In my Azure AD tenant, I currently have it configured so that users logging in for the first time must register at least one authentication method (e.g. an alternate email, a phone number). This is useful for MFA and self-service password reset (SSPR) - screenshot here.
I want to have several non-interactive service accounts that will not be configured for either MFA or for SSPR. Therefore, these non-interactive service accounts do not need alternate authentication methods. However, under my current setting, these service accounts are prompted to enter alternate authentication methods on first login:
This is extra inconvenient because, when adding an email, email verification is required, which doesn't allow us to do this programmatically (screenshot).
If I do just click "Cancel" on the "don't lose access to your account!" screen, I can simply proceed to sign-in without inputting alternate authentication methods (screenshot).
So the question is: how can I exclude a certain subset of users (e.g. non-interactive service accounts) from requiring alternate authentication info when first signing in?
We can include only a certain subset of groups for SSPR under Password Reset->Properties. This feature does not have an "Exclude" list, which makes it more difficult to implement.
More details in an MSDN forums post: https://social.msdn.microsoft.com/Forums/en-US/51affd2c-a2c8-4faa-bbd8-bd1773c985d4/how-to-exclude-a-subset-of-users-from-requiring-authentication-info-when-first-signing-in?forum=WindowsAzureAD&prof=required
