Conditional Access to prompt MFA if user coming from untrusted location a.k.a exclude MFA from company intranet

Introduction:

Multi-factor authentication (MFA) is a method of confirming a user's claimed identity in which a user is granted access only after successfully presenting 2 or more pieces of evidence (or factors) to an authentication mechanism.

What is Azure Multi-Factor Authentication? Two-step verification is a method of authentication that requires more than one verification method and adds a critical second layer of security to user sign-ins and transactions.

Azure AD recommends that you require multi-factor authentication (MFA) for all your users, including administrators and all other users whose compromised account would have a significant impact (for example, financial officers). This reduces the risk of an attack due to a compromised password. For more information about Azure MFA, please refer to https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication .

Problem:

I had a requirement from a customer to prompt for MFA only if the user is trying to access O365 services from the internet (untrusted location), but suppress MFA if the user is connecting from on-prem network locations (LAN or Wi-Fi).

Solution:

In this blog post, we will see how to create a conditional access policy that prompts for MFA when a user coming from an untrusted location accesses any Office 365 service.

How do I know the trusted locations? How do I categorize trusted vs. untrusted locations?

The Trusted IPs feature of Azure Multi-Factor Authentication is used by administrators of a managed or federated tenant. The feature bypasses two-step verification for users who sign in from the company intranet (LAN or Wi-Fi). The feature is available with the full version of Azure Multi-Factor Authentication, not with the free version for administrators.

To find out the IP subnet ranges of your office network locations, contact your network team, who can provide this information.

Once you have the IP subnet information (for example 202.50.14.96/27, 202.60.196.192/28, etc.), you need to define all of these subnets as MFA trusted IPs.

To do this, log in to https://portal.azure.com , click Azure Active Directory, then the Users blade. At the top you will see Multi-Factor Authentication.

Once the MFA portal opens, click on Service settings.

More information about the settings on this page is given in the Microsoft documentation: https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-whats-next#trusted-ips

Following are the settings that I would like to configure:

Once this is done, we will create a conditional access policy that prompts for MFA when a user tries to access O365 services from a non-trusted location (that is, not from the intranet or the IP subnets defined above).

Create a new Conditional Access policy, or use an existing one if you want. I would prefer a new policy dedicated to MFA; name it Global-Allow-AllPlat-AllUnTrus-AllApps-ExtMFA.

Assignments:

Select the users and groups to which you want this conditional access policy to apply.

Cloud Apps:

Choose the apps for which MFA should be prompted.

Conditions:

Device Platforms: All platforms

Locations:

Include: Any location

Exclude: Selected locations, and choose the MFA trusted IPs (with all the IP subnets) that we added earlier.

All trusted locations. This option applies to:

All locations that have been marked as trusted locations
MFA trusted IPs (if configured)

For more information about all trusted locations and how locations are evaluated, read https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-locations

Client Apps: Select Browser and Mobile apps and desktop clients.

Access Control: Require multi-factor authentication

With this, we have completed setting up conditional access to prompt for MFA from untrusted locations.

Evaluation results from the Conditional Access:

To check the conditional access results, you can use the What If tool that was introduced recently.

On the Conditional Access page, click What If, enter the user name, choose the cloud app and the device, and click What If to see the evaluation results.

The What If result shows that the conditional access policy with the grant control 'Require multi-factor authentication' is applied to the user.
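The policy built above, expressed as a Microsoft Graph conditionalAccessPolicy body, together with a small local check that mirrors the What If location evaluation for the two example subnets. This is an added example, not part of the original post: the group object id is a placeholder, starting the policy in report-only state is my assumption, and the check simulates only the location condition of this one policy (the real What If tool evaluates every policy in the tenant).

```python
import ipaddress

# Constructed sample: the office subnets quoted in the post.
TRUSTED_SUBNETS = [ipaddress.ip_network(s) for s in ("202.50.14.96/27", "202.60.196.192/28")]


def is_trusted_ip(source_ip: str) -> bool:
    """True when the sign-in's public source address lies inside an MFA trusted IP range.
    Azure AD sees the egress (NAT) address, so these must be the office's public ranges."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in TRUSTED_SUBNETS)


def build_policy(display_name: str, group_ids: list) -> dict:
    """Graph conditionalAccessPolicy body mirroring the post's settings: all platforms,
    all cloud apps, any location except trusted ones, browser plus mobile/desktop
    clients, grant = require MFA. Started in report-only (assumption) so the effect
    can be reviewed in the sign-in logs before it is enforced."""
    return {
        "displayName": display_name,
        "state": "enabledForReportingButNotEnforced",  # change to "enabled" to enforce
        "conditions": {
            "users": {"includeGroups": group_ids},
            "applications": {"includeApplications": ["All"]},
            "platforms": {"includePlatforms": ["all"]},
            "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
            "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def mfa_required(policy: dict, source_ip: str) -> bool:
    """Local approximation of the What If location check for this one policy: the
    sign-in is in scope when it matches the include list and is not excluded by a
    trusted location. User, app and platform conditions are assumed to match."""
    loc = policy["conditions"]["locations"]
    in_scope = "All" in loc["includeLocations"]
    excluded = "AllTrusted" in loc["excludeLocations"] and is_trusted_ip(source_ip)
    return in_scope and not excluded and "mfa" in policy["grantControls"]["builtInControls"]


if __name__ == "__main__":
    # "<group-object-id>" is a placeholder for the real Azure AD group object id.
    policy = build_policy("Global-Allow-AllPlat-AllUnTrus-AllApps-ExtMFA", ["<group-object-id>"])
    for ip in ("202.50.14.100", "202.60.196.200", "202.50.14.130", "8.8.8.8"):
        print(ip, "-> MFA required" if mfa_required(policy, ip) else "-> MFA suppressed (trusted)")
```

The body is what you would POST to /identity/conditionalAccess/policies with the Policy.ReadWrite.ConditionalAccess permission; 202.50.14.130 falls just outside the /27 and so still gets the MFA prompt.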

Hope you enjoyed reading this article; see you in the next blog.

References: https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-whats-next#trusted-ips

2 Responses to "Conditional Access to prompt MFA if user coming from untrusted location a.k.a exclude MFA from company intranet"

  1. Hello Eswar,

    I would like to know if it's possible to avoid the MFA prompt for users that have enrolled their devices as hybrid or compliant, on a network outside the company.
    I want only users with untrusted devices to be prompted with the MFA screen, and Azure AD joined and hybrid or compliant ones not.
    And, if it's possible, to do it on Internet Explorer and Google Chrome.

    Thanks.

    1. Hi Paulo,
      Sorry for the delay. You can configure the on-prem or trusted location IP subnets as named locations in the MFA settings, which will suppress the MFA prompt.

      Thanks,
      Eswar
