Using Conditional Access to enforce MFA, do I still need to enable MFA on the Users pane in Azure AD?

  • Question

  • I want to achieve that the users do not need to use MFA when they're on the internal network.

    In Azure AD / Conditional Access I am creating a policy with an IP Range as an exception and then grant access to all users requiring MFA.

    Do I still need to enable MFA for all users in the Users part of Azure AD, or would this then overwrite my policy
    and the users would need to use MFA also from the (internal IP range) location?

    Thanks,
    Franck

    • Moved by vijisankar Wednesday, September 12, 2018 8:30 PM Better suited here & moved from Azure AD
    Wednesday, September 12, 2018 8:24 AM

All replies

  • "I want to achieve that the users do not need to use MFA when they're on the internal network"

    You can create Trusted IPs in MFA or Named Locations in Conditional Access. Create subnets that match on-premises subnets and then allow access to those subnets. Reference: location condition in Azure Active Directory conditional access


    With Conditional Access based MFA, admins should never enable MFA on top of the Conditional Access policy, or you are bypassing the reason for using Conditional Access.
    The Conditional Access policy should include exceptions for IP ranges if that is what you are looking for.

    Refer to this article, which calls out the ways to enable MFA: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-getstarted#choose-how-to-enable

    Enabled by changing user state - This is the traditional method for requiring two-step verification. It works with both Azure MFA in the cloud and Azure MFA Server. Using this method requires users to perform two-step verification every time they sign in and overrides conditional access policies.

    Enabled by conditional access policy - This is the most flexible means to enable two-step verification for your users. Enabling using conditional access policy only works for Azure MFA in the cloud and is a premium feature of Azure AD.

    They are two different ways of looking at MFA, choose one of these methods to require two-step verification, not both. Enabling a user for Azure Multi-Factor Authentication overrides any conditional access policies.

    ---------------------------------------------------------------------------------------------

    If this answer was helpful, click “Mark as Answer” or “Up-Vote”. To provide additional feedback on your forum experience, click here

    • Proposed as answer by vijisankar Wednesday, September 12, 2018 8:29 PM
    • Edited by vijisankar Wednesday, September 12, 2018 9:08 PM Added Link
    Wednesday, September 12, 2018 8:29 PM
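    As an added example (not part of the thread or the linked docs), this is the setup the reply describes, done with Microsoft Graph PowerShell: a named location for the internal range, a report-only policy that requires MFA everywhere else, and a scan for users whose per-user MFA state would override that policy. The Microsoft.Graph and MSOnline modules and the 203.0.113.0/24 range are assumptions, not from the thread.

```powershell
# Added example (not from the thread): build the setup Franck describes with the
# Microsoft Graph PowerShell SDK, then check that no user still has per-user MFA
# turned on, since an Enabled/Enforced user state overrides Conditional Access.
# Assumptions: Microsoft.Graph and MSOnline modules are installed; the egress
# range 203.0.113.0/24 is a placeholder, replace it with your own subnets.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# 1. Named location for the internal network (marked trusted).
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'Corporate network (placeholder range)'
    isTrusted     = $true
    ipRanges      = @(
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = '203.0.113.0/24' }
    )
}

# 2. Policy: all users, all cloud apps, MFA required, except from that location.
#    Start in report-only mode and review sign-in logs before setting state to 'enabled'.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'Require MFA outside corporate network'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users        = @{ includeUsers = @('All') }
        applications = @{ includeApplications = @('All') }
        locations    = @{
            includeLocations = @('All')
            excludeLocations = @($location.Id)
        }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}
Write-Host "Created policy '$($policy.DisplayName)' in state $($policy.State)"

# 3. Per-user MFA state lives in the legacy MSOnline module. Any user listed here
#    is prompted for MFA everywhere, regardless of the policy above.
Connect-MsolService
$perUserMfa = Get-MsolUser -All |
    Where-Object { $_.StrongAuthenticationRequirements.State } |
    Select-Object UserPrincipalName,
        @{ n = 'MfaState'; e = { $_.StrongAuthenticationRequirements.State } }

if ($perUserMfa) {
    Write-Warning 'These users have per-user MFA set and will not get the location exception:'
    $perUserMfa | Format-Table -AutoSize
} else {
    Write-Host 'No per-user MFA state found; Conditional Access alone controls MFA.'
}
```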
  • See this link https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition
    • Proposed as answer by samyyysam Wednesday, September 12, 2018 8:29 PM
    Wednesday, September 12, 2018 8:29 PM
  • Checking in to see if the above answer helped. Let us know if there are still any additional issues we can help with. Do click “Mark as Answer” and Up-Vote the post that helps.

    Monday, September 17, 2018 10:29 AM