MFA and AD premium

  • Question

  • Hi,

    We are using Azure AD conditional access. Since we have some AD premium licenses in our tenant, we have the possibility to use IP whitelisting. It seems that MFA works just fine without enabling it for any user; all users have MFA disabled when I look at the users, but MFA triggered by conditional access works just fine anyway. How is that possible?

    Regards,

    UC

    Wednesday, August 31, 2016 5:26 PM

Answers

  • I'm not sure I understand the question, but when you configure Conditional Access for specific applications, the access rules available are "Require MFA", "Require MFA when not at work" and "Block access when not at work". If you use the "Require MFA" policy, then it doesn't use MFA Trusted IPs and MFA is always required to access that app. If you use the "Require MFA when not at work" policy, then it uses MFA Trusted IPs to determine whether the user is inside or outside the network, and only requires MFA if the user is coming from an untrusted IP address.
    Thursday, September 1, 2016 6:55 PM
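
Added example (not part of the original thread, and not Microsoft's code): a small Python model of the three access rules named in the answer above, useful for checking which sign-ins a Trusted IPs list would exempt from MFA or block. The function names, the "mfa"/"allow"/"block" labels and the sample ranges are assumptions made for illustration.

```python
import ipaddress

# Rule names exactly as quoted in the answer above.
REQUIRE_MFA = "Require MFA"
REQUIRE_MFA_NOT_AT_WORK = "Require MFA when not at work"
BLOCK_NOT_AT_WORK = "Block access when not at work"

# Constructed sample ranges (RFC 5737 documentation addresses) standing in
# for a tenant's MFA Trusted IPs list.
TRUSTED_IPS = ["203.0.113.0/24", "198.51.100.16/28"]


def is_trusted(client_ip, trusted=TRUSTED_IPS):
    """True if client_ip falls inside any trusted range.

    In this model an IPv6 client never matches an IPv4 range, so it is
    treated as outside the network.
    """
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(r) for r in trusted)


def evaluate(rule, client_ip, trusted=TRUSTED_IPS):
    """Return 'mfa', 'allow' (no MFA prompt from this rule) or 'block'."""
    if rule == REQUIRE_MFA:
        return "mfa"  # Trusted IPs are not consulted for this rule
    at_work = is_trusted(client_ip, trusted)
    if rule == REQUIRE_MFA_NOT_AT_WORK:
        return "allow" if at_work else "mfa"
    if rule == BLOCK_NOT_AT_WORK:
        return "allow" if at_work else "block"
    raise ValueError(f"unknown rule: {rule!r}")


def decision_matrix(client_ips, trusted=TRUSTED_IPS):
    """Map each client IP to the outcome under all three rules."""
    rules = (REQUIRE_MFA, REQUIRE_MFA_NOT_AT_WORK, BLOCK_NOT_AT_WORK)
    return {ip: {r: evaluate(r, ip, trusted) for r in rules} for ip in client_ips}


if __name__ == "__main__":
    # Constructed sign-in source addresses: inside, range edge, outside, IPv6.
    for ip, row in decision_matrix(
        ["203.0.113.7", "198.51.100.31", "198.51.100.32", "2001:db8::1"]
    ).items():
        print(ip, row)
```

Running the matrix over the edge addresses of each range before changing the Trusted IPs list shows which sources would stop being prompted for MFA.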

All replies

  • Hello,

    We are checking on the query and will get back to you soon on this.
    I apologize for the inconvenience and appreciate your time and patience in this matter.

    Regards,
    Neelesh

    Thursday, September 1, 2016 1:40 PM
  • Hi and thank you for your reply. 

    How are we charged for the MFA logins? Since we don't have any MFA licenses connected to any of our users but they are still able to log in using MFA Exchange and SharePoint conditional access?

    UC

    Saturday, September 3, 2016 5:31 PM
  • MFA is included with Azure AD Premium, which is required to use Conditional Access. So if you are using Conditional Access, you need to ensure that you have a sufficient number of AAD Premium licenses to cover those users.
    Tuesday, September 13, 2016 10:33 PM