Forum Discussion
Skip multi-factor authentication IP whitelist
Hello,
We are currently testing out Azure MFA, but want to skip requests when the user is on our corporate network. I have the "Skip multi-factor authentication for requests from following range of IP address subnets" setting, but notice it has a limit of 50 subnets. Well, we have more than 50 subnets at multiple locations. We do not have ADFS in our environment and use password sync via AD Connect. I also have modern authentication enabled for Exchange Online.
I've been searching, but could not really find a definitive answer on how we could go about skipping MFA requests when users are on our corporate network.
Any help or guidance would be appreciated.
Those are the two ways available currently (here's a reference for others browsing the thread: https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-adfs-cloud). If you are hitting the 50 ranges limit, simply consolidate them in /16 or "bigger" blocks.
I'm not aware of any way to increase the limit, but you can always open a support case and ask.
- Dphyme76, Copper Contributor
Vasil,
Thanks for the response. I am currently looking into Named Locations with Conditional Access in Azure AD. It seems to have a higher limit.
https://docs.microsoft.com/en-us/azure/active-directory/active-directory-named-locations
Limitations - You can define a maximum of 60 named locations with one IP range assigned to each of them. If you have just one named location configured, you can define up to 500 IP ranges for it.
I will update on my findings for anyone else who may be interested.
Thanks
But can you actually use them for MFA bypass?
- MooreSecurity, Brass Contributor
Is there any way to add a single public IP address instead of a range?
Adding a public IP range would circumvent certain conditional access rules based on trusted locations, and could include an adversary's IP address.
Simply add a /32 range.
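The two practical points raised above (consolidating subnets into bigger blocks to stay under the entry limit, and writing a single host as a /32) can be worked through offline before anything is pasted into the trusted-IP setting. The script below is an added example for this thread, not Microsoft's code and not tied to the Azure portal or any API; it only uses the standard `ipaddress` module and a constructed list of documentation-range subnets. It first merges overlapping and adjacent entries losslessly, and then, if the list is still over the limit, widens one entry at a time, always choosing the widening that admits the fewest addresses that were not in the original list, and reports how many extra addresses end up trusted so the risk of over-broad blocks is visible rather than hidden.

```python
"""Consolidate a long list of egress subnets into at most N entries.

Added example for this thread; it is not Microsoft's code and does not talk
to Azure. It assumes the entries are IPv4 CIDR strings (or bare addresses,
which become /32) and that the result is pasted into the trusted-IP list by hand.
"""
import ipaddress

# Constructed sample (RFC 5737 documentation ranges, not real corporate addresses):
# four non-adjacent /27s at one site, a /24 at another with a duplicate
# overlapping entry, and one lone public IP that must be written as /32.
SAMPLE_RANGES = [
    "203.0.113.0/27", "203.0.113.64/27", "203.0.113.128/27", "203.0.113.192/27",
    "198.51.100.0/24", "198.51.100.0/25",   # overlapping entry
    "192.0.2.250",                          # single public IP, expressed as /32
]


def normalize(entries):
    """Parse each entry; a bare address becomes a /32 host network."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def collapse(entries):
    """Merge overlapping and adjacent networks. This admits no new address."""
    return list(ipaddress.collapse_addresses(normalize(entries)))


def address_count(nets):
    """Total number of addresses covered by a list of disjoint networks."""
    return sum(n.num_addresses for n in nets)


def _widening_cost(net, nets):
    """Addresses that would become trusted if `net` were replaced by its supernet."""
    wider = net.supernet()
    covered = sum(m.num_addresses for m in nets if m.subnet_of(wider))
    return wider.num_addresses - covered


def fit_to_limit(entries, limit):
    """Greedily widen entries until the collapsed list has at most `limit` items.

    Each step widens the one network whose supernet admits the fewest addresses
    not already in the list, keeping the extra trust granted as small as possible.
    Returns (networks, extra) where `extra` counts addresses that are trusted
    after consolidation but were not in the original entries.
    """
    if limit < 1:
        raise ValueError("limit must be at least 1")
    nets = collapse(entries)
    original = address_count(nets)
    while len(nets) > limit:
        candidates = [n for n in nets if n.prefixlen > 0]  # /0 cannot be widened
        if not candidates:
            break
        # lowest cost first; ties broken by network order so the result is deterministic
        victim = min(candidates, key=lambda n: (_widening_cost(n, nets), n))
        nets = [n for n in nets if n != victim] + [victim.supernet()]
        nets = list(ipaddress.collapse_addresses(nets))
    return nets, address_count(nets) - original


if __name__ == "__main__":
    merged = collapse(SAMPLE_RANGES)
    print(f"{len(SAMPLE_RANGES)} entries collapse losslessly to {len(merged)}:")
    for n in merged:
        print("  ", n)
    nets, extra = fit_to_limit(SAMPLE_RANGES, limit=3)
    print(f"Fitting into 3 entries trusts {extra} extra addresses:")
    for n in nets:
        print("  ", n)
```

Run it as-is to see the sample shrink from seven entries to six with no change in coverage, and then to three entries at the cost of 191 addresses that were never part of the corporate list; in practice you would set `limit` to 50 (or whatever the portal allows) and decide whether the reported extra count is acceptable before saving the ranges.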
- 7CalltekCebu11 Sala Jr., Copper Contributor
Hi All,
Is there a way around for this? 50 subnets is not enough. Can anyone please confirm if Microsoft support has a way around this?
Thanks,
Olson
I don't think that this is right. According to the document linked above ...
you can create a named location with 1200 IP ranges, and then mark it as trusted. Then you can use this in an exclude on a CA policy that mandates the use of MFA.
All that said, if you have AAD P2 the Azure AD Identity Protection feature is better: it learns the patterns of users and determines login risk. Use it to only require MFA when the risk is medium or above and your users will be unlikely to ever see a prompt, but rogue login attempts will be thwarted.
- Jerod_Howell, Copper Contributor