Forum Discussion
Skip multi-factor authentication IP whitelist
Those are the two ways available currently (here's a reference for others browsing the thread: https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-adfs-cloud). If you are hitting the 50 ranges limit, simply consolidate them in /16 or "bigger" blocks.
I'm not aware of any way to increase the limit, but you can always open a support case and ask.
Vasil,
Thanks for the response. I am currently looking into Named Locations with Conditional Access in Azure AD. It seems to have a higher limit.
https://docs.microsoft.com/en-us/azure/active-directory/active-directory-named-locations
Limitations - You can define a maximum of 60 named locations with one IP range assigned to each of them. If you have just one named location configured, you can define up to 500 IP ranges for it.
I will update on my findings for anyone else who may be interested.
Thanks
- VasilMichev, May 25, 2017, MVP
But can you actually use them for MFA bypass?
- buttgowher517, Oct 15, 2024, Copper Contributor
VasilMichev I don't have P1 or P2. How can I bypass MFA for a trusted IP?
- Sep 21, 2018
I guess you cannot use this literally to bypass MFA, but you can enforce it outside trusted locations. So basically the same scenario with a different approach. However, in this approach MFA must only be enabled for users, not enforced.
- Dphyme76, Jul 11, 2017, Copper Contributor
So just an FYI on my testing of conditional access within Azure AD. It does not look like there is any way to configure conditional access to resolve the 50 IP range limit. The exclusion features only look at the Trusted IP list and not the Named Locations. This is pretty disappointing. How are companies who want to enable MFA with more than 50 IP ranges supposed to bypass MFA if they are on premise?
- David White, Jan 25, 2018, Copper Contributor
Could you not use a network summary address for each location?
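Added example, not part of any post in this thread: a Python sketch of the consolidation suggested above (bigger blocks, or summary addresses) that fits a list of IPv4 ranges under a range limit and reports how many addresses outside the original list end up trusted as a result. The function names and the sample ranges are constructed for illustration, and the greedy merge is one possible approach, not a Microsoft tool or API.

```python
import ipaddress

# Constructed sample (RFC 5737 documentation ranges), not real office networks.
SAMPLE = ["198.51.100.0/26", "198.51.100.64/26", "198.51.100.192/27",
          "203.0.113.8/29", "203.0.113.32/28", "192.0.2.16/28"]

def common_supernet(a, b):
    """Smallest single CIDR block that contains both networks."""
    net = a
    while not b.subnet_of(net):
        net = net.supernet()
    return net

def consolidate(cidrs, limit):
    """Return (ranges, extra): at most `limit` blocks covering every input
    range, and the number of addresses covered that were not in the input."""
    if limit < 1:
        raise ValueError("limit must be at least 1")
    # Lossless step first: join adjacent blocks and drop contained ones.
    nets = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(c, strict=False) for c in cidrs))
    original = sum(n.num_addresses for n in nets)
    while len(nets) > limit:
        # Lossy step: merge the neighbouring pair whose summary block
        # adds the fewest addresses beyond the pair itself.
        best = min(range(len(nets) - 1), key=lambda i:
                   common_supernet(nets[i], nets[i + 1]).num_addresses
                   - nets[i].num_addresses - nets[i + 1].num_addresses)
        merged = common_supernet(nets[best], nets[best + 1])
        nets = list(ipaddress.collapse_addresses(
            nets[:best] + [merged] + nets[best + 2:]))
    extra = sum(n.num_addresses for n in nets) - original
    return [str(n) for n in nets], extra

if __name__ == "__main__":
    for limit in (5, 3):
        ranges, extra = consolidate(SAMPLE, limit)
        print(f"limit={limit}: {ranges} (+{extra} addresses not in the input)")
```

The `extra` count is the number to review before pasting the result into a trusted IP list, since every one of those addresses would skip MFA as well.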