Forum Discussion
Ueli Zimmermann
May 18, 2018, Copper Contributor
Azure Active Directory and ADFS support for Location based MFA ?
Does anyone know if it is possible to apply MFA only from outside the defined trusted networks, and how to set this up if ADFS 3.0 is in play? I tried to use just AAD Conditional Access Po...
VasilMichev
May 20, 2018, MVP
You can use the claims rules engine to create rules that will apply MFA only on external logins. You cannot however limit this to only specific workflows, such as SPO. If you have such requirements, Azure AD Conditional Access is your best option.
- Ueli Zimmermann, May 25, 2018, Copper Contributor
Found this one; does someone know if this is the best way to go if you have federated IDs and still want to use Conditional Access and Azure MFA?
https://blog.kloud.com.au/2017/07/01/using-adfs-on-premises-mfa-with-azure-ad-conditional-access/
Cheers
Ueli
- Ueli Zimmermann, May 25, 2018, Copper Contributor
Thank you, I figured that as well regarding claim rules.
I have another question in the meantime though regarding the Conditional Access.
Should this work as well with federated IDs, or just with cloud-only and PTA and SSO synced AD accounts?
I just created a Conditional Access rule which should require me to use MFA if I'm not coming from a trusted IP range and if accessing SharePoint Online from a browser, but no other target in the browser and no modern authentication app, and it seems not to work for federated IDs.
So for them I always have to use ADFS claim rules, or is there something wrong with my rule?
Best regards
Ueli
- VasilMichev, May 28, 2018, MVP
Conditional access will work for federated scenarios, but it only applies to legacy auth. They just started previewing CA support for blocking legacy auth, so you can use the relevant controls as needed.
It's still much easier to distinguish between external/internal access via AD FS claims rules, provided you use the recommended setup of AD FS servers + proxies.
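The claims-rule approach referred to in the May 20 reply and again above, as an added example that is not code from any post in this thread: an AD FS additional-authentication rule that demands MFA only when the request did not arrive from the corporate network. It assumes a Web Application Proxy in front of the AD FS farm (the proxy is what sets the insidecorporatenetwork claim), an MFA provider already registered under Authentication Policies, and a relying-party trust named "Microsoft Office 365 Identity Platform" (the default name for the Azure AD trust; adjust if yours differs).

```powershell
# Added example, not from the thread. Run on an AD FS server as an administrator.
# Assumptions: external traffic reaches AD FS only through the Web Application
# Proxy, and an additional authentication provider (e.g. Azure MFA) is enabled.
Import-Module ADFS

# Claim rule language: if the proxy marked the request as coming from outside the
# corporate network, issue the "multipleauthn" authentication-method claim, which
# makes AD FS invoke the configured additional (MFA) provider.
$rule = @'
@RuleName = "Require MFA for requests from outside the corporate network"
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@

# Scope the rule to the Azure AD / Office 365 trust only. The display name below is
# the default for that trust; change it if your trust is named differently.
$rpName = "Microsoft Office 365 Identity Platform"
Set-AdfsRelyingPartyTrust -TargetName $rpName -AdditionalAuthenticationRules $rule

# To apply the same rule to every relying party instead (AD FS 3.0 global rule):
# Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules $rule

# Verify what is actually in effect before testing from an external client.
(Get-AdfsRelyingPartyTrust -Name $rpName).AdditionalAuthenticationRules
Get-AdfsGlobalAuthenticationPolicy | Select-Object AdditionalAuthenticationProvider

# Caveat: insidecorporatenetwork is only trustworthy when external clients cannot
# reach the federation servers directly; if they can, their requests are treated as
# internal and the rule never fires. If no additional provider is registered, the
# rule fires but the sign-in fails rather than prompting for MFA.
```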