Forum Discussion
Bypass Azure MFA and Azure AD Connect Pass-Through Authentication
If you have EMS licenses you could do device-based MFA bypass instead of network-based. The idea is that all networks are treated as hostile these days; there is no internal vs. external any more.
Treat enrolled/compliant/domain-joined devices as not requiring MFA, and prompt for MFA on non-enrolled/non-compliant/non-domain devices. If you want to enhance that solution further you can add risk-based MFA prompts as well.
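The policy shape described above (skip MFA on compliant or hybrid-joined devices, challenge everything else, and layer a sign-in-risk rule on top) can be expressed as Conditional Access policies. The block below is an added example, not code from the thread or from Microsoft: it builds two policy bodies in the shape that the Microsoft Graph conditional access endpoint accepts, and pairs them with a small offline evaluator so you can see which constructed sign-ins would be challenged. The evaluator is a simplified model of the OR/AND grant-control semantics, not Azure AD's own engine, and every user, device and risk value in it is constructed for illustration.

```python
"""Device-based MFA bypass as Conditional Access, with an offline evaluator.

Added example; not from the forum thread. Policy bodies follow the Graph
conditionalAccessPolicy resource, the evaluator is a simplified model.
"""
import json

# Policy 1: grant if MFA OR compliant device OR hybrid Azure AD joined device.
# With operator "OR", a compliant/domain-joined device satisfies the grant on
# its own, so the user is not prompted for MFA. Unmanaged devices get MFA.
DEVICE_BASED_MFA_POLICY = {
    "displayName": "CA01 - MFA unless compliant or hybrid-joined device",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": ["all"],
    },
    "grantControls": {
        "operator": "OR",
        "builtInControls": ["mfa", "compliantDevice", "domainJoinedDevice"],
    },
}

# Policy 2: risk-based layer. Whenever sign-in risk is medium or high, require
# MFA regardless of device state (operator AND with MFA as the only control).
RISK_BASED_MFA_POLICY = {
    "displayName": "CA02 - MFA on medium or high sign-in risk",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": ["all"],
        "signInRiskLevels": ["medium", "high"],
    },
    "grantControls": {"operator": "AND", "builtInControls": ["mfa"]},
}


def policy_applies(policy, signin):
    """True when the policy's conditions match this (constructed) sign-in.

    Only the sign-in risk condition is modelled; the policies above scope
    users and applications to "All", so those conditions always match.
    """
    risk_levels = policy["conditions"].get("signInRiskLevels")
    if risk_levels and signin.get("risk", "none") not in risk_levels:
        return False
    return True


def grant_satisfied_without_mfa(policy, signin):
    """True if the device-based controls alone satisfy the grant.

    'mfa' is treated as unsatisfied because the question being asked is
    whether the sign-in can proceed without an MFA prompt.
    """
    grant = policy["grantControls"]
    satisfied = {
        "compliantDevice": bool(signin.get("device_compliant", False)),
        "domainJoinedDevice": bool(signin.get("device_hybrid_joined", False)),
        "mfa": False,
    }
    results = [satisfied.get(c, False) for c in grant["builtInControls"]]
    return any(results) if grant["operator"] == "OR" else all(results)


def mfa_required(signin, policies=(DEVICE_BASED_MFA_POLICY, RISK_BASED_MFA_POLICY)):
    """MFA is prompted if any enabled, applicable policy cannot be satisfied without it."""
    for policy in policies:
        if policy["state"] != "enabled" or not policy_applies(policy, signin):
            continue
        if "mfa" in policy["grantControls"]["builtInControls"] and \
                not grant_satisfied_without_mfa(policy, signin):
            return True
    return False


def policy_json(policy):
    """Serialise a policy body as it would be POSTed to the Graph endpoint."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    # Constructed sign-ins: a managed laptop, an unmanaged phone, and a managed
    # device whose sign-in was flagged as high risk.
    samples = {
        "compliant laptop, no risk": {"device_compliant": True},
        "hybrid-joined desktop, no risk": {"device_hybrid_joined": True},
        "unmanaged phone, no risk": {},
        "compliant laptop, high risk": {"device_compliant": True, "risk": "high"},
    }
    for label, signin in samples.items():
        print(f"{label}: MFA required = {mfa_required(signin)}")
    print(policy_json(DEVICE_BASED_MFA_POLICY))
```

The important design point is the grant operator: with "OR" in the first policy a compliant or hybrid-joined device satisfies the grant by itself, which is exactly the bypass being described, while the separate risk policy uses "AND" with MFA as its only control so that device state cannot satisfy it. Keeping the risk rule as its own policy makes the precedence obvious: every enabled policy that applies must be satisfied, so the risk challenge wins even on a managed device.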
- Daniel Park, Nov 17, 2017, Copper Contributor
Hi Paul,
I was wondering how to go about creating this MFA bypass by device status. Any help would be appreciated. And do you know if this would circumvent requiring an app password on the native iOS email client on Intune enrolled devices?
- Carsten Due, Nov 16, 2017, Copper Contributor
This does not require ADFS then?
- Nov 20, 2017
I agree with Carsten. For this scenario, you do need to deploy AD FS. After that you'll have full control over how to authenticate people, and you can also bypass Azure MFA if needed.
And I hope you're aware that PTA does not work with Skype for Business clients without password hash sync, which kind of ruins the whole idea of PTA.