Forum Discussion
Bypass Azure MFA and Azure AD Connect Pass-Through Authentication
If you have EMS licenses you could do device-based MFA bypass instead of network-based. The idea is that all networks are treated as hostile these days, there is no internal vs external etc.
Treat enrolled/compliant/domain-joined devices as not requiring MFA, and prompt for MFA on non-enrolled/non-compliant/non-domain devices. If you want to enhance that solution further you can add risk-based MFA prompts as well.
This does not require ADFS then?
- Nov 20, 2017
I agree with Carsten. For this scenario, you do need to deploy AD FS. After that you'll have full control over how to authenticate people, and you can also bypass Azure MFA if needed.
And I hope you're aware that PTA does not work with Skype for Business clients without password hash sync, which kind of ruins the whole idea of PTA.