Forum Discussion
Kiril
Nov 22, 2022, Iron Contributor
Is it good (or best) practice to exclude your office IP address from MFA requirements?
Should the office IP address allow users to sign-in without requiring MFA, or is it better to always require MFA, and keep the session active for e.g. 7 days?
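The two options in the question, written out as Microsoft Graph `conditionalAccessPolicy` objects. This is an added example, not from the thread or from Microsoft's documentation: the first policy skips MFA for sign-ins from trusted named locations (an office IP range marked as trusted), the second requires MFA everywhere and caps the session at the 7-day sign-in frequency mentioned in the question. Display names and the choice of `AllTrusted` are assumptions.

```json
[
  {
    "displayName": "Option A (weaker): MFA for all, except trusted office IPs",
    "state": "enabled",
    "conditions": {
      "users": { "includeUsers": ["All"] },
      "applications": { "includeApplications": ["All"] },
      "clientAppTypes": ["all"],
      "locations": {
        "includeLocations": ["All"],
        "excludeLocations": ["AllTrusted"]
      }
    },
    "grantControls": {
      "operator": "OR",
      "builtInControls": ["mfa"]
    }
  },
  {
    "displayName": "Option B (stronger): MFA everywhere, re-authenticate every 7 days",
    "state": "enabled",
    "conditions": {
      "users": { "includeUsers": ["All"] },
      "applications": { "includeApplications": ["All"] },
      "clientAppTypes": ["all"],
      "locations": {
        "includeLocations": ["All"],
        "excludeLocations": []
      }
    },
    "grantControls": {
      "operator": "OR",
      "builtInControls": ["mfa"]
    },
    "sessionControls": {
      "signInFrequency": {
        "isEnabled": true,
        "type": "days",
        "value": 7
      }
    }
  }
]
```

In Option A, anyone who can originate traffic from the excluded range (a device on the office network, or a compromised host there) signs in with password only; Option B removes that location-based gap and relies on the sign-in frequency to keep prompts infrequent.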
4 Replies
- Kiril (Iron Contributor)
Adopting the Zero trust security model seems like the most rational way (Zero Trust security in Azure | Microsoft Learn).
- Chandrasekhar_Arya (Iron Contributor)
It depends on a case-by-case basis. From the zero trust perspective you will always enforce MFA, but if the user is logging in from an office location, the assumption I make is that he has crossed all the necessary security gates to reach or connect to the office network, like:
1. showed some office ID to security, used the office ID to gain access inside, the workstation has some username and password to log in, Wi-Fi access; so in those cases I will exclude them from MFA as I assume there are some checks done.
But keep in mind you must always enforce it if the user is accessing your guest Wi-Fi, especially visitors.
The above are my thoughts for you to make a better decision, as there is no straightforward answer.
Please "Accept as Answer" if it helped so it can help others in the community looking for help on similar topics.
- JonasBack (Iron Contributor)
I think you should always require MFA even if coming from your IP. If you do MFA right you shouldn't be bothered by MFA authentication requests very often. The default is a rolling 90-day window, so as long as you're active more often than that you shouldn't need to MFA often…
- Perhaps not from a zero-trust perspective. Good read here https://danielchronlund.com/2022/01/07/the-attackers-guide-to-azure-ad-conditional-access/