Forum Discussion
Require MFA OR Intune Enrollment/compliance when Outside the Trusted IP Range
Do you use AD FS?
- Anonymous, Jul 19, 2017
No ADFS, just have AD Connect syncing from On-prem to Azure AD.
- James Stewart, Apr 18, 2018, Copper Contributor
Omar, any chance you found a solution to not force MFA for compliant devices? I too have the same requirements, where we do not want to prompt for MFA when using a device that is "compliant".
It seems the conditional access policies simply do not work, at least in my experience. I've configured a policy to require a device to be compliant, and I can see the device is marked YES for compliant in Azure AD. However, when using the same device to access the applications defined in the policy, I get the sorry, you can only access from "Devices or client applications that meet management compliance policy."
- Charles Rohrer, Oct 22, 2018, Copper Contributor
James,
Did you figure out your issue?
We had the issue, but that’s because we were using MFA via our Office 365 and not through Intune. Disabled O365 MFA and added it to Intune. That corrected it for us.
- Michael Jones, Jul 21, 2017, Brass Contributor
I do not want to assume. Are you testing this on the corp network or off? If off, this is more than likely by design as MFA is designed to be used for each login attempt unless on a trusted network.