Forum Discussion

Brass Contributor

Aug 29, 2023

Solved

What is the recommendation about security measurement for logging from different IP addresses

Hi all, I have a question about MFA. When the managed devices travel to a different location, should we prompt for MFA? What is the best practice these days? I know it varies at different orga...

identity and access management

identity protection

security

elieelkarkafi
Aug 31, 2023
Slee6004 I suggest you check again with the DUO team as I remember there are some tweaks to perform from the Duo portal to prevent such behavior. I used to implement Duo with MFA long time ago and we added the sign in frequency from CA side and we define some similar settings from DUO side as well. hope this will help.

elieelkarkafi

MVP

Aug 30, 2023

Slee6004 the best practice is to create a conditional access policy to block all countries from accessing your cloud apps and exclude only your local country where your employees are located. in case you have some employees, who traveling outside the country, you can simply exclude the public IP where they are relocating or the country location where they are. also in the condition you can device to allow access if the user is connected from an Azure AD or Hybrid AD join device.

the conditional access policy is not enabled by default, it is a setting that you can force within the CA policy in case you need your users to be evaluated and enforced near real time.

Key benefits

User termination or password change/reset: User session revocation is enforced in near real time.
Network location change: Conditional Access location policies are enforced in near real time.
Token export to a machine outside of a trusted network can be prevented with Conditional Access location policies.

Slee6004

Brass Contributor

Aug 31, 2023

Thank you, eliekarkafy for your feedback. As you suggested, we have trsuted location configured and block all countries except the one we are located. But with DUO MFA as the custom control, it prompts all the time even though users don't require it. It's all due to one of our CA policies (all apps from all users at all locations except trusted ones require DUO MFA. There is nothing wrong with it except extra MFA prompts cause MFA fatigue. These extra prompts are the one our security team has more concerns than devices have changed location so is willing to not prompt for location changes. This concept is different from what I have learned about security practices so just wanted to have some suggestions from the community.

Thanks again for your information. Appreciate it!

Sally

elieelkarkafi
MVP
Aug 31, 2023
Slee6004 I suggest you check again with the DUO team as I remember there are some tweaks to perform from the Duo portal to prevent such behavior. I used to implement Duo with MFA long time ago and we added the sign in frequency from CA side and we define some similar settings from DUO side as well. hope this will help.
- Slee6004
  Brass Contributor
  Aug 31, 2023
  Wow, that's really helpful! We will check with DUO and see if they can offer some help. Really appreciate your sharing experiences with us. Thank you once again!!!!