SOLVED

ADFS + Cloud MFA

Michael Weber
New Contributor

I'm working with a client that has ADFS and Cloud MFA enabled. We noticed that MFA challenges are only occurring for users going through the WAP and not the ADFS server directly. In other words, if they're on the corporate network or VPN, MFA challenges are bypassed completely. Now, access through the WAP I think uses FBA while access from the corporate network uses Windows Integrated Auth. Does anyone know why only off-network users are being challenged by MFA?

2 Replies
Solution

You either have added your internal network as Trusted location in the Azure MFA admin panel, or are sending the "bypass" claim with requests coming from internal sources. WIA or FBA make no difference here, you can force MFA challenge for any form of primary authentication.
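The two mechanisms the accepted answer names both leave traces on the AD FS side: an additional-authentication rule that only demands MFA when `insidecorporatenetwork` is false, an issuance rule that sends Azure AD the `multipleauthn` value (the "bypass" claim, which tells Azure AD that MFA already happened), or a pass-through of `insidecorporatenetwork` that the Azure MFA Trusted IPs option "skip MFA for federated users on my intranet" acts on. The script below is an added example, not code from this thread or from Microsoft; it assumes an AD FS 2012 R2 or later farm, an elevated session on an AD FS server, and that the Azure AD relying party trust still carries its default name (`$rpName` is an assumption to adjust). It dumps the three rule sets, flags each of the three patterns, and prints the rule that forces MFA for every request regardless of WIA, FBA or network location.

```powershell
# Added diagnostic, not code from the thread. Assumes AD FS 2012 R2 or later,
# an elevated PowerShell session on an AD FS server, and that the Azure AD
# relying party trust carries its default name; change $rpName otherwise.
Import-Module ADFS

$rpName     = 'Microsoft Office 365 Identity Platform'   # assumption: default trust name
$insideCorp = 'http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork'
$mfaValue   = 'http://schemas.microsoft.com/claims/multipleauthn'

$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp) { throw "Relying party trust '$rpName' not found; set `$rpName to your Azure AD trust name." }

# The rule sets that decide whether the MFA adapter runs, and the issuance
# rules that tell Azure AD what AD FS did.
$ruleSets = [ordered]@{
    'Global additional authentication rules' = (Get-AdfsAdditionalAuthenticationRule)
    'Trust additional authentication rules'  = $rp.AdditionalAuthenticationRules
    'Trust issuance transform rules'         = $rp.IssuanceTransformRules
}

foreach ($name in $ruleSets.Keys) {
    $text = [string]$ruleSets[$name]
    Write-Host "== $name =="
    if ([string]::IsNullOrWhiteSpace($text)) { Write-Host '(none)'; continue }
    Write-Host $text

    # Pattern 1: MFA is only demanded when the request did NOT arrive via the
    # WAP (insidecorporatenetwork == "false"), so intranet and VPN users skip it.
    if ($text -match [regex]::Escape($insideCorp) -and $text -match '"false"') {
        Write-Warning "$name conditions MFA on insidecorporatenetwork == false; internal requests are never challenged."
    }
    # Pattern 2: AD FS asserts to Azure AD that MFA already happened. Issued
    # unconditionally (or for internal requests) this is the "bypass" claim.
    if ($name -like '*issuance*' -and $text -match [regex]::Escape($mfaValue)) {
        Write-Warning "$name issues $mfaValue; check the condition it is issued under."
    }
    # Pattern 3: insidecorporatenetwork is passed through to Azure AD, which
    # the Trusted IPs 'skip MFA for federated users on my intranet' option honours.
    if ($name -like '*issuance*' -and $text -match [regex]::Escape($insideCorp)) {
        Write-Warning "$name passes $insideCorp through to Azure AD; Trusted IPs can act on it."
    }
}

# Hardened form: invoke the MFA adapter for every request, whatever the
# primary authentication method or network location. It replaces the whole
# global rule set, so review the output above before applying it.
$forceMfaForAll = '=> issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");'
Write-Host "`nTo require MFA for all primary authentication types and locations, run:"
Write-Host "  Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules '$forceMfaForAll'"
```

The first two patterns are what the reply describes; the third is the AD FS side of the "trusted location" setting in the Azure MFA portal, which for federated users is driven by the `insidecorporatenetwork` claim rather than by the source IP Azure AD sees. Removing the `insidecorporatenetwork` condition (or applying the unconditional rule printed at the end) is what makes WIA and FBA behave the same way.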

Thanks. IP ranges were tripping me up.
