ADFS + Cloud MFA

I'm working with a client that has ADFS and Cloud MFA enabled. We noticed that MFA challenges are only occurring for users going through the WAP and not the ADFS server directly. In other words, if they're on the corporate network or VPN, MFA challenges are bypassed completely. Now, access through the WAP, I think, uses FBA, while access from the corporate network uses Windows Integrated Auth. Does anyone know why only off-network users are being challenged by MFA?

2 Replies
best response confirmed by Michael Weber (Copper Contributor)
Solution

You have either added your internal network as a Trusted location in the Azure MFA admin panel, or are sending the "bypass" claim with requests coming from internal sources. WIA or FBA makes no difference here; you can force an MFA challenge for any form of primary authentication.

Thanks.  IP ranges were tripping me up.
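
An added example, not part of the original thread: one way to check the claim-rule half of the accepted answer is to search every relying party trust on the AD FS server for rules that mention an intranet or "MFA already done" claim. The two claim type URIs are assumptions about what the answer means by the "bypass" claim, `Find-MfaBypassClaim` is a hypothetical helper name, and the sample trust is constructed so the script also runs away from an AD FS server.

```powershell
# Added example. The claim type URIs are assumed to be what the answer means by the "bypass" claim.
$BypassClaims = [ordered]@{
    'http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork' = 'request flagged as intranet'
    'http://schemas.microsoft.com/claims/multipleauthn'              = 'MFA asserted as already done'
}

# Hypothetical helper: report each claim-rule line that mentions one of the claim types above.
function Find-MfaBypassClaim {
    param([string] $TrustName, [string] $RuleSet, [string] $RuleText)
    foreach ($claim in $BypassClaims.Keys) {
        $RuleText -split "`r?`n" | Select-String -SimpleMatch $claim | ForEach-Object {
            [pscustomobject]@{
                Trust   = $TrustName
                RuleSet = $RuleSet
                Meaning = $BypassClaims[$claim]
                Line    = $_.Line.Trim()
            }
        }
    }
}

if (Get-Command Get-AdfsRelyingPartyTrust -ErrorAction SilentlyContinue) {
    # On an AD FS server: read the real rules from every relying party trust.
    $trusts = Get-AdfsRelyingPartyTrust |
        Select-Object Name, IssuanceTransformRules, AdditionalAuthenticationRules
} else {
    # Constructed sample so the script also runs off-box; not taken from the thread.
    $trusts = [pscustomobject]@{
        Name                          = 'Sample trust (constructed)'
        AdditionalAuthenticationRules = ''
        IssuanceTransformRules        = @'
@RuleName = "Pass through inside corporate network"
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork"] => issue(claim = c);
'@
    }
}

$findings = foreach ($t in $trusts) {
    Find-MfaBypassClaim $t.Name 'IssuanceTransformRules' $t.IssuanceTransformRules
    Find-MfaBypassClaim $t.Name 'AdditionalAuthenticationRules' $t.AdditionalAuthenticationRules
}
if ($findings) { $findings | Format-List } else { 'No bypass-related claims found in relying party rules.' }
```

A match is a rule to review rather than proof of a bypass, and the Trusted location setting the answer mentions lives on the Azure MFA side, so it has to be checked there separately.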
