Home

Bypass Azure MFA and Azure AD Connect Pass-Through Authentication

%3CLINGO-SUB%20id%3D%22lingo-sub-109309%22%20slang%3D%22en-US%22%3EBypass%20Azure%20MFA%20and%20Azure%20AD%20Connect%20Pass-Through%20Authentication%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-109309%22%20slang%3D%22en-US%22%3E%3CP%3ESo%20here%20is%20a%20dilemma%20we%20are%20currently%20in.%20%26nbsp%3BWe%20are%20in%20the%20process%20of%20rolling%20out%20MFA%20to%20our%20user%20base%20and%20have%20close%20to%2060%20locations%20all%20with%20different%20egress%20IP's.%20%26nbsp%3BWe%20want%20to%20bypass%20MFA%20when%20the%20user%20is%20connected%20to%20the%20corporate%20network%2C%20but%20the%20problem%20is%20the%2050%20IP%20range%20limit%20that%20is%20set%20in%20the%20trusted%20IP's%20section%20for%20MFA%20configuration.%20%26nbsp%3BIMO%20that's%20pretty%20low%20considering%20how%20hard%20MS%20is%20pushing%20people%20to%20get%20MFA%20enabled.%20%26nbsp%3BSo%20after%20some%20research%20and%20discussions%20I%20wanted%20to%20get%20someone%20elses%20take%20on%20this.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWould%20enabling%20AD%20Connect%20Pass-Through%20Authentication%20in%20our%20environment%20mitigate%20this%20to%20where%20MFA%20is%20bypassed%20since%20the%20user%20is%20already%20authenticated%3F%20%26nbsp%3BAre%20there%20any%20other%20alternatives%20or%20are%20we%20stuck%20with%20the%20trusted%20IP%20limit%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20in%20advanced.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-109309%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20AD%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMulti-Factor%20Authentication%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-129516%22%20slang%3D%22en-US%22%3ERe%3A%20Bypass%20Azure%20MFA%20and%20Azure%20AD%20Connect%20Pass-Through%20Authentication%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-129516%22%20slang%3D%22en-US%22%3E%3CP%3EI%20agree%20with%20Carsten.%20For%20this%20scenario%2C%20you%20do%20need%20to%20deploy%20AD%20FS.%20After%20that%20you'll%20have%20a%20full%20control%20how%20to%20authenticate%20people%20and%20you%20can%20also%20bypass%20Azure%20MFA%20if%20needed.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAnd%20I%20hope%20you're%20aware%20that%20PTA%20does%20not%20work%20with%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fconnect%2Factive-directory-aadconnect-pass-through-authentication-current-limitations%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3ESkype%20for%20Business%20clients%20%3C%2FA%3Ewithout%20password%20hash%20sync%2C%20which%20kind%20of%20ruins%20the%20whole%20idea%20of%20PTA.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-129219%22%20slang%3D%22en-US%22%3ERe%3A%20Bypass%20Azure%20MFA%20and%20Azure%20AD%20Connect%20Pass-Through%20Authentication%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-129219%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Paul%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20was%20wondering%20how%20to%20go%20about%20creating%20this%20MFA%20bypass%20by%20device%20status.%20Any%20help%20would%20be%20appreciated.%20And%20do%20you%20know%20if%20this%20would%20circumvent%20requiring%20an%20app%20password%20on%20the%20native%20iOS%20email%20client%20on%20Intune%20enrolled%20devices%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-128560%22%20slang%3D%22en-US%22%3ERe%3A%20Bypass%20Azure%20MFA%20and%20Azure%20AD%20Connect%20Pass-Through%20Authentication%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-128560%22%20slang%3D%22en-US%22%3E%3CP%3EThis%20does%20not%20require%20ADFS%20then%3F%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-110090%22%20slang%3D%22en-US%22%3ERe%3A%20Bypass%20Azure%20MFA%20and%20Azure%20AD%20Connect%20Pass-Through%20Authentication%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-110090%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Ulf%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20wish%20it%20were%20that%20simple.%20%26nbsp%3BAll%20our%20egress%20IP's%20at%20the%20branch%20locations%20are%20different%20so%20if%20I%20enter%20a%20subnet%20range%20then%20I%20would%20be%20potentially%20adding%20IP's%20that%20we%20do%20not%20own.%20%26nbsp%3BThanks%20for%20the%20suggestion%20though.%20%26nbsp%3BI%20do%20appreciate%20it.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-109779%22%20slang%3D%22en-US%22%3ERe%3A%20Bypass%20Azure%20MFA%20and%20Azure%20AD%20Connect%20Pass-Through%20Authentication%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-109779%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Derek%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Earen't%20you%20able%20to%20use%20%22Supernetting%22%20(combining%20multiple%20networks%20into%20a%20larger%20network%2C%20which%20is%20only%20a%20representation%20but%20does%20not%20reflect%20the%20physical%20network)%3F%20E.g.%20combining%2010.1.1.x%2F24%2C%2010.1.2.x%2F24%20and%2010.1.3.x%2F24%20to%2010.1.1.x%2F22%20(which%20includes%20all%20adresses%20from%2010.1.0.1%20to%2010.1.3.255)%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20should%20work%20and%20could%20help%20your%20issue%20if%20you%20have%20%22connecting%20network%20ranges%22%20in%20different%20networks.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBr%2C%20Ulf%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-109717%22%20slang%3D%22en-US%22%3ERe%3A%20Bypass%20Azure%20MFA%20and%20Azure%20AD%20Connect%20Pass-Through%20Authentication%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-109717%22%20slang%3D%22en-US%22%3E%3CP%3EIf%20you%20have%20EMS%20licenses%20you%20could%20do%20device-based%20MFA%20bypass%20instead%20of%20network-based.%20The%20idea%20is%20that%20all%20networks%20are%20treated%20as%20hostile%20these%20days%2C%20there%20is%20no%20internal%20vs%20external%20etc.%3CBR%20%2F%3E%3CBR%20%2F%3ETreat%20enrolled%2Fcompliant%2Fdomain-joined%20devices%20as%20not%20requiring%20MFA%2C%20and%20prompt%20for%20MFA%20on%20non-enrolled%2Fnon-compliant%2Fnon-domain%20devices.%20If%20you%20want%20to%20enhance%20that%20solution%20further%20you%20can%20add%20risk-based%20MFA%20prompts%20as%20well.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-109655%22%20slang%3D%22en-US%22%3ERe%3A%20Bypass%20Azure%20MFA%20and%20Azure%20AD%20Connect%20Pass-Through%20Authentication%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-109655%22%20slang%3D%22en-US%22%3E%3CP%3EI%20assume%20you're%20talking%20about%20Azure%20MFA%3F%20Then%20you%20are%20indeed%20a%20bit%20limited%20although%20the%20limit%20has%20been%20discussed%20a%20lot%20lately%2C%20so%20I%20expect%20Microsoft%20to%20address%20this%20in%20the%20future.%20Perhaps%20some%20announcement%20will%20be%20made%20at%20Ignite%20next%20week%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E
Derek Hymel
Occasional Contributor

So here is a dilemma we are currently in.  We are in the process of rolling out MFA to our user base and have close to 60 locations all with different egress IP's.  We want to bypass MFA when the user is connected to the corporate network, but the problem is the 50 IP range limit that is set in the trusted IP's section for MFA configuration.  IMO that's pretty low considering how hard MS is pushing people to get MFA enabled.  So after some research and discussions I wanted to get someone elses take on this.

 

Would enabling AD Connect Pass-Through Authentication in our environment mitigate this to where MFA is bypassed since the user is already authenticated?  Are there any other alternatives or are we stuck with the trusted IP limit?

 

Thanks in advanced.

7 Replies

I assume you're talking about Azure MFA? Then you are indeed a bit limited although the limit has been discussed a lot lately, so I expect Microsoft to address this in the future. Perhaps some announcement will be made at Ignite next week?

If you have EMS licenses you could do device-based MFA bypass instead of network-based. The idea is that all networks are treated as hostile these days, there is no internal vs external etc.

Treat enrolled/compliant/domain-joined devices as not requiring MFA, and prompt for MFA on non-enrolled/non-compliant/non-domain devices. If you want to enhance that solution further you can add risk-based MFA prompts as well.

Hi Derek,

 

aren't you able to use "Supernetting" (combining multiple networks into a larger network, which is only a representation but does not reflect the physical network)? E.g. combining 10.1.1.x/24, 10.1.2.x/24 and 10.1.3.x/24 to 10.1.1.x/22 (which includes all adresses from 10.1.0.1 to 10.1.3.255)?

 

This should work and could help your issue if you have "connecting network ranges" in different networks.

 

Br, Ulf

Hi Ulf,

 

I wish it were that simple.  All our egress IP's at the branch locations are different so if I enter a subnet range then I would be potentially adding IP's that we do not own.  Thanks for the suggestion though.  I do appreciate it.

This does not require ADFS then? 

Hi Paul,

 

I was wondering how to go about creating this MFA bypass by device status. Any help would be appreciated. And do you know if this would circumvent requiring an app password on the native iOS email client on Intune enrolled devices?

I agree with Carsten. For this scenario, you do need to deploy AD FS. After that you'll have a full control how to authenticate people and you can also bypass Azure MFA if needed.

 

And I hope you're aware that PTA does not work with Skype for Business clients without password hash sync, which kind of ruins the whole idea of PTA. 

Related Conversations
Extentions Synchronization
ChirmyRam in Discussions on
3 Replies
Tabs and Dark Mode
cjc2112 in Discussions on
35 Replies
flashing a white screen while open new tab
Deleted in Discussions on
14 Replies
Security Community Webinars
Valon_Kolica in Security, Privacy & Compliance on
9 Replies