MFA Azure and Office Admin Portal

1. MFA only when users access Azure Admin Portal
2. MFA only when users access Office 365 Admin Portal
3. Same must not go through MFA on other apps/services like Outlook, Teams, etc.
4. Also, what can I do in the situation when the MFA service is not available? I prefer using CA (Conditional Access) for this, as the same admin who is supposed to do MFA while logging on to any one of these Admin Portals; however, in case the MFA service has an issue or is not available for some reason,

how, or what configuration, can I keep in place beforehand and do minimal to quickly avoid the MFA prompt?

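5 Replies

I believe this is what you want:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/app-based-mfa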

@Rhys Williams 

No, that doesn't work as shown. I did a simple test: configured a policy, selected a user, said require MFA for all cloud apps but excluded 2, Exchange Online and Teams, and kept getting prompted for MFA on those two every time.

Can you try using the "What if" function on your conditional access policy, experiment with some different scenarios and report back? It may be that your policy is overlapping with some apps, causing it to MFA where it shouldn't.

You cannot target specific O365 portals/endpoints with CA policies; the best you can do is target the Azure ones as detailed here: https://docs.microsoft.com/en-us/azure/role-based-access-control/conditional-access-azure-management

 

As for a "bypass" option, I prefer using "known IPs"/"trusted locations": https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition#truste...
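
The approach in the reply above (MFA scoped to Azure management, skipped from trusted locations), as an added example that is not part of the original thread: a Conditional Access policy created through the Microsoft Graph PowerShell SDK. The display name and the choice to include all users are assumptions; the policy is created in report-only mode so its effect can be reviewed in the sign-in logs before enforcement.

```powershell
# Added example, not from the thread. Requires the Microsoft.Graph.Identity.SignIns
# module and an account allowed to manage Conditional Access policies.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'

$policy = @{
    # Constructed display name (assumption)
    displayName = 'Require MFA for Azure management outside trusted locations'

    # Report-only: the result is logged per sign-in but nothing is enforced yet.
    state = 'enabledForReportingButNotEnforced'

    conditions = @{
        clientAppTypes = @('all')

        applications = @{
            # App ID of the "Microsoft Azure Management" cloud app
            # (Azure portal, Azure Resource Manager, Azure PowerShell, Azure CLI)
            includeApplications = @('797f4846-ba00-4fd7-ba43-dac1f8f63013')
        }

        users = @{
            # Assumption: applies to every user who reaches Azure management
            includeUsers = @('All')
        }

        locations = @{
            includeLocations = @('All')
            # Skip the MFA requirement for sign-ins from named locations marked
            # as trusted and from the MFA trusted IPs list
            excludeLocations = @('AllTrusted')
        }
    }

    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

The location exclusion is evaluated against the public IP address seen for the sign-in, so it covers every client that egresses through an address marked as trusted. Setting `state` to `enabled` enforces the policy once the report-only results look right.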

@Vasil Michev 

 

So it is clear: if it is not possible to configure Azure MFA for Admin Portals only,

how would you recommend using trusted IPs for devices behind a cloud-based proxy?
