MFA Enforced for O365Global admins - Trusted IPs bypass not working for Azure MFA server on-premise

Mohan Seenippandian
Occasional Contributor

We have Azure MFA server on-premises and enforced MFA for all global admins (federated and cloud users). Now we would like to enable Trusted IPs to bypass MFA for some IP ranges, so we configured the Trusted IPs in the cloud. It looks like the Trusted IPs bypass is not working for Azure MFA server users (federated users who use Azure MFA on-premise). However, it works for cloud users who use Azure MFA online. Is there any solution to get this working for both federated and cloud users? We evaluated conditional access policy, but enforcing MFA meets the requirement as we would like to ensure the admins use approved clients and PowerShell modules with no app passwords to connect to O365 services.

Thanks.

2 Replies

Trusted IPs only apply to Azure MFA, not the MFA server. There's a similar option in the MFA server settings on-premises, but it only applies to the User portal, afaik. You can easily configure bypass via the AD FS claims rules though, or simply enforce MFA only when the request is coming from the WAP server (externally).
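
The AD FS claims-rule approach mentioned in the reply above could look like the following. This is an added example, not part of the original thread: the relying party trust name and the trusted IP range are assumptions, and it presumes the on-premises MFA provider is already registered in AD FS as an additional authentication method.

```powershell
# Added example with constructed values; adjust to your environment before use.
Import-Module ADFS

# Assumption: the Office 365 relying party trust uses this display name.
$rpName = 'Microsoft Office 365 Identity Platform'

# Constructed sample: regex for a trusted egress range 203.0.113.0/24
# (a documentation range). Keep bypass ranges as narrow as possible.
$trustedIpRegex = '\b203\.0\.113\.([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\b'

# Require MFA only when the request arrives from outside the corporate
# network (through the WAP) AND the forwarded client IP is not in the
# trusted range. Requests from inside the network match no rule and are
# therefore not prompted for MFA by AD FS.
$rule = @"
exists([Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value =~ "$trustedIpRegex"])
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");
"@

# Keep a copy of the existing rule set so the change can be rolled back.
$before = (Get-AdfsRelyingPartyTrust -Name $rpName).AdditionalAuthenticationRules
$before | Out-File -FilePath .\AdditionalAuthenticationRules.backup.txt

# Apply the rule to the Office 365 trust only, not globally.
Set-AdfsRelyingPartyTrust -TargetName $rpName -AdditionalAuthenticationRules $rule

# Verify what AD FS now has stored for the trust.
(Get-AdfsRelyingPartyTrust -Name $rpName).AdditionalAuthenticationRules
```

To enforce MFA for every external request with no IP exception, which is the second option in the reply, drop the `NOT exists(...)` line from the rule.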
