05-16-2017 06:45 AM
We are currently testing out Azure MFA, but want to skip requests when a user is on our corporate network. I have the "Skip multi-factor authentication for requests from following range of IP address subnets" option, but notice it has a limit of 50 subnets. Well, we have more than 50 subnets at multiple locations. We do not have ADFS in our environment and use password sync via ADConnect. I also have modern authentication enabled for Exchange Online.
I've been searching, but could not really find a definitive answer on how we could go about skipping MFA requests when users are on our corporate network.
Any help or guidance would be appreciated.
05-16-2017 11:49 AM
Those are the two ways available currently (here's a reference for others browsing the thread: https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-s...). If you are hitting the 50 ranges limit, simply consolidate them in /16 or "bigger" blocks.
I'm not aware of any way to increase the limit, but you can always open a support case and ask.
05-24-2017 11:30 AM
Thanks for the response. I am currently looking into Named Locations with Conditional Access in Azure AD. It seems to have a higher limit.
Limitations - You can define a maximum of 60 named locations with one IP range assigned to each of them. If you have just one named location configured, you can define up to 500 IP ranges for it.
I will update on my findings for anyone else who may be interested.
06-01-2017 07:29 AM
I am playing around with them now and will let you know the outcome. I'm just hoping I don't break something.
07-11-2017 01:53 PM
So just an FYI on my testing of conditional access within Azure AD. It does not look like there is any way to configure conditional access to resolve the 50 IP range limit. The exclusion features only look at the Trusted IP list and not the Named Locations. This is pretty disappointing. How are companies who want to enable MFA with more than 50 IP ranges supposed to bypass MFA when they are on-premises?
07-11-2017 11:43 PM
Well I guess one option will be to use MFA server on-prem, where you have more control over things.
07-03-2018 09:29 AM
09-18-2018 02:54 PM
Is there a way around for this? 50 subnets is not enough. Can anyone please confirm if Microsoft support has a way around this?
09-20-2018 08:59 PM
I guess you cannot use this literally to bypass MFA, but you can enforce it outside trusted locations. So basically the same scenario with different approach. However, in this approach MFA must only be enabled for users, not enforced.
10-03-2018 08:01 AM
I don't think that this is right. According to the document linked above ...
you can create a named location with 1200 IP ranges, and then mark it as trusted. Then you can use this in an exclude on a CA policy that mandates the use of MFA.
All that said, if you have AAD P2 the AzureAD Identity Protection feature is better: it learns the patterns of users and determines login risk. Use it to only require MFA when the risk is medium or above, and your users will be unlikely to ever see a prompt, but rogue login attempts will be thwarted.