Home

Skip multi-factor authentication IP whitelist

%3CLINGO-SUB%20id%3D%22lingo-sub-70314%22%20slang%3D%22en-US%22%3ESkip%20multi-factor%20authentication%20IP%20whitelist%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-70314%22%20slang%3D%22en-US%22%3E%3CP%3EHello%2C%3C%2FP%3E%3CP%3EWe%20are%20currently%20testing%20out%20Azure%20MFA%2C%20but%20want%20to%20skip%20requests%20when%20the%20users%20is%20on%20our%20corporate%20network.%20%26nbsp%3BI%20have%20the%20%22%3CSPAN%3ESkip%20multi-factor%20authentication%20for%20requests%20from%20following%20range%20of%20IP%20address%20subnets%22%2C%20but%20notice%20it%20has%20a%20limit%20of%2050%20subnets.%20%26nbsp%3BWell%20we%20have%20more%20than%2050%20subnets%20at%20multiple%20locations.%20%26nbsp%3BWe%20do%20not%20have%20ADFS%20in%20our%20environment%20and%20use%20password%20sync%20via%20ADConnect.%20%26nbsp%3BI%20also%20have%20modern%20authentication%20enabled%20for%20Exchange%20Online.%20%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EI've%20been%20searching%2C%20but%20could%20not%20really%20find%20a%20definitive%20answer%20on%20how%20we%20could%20go%20about%20skipping%20MFA%20requests%20when%20users%20are%20on%20our%20corporate%20network.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EAny%20help%20or%20guidance%20would%20be%20appreciated.%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-70314%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20AD%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-266337%22%20slang%3D%22en-US%22%3ERe%3A%20Skip%20multi-factor%20authentication%20IP%20whitelist%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-266337%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%3EI%20don't%20think%20that%20this%20is%20right.%20According%20to%20the%20document%20linked%20above%20...%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Freports-monitoring%2Fquickstart-configure-named-locations%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Freports-monitoring%2Fquickstart-configure-named-locations%3C%2FA%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3Eyou%20can%20create%20a%20named%20location%20with%201200%20ip%20ranges%2C%20and%20then%20mark%20it%20as%20trusted.%26nbsp%3B%3C%2FSPAN%3EThen%20you%20can%20use%20this%20in%20an%20exclude%20on%20a%20CA%20policy%20that%20mandates%20the%20use%20of%20MFA.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EAll%20that%20said%2C%20if%20you%20have%20AAD%20P2%20the%20AzureAD%20Identity%20Protection%20feature%20is%20better%2C%20it%20learns%20the%20patterns%20of%20users%20and%20determines%20login%20risk%2C%20use%20it%20to%20only%20requireMFA%20when%20the%20risk%20is%20medium%20or%20above%20and%20your%20users%20will%20be%20unlikely%20to%20eer%20see%20a%20prompt%2C%20but%20rogue%20login%20attempt%20will%20be%20thwarted.%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-260030%22%20slang%3D%22en-US%22%3ERe%3A%20Skip%20multi-factor%20authentication%20IP%20whitelist%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-260030%22%20slang%3D%22en-US%22%3E%3CP%3EI%20guess%20you%20cannot%20use%20this%20literally%20to%20bypass%20MFA%2C%20but%20you%20can%20enforce%20it%20outside%20trusted%20locations.%20So%20basically%20the%20same%20scenario%20with%20different%20approach.%20However%2C%20in%20this%20approach%20MFA%26nbsp%3Bmust%20only%20be%20enabled%20for%20users%2C%20not%20enforced.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-254158%22%20slang%3D%22en-US%22%3ERe%3A%20Skip%20multi-factor%20authentication%20IP%20whitelist%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-254158%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20All%2C%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20there%20a%20way%20around%20for%20this%3F%2050%20subnets%20is%20not%20enough.%20Can%20anyone%20please%20confirm%20if%20Microsoft%20support%20has%20a%20way%20around%20this%3F%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%2C%3C%2FP%3E%3CP%3EOlson%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-211768%22%20slang%3D%22en-US%22%3ERe%3A%20Skip%20multi-factor%20authentication%20IP%20whitelist%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-211768%22%20slang%3D%22en-US%22%3E%3CP%3ESimply%20add%20an%20%2F32%20range.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-211763%22%20slang%3D%22en-US%22%3ERe%3A%20Skip%20multi-factor%20authentication%20IP%20whitelist%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-211763%22%20slang%3D%22en-US%22%3EIs%20there%20any%20way%20to%20add%20a%20single%20public%20IP%20address%20instead%20of%20a%20range%3F%3CBR%20%2F%3EAdding%20a%20public%20IP%20range%20would%20circumvent%20certain%20conditional%20access%20rules%20based%20on%20trusted%20locations%2C%20and%20could%20include%20an%20adversaries%20IP%20address.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-148791%22%20slang%3D%22en-US%22%3ERe%3A%20Skip%20multi-factor%20authentication%20IP%20whitelist%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-148791%22%20slang%3D%22en-US%22%3E%3CP%3ECould%20you%20not%20use%20network%20summary%20address%20for%20each%20location%20%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-86637%22%20slang%3D%22en-US%22%3ERe%3A%20Skip%20multi-factor%20authentication%20IP%20whitelist%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-86637%22%20slang%3D%22en-US%22%3E%3CP%3EWell%20I%20guess%20one%20option%20will%20be%20to%20use%20MFA%20server%20on-prem%2C%20where%20you%20have%20more%20control%20over%20things.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-86534%22%20slang%3D%22en-US%22%3ERe%3A%20Skip%20multi-factor%20authentication%20IP%20whitelist%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-86534%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%3ESo%20just%20an%20FYI%20on%20my%20testing%20of%20conditional%20access%20within%20Azure%20AD.%20%26nbsp%3BThere%20does%20not%20look%20like%20there%20is%20anyway%20to%20configure%20conditional%20access%20to%20resolve%20the%2050%20ip%20range%20limit.%20%26nbsp%3BThe%20exclusion%20features%20only%20look%20at%20the%20Trusted%20IP%20list%20and%20not%20the%20Named%20Locations.%20This%20is%20pretty%20disappointing.%20%26nbsp%3BHow%20are%20companies%20who%20want%20to%20enable%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3EMFA%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Ewith%20more%20than%2050%20ip%20ranges%20supposed%20to%20bypass%20MFA%20if%20they%20are%20on%20premise%3F%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-74414%22%20slang%3D%22en-US%22%3ERe%3A%20Skip%20multi-factor%20authentication%20IP%20whitelist%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-74414%22%20slang%3D%22en-US%22%3E%3CP%3EI%20am%20playing%20around%20with%20them%20now%20and%20will%20let%20you%20know%20the%20outcome.%20%26nbsp%3BI'm%20just%20hoping%20I%20just%20don't%20break%20something.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-72946%22%20slang%3D%22en-US%22%3ERe%3A%20Skip%20multi-factor%20authentication%20IP%20whitelist%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-72946%22%20slang%3D%22en-US%22%3E%3CP%3EBut%20can%20you%20actually%20use%20them%26nbsp%3Bfor%20MFA%20bypass%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-72780%22%20slang%3D%22en-US%22%3ERe%3A%20Skip%20multi-factor%20authentication%20IP%20whitelist%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-72780%22%20slang%3D%22en-US%22%3E%3CP%3EVasil%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20for%20the%20response.%20%26nbsp%3BI%20am%20currently%20looking%20into%20Named%20Locations%20with%20Conditional%20Access%20in%20Azure%20AD.%20%26nbsp%3BIt%20seems%20to%20have%20a%20higher%20limit.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20title%3D%22Named%20locations%20in%20Azure%20Active%20Directory%22%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Factive-directory-named-locations%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Factive-directory-named-locations%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3ELimitations%3C%2FSTRONG%3E%3CSPAN%3E%20-%20You%20can%20define%20a%20maximum%20of%2060%20named%20locations%20with%20one%20IP%20range%20assigned%20to%20each%20of%20them.%20If%20you%20have%20just%20one%20named%20location%20configured%2C%20you%20can%20define%20up%20to%20500%20IP%20ranges%20for%20it.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EI%20will%20update%20on%20my%20findings%20for%20anyone%20else%20who%20may%20be%20interested.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EThanks%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-70434%22%20slang%3D%22en-US%22%3ERe%3A%20Skip%20multi-factor%20authentication%20IP%20whitelist%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-70434%22%20slang%3D%22en-US%22%3E%3CP%3EThose%20are%20the%20two%20ways%20available%20currently%20(here's%20a%20reference%20for%20others%20browsing%20the%20thread%3A%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fmulti-factor-authentication%2Fmulti-factor-authentication-get-started-adfs-cloud%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fmulti-factor-authentication%2Fmulti-factor-authentication-get-started-adfs-cloud%3C%2FA%3E).%20If%20you%20are%20hitting%20the%2050%20ranges%20limit%2C%20simply%20consolidate%20them%20in%20%2F16%20or%20%22bigger%22%20blocks.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI'm%20not%20aware%20of%20any%20way%20to%20increase%20the%20limit%2C%20but%20you%20can%20always%20open%20a%20support%20case%20and%20ask.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Derek Hymel
Occasional Contributor

Hello,

We are currently testing out Azure MFA, but want to skip requests when the users is on our corporate network.  I have the "Skip multi-factor authentication for requests from following range of IP address subnets", but notice it has a limit of 50 subnets.  Well we have more than 50 subnets at multiple locations.  We do not have ADFS in our environment and use password sync via ADConnect.  I also have modern authentication enabled for Exchange Online.  

 

I've been searching, but could not really find a definitive answer on how we could go about skipping MFA requests when users are on our corporate network.

 

Any help or guidance would be appreciated.

12 Replies

Those are the two ways available currently (here's a reference for others browsing the thread: https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-s...). If you are hitting the 50 ranges limit, simply consolidate them in /16 or "bigger" blocks.

 

I'm not aware of any way to increase the limit, but you can always open a support case and ask.

Vasil,

 

Thanks for the response.  I am currently looking into Named Locations with Conditional Access in Azure AD.  It seems to have a higher limit.

 

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-named-locations

 

Limitations - You can define a maximum of 60 named locations with one IP range assigned to each of them. If you have just one named location configured, you can define up to 500 IP ranges for it.

 

I will update on my findings for anyone else who may be interested.

 

Thanks

But can you actually use them for MFA bypass?

I am playing around with them now and will let you know the outcome.  I'm just hoping I just don't break something.

So just an FYI on my testing of conditional access within Azure AD.  There does not look like there is anyway to configure conditional access to resolve the 50 ip range limit.  The exclusion features only look at the Trusted IP list and not the Named Locations. This is pretty disappointing.  How are companies who want to enable MFA with more than 50 ip ranges supposed to bypass MFA if they are on premise?

Well I guess one option will be to use MFA server on-prem, where you have more control over things.

Could you not use network summary address for each location ?

Is there any way to add a single public IP address instead of a range?
Adding a public IP range would circumvent certain conditional access rules based on trusted locations, and could include an adversaries IP address.

Simply add an /32 range.

Hi All, 

 

Is there a way around for this? 50 subnets is not enough. Can anyone please confirm if Microsoft support has a way around this? 

 

Thanks,

Olson

I guess you cannot use this literally to bypass MFA, but you can enforce it outside trusted locations. So basically the same scenario with different approach. However, in this approach MFA must only be enabled for users, not enforced.

I don't think that this is right. According to the document linked above ...

 

https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/quickstart-configure-name...

 

you can create a named location with 1200 ip ranges, and then mark it as trusted. Then you can use this in an exclude on a CA policy that mandates the use of MFA.

 

All that said, if you have AAD P2 the AzureAD Identity Protection feature is better, it learns the patterns of users and determines login risk, use it to only requireMFA when the risk is medium or above and your users will be unlikely to eer see a prompt, but rogue login attempt will be thwarted.

Related Conversations
Extentions Synchronization
ChirmyRam in Discussions on
3 Replies
Tabs and Dark Mode
cjc2112 in Discussions on
35 Replies
flashing a white screen while open new tab
Deleted in Discussions on
14 Replies
Security Community Webinars
Valon_Kolica in Security, Privacy & Compliance on
9 Replies