
Require MFA OR Intune Enrollment/compliance when Outside the Trusted IP Range


My company is currently piloting MFA and we have recently deployed Intune for corporate mobile devices. We have our MFA set up so it only requires 2-step verification when a device is outside the corporate network. We would like to require either MFA OR Intune enrollment on mobile devices when they are outside the corp. network.


I am testing a conditional access policy to accomplish this but it is still asking for 2-step verification even though my test mobile device is enrolled and compliant with Intune.


Under Access controls, I've selected grant access, require MFA, require device to be marked as compliant, and require ONE of the selected controls (preview).


Has anyone seen this issue before?
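The policy described in the question, expressed as a Microsoft Graph PowerShell call rather than portal clicks. This is an added example, not something from the thread: it assumes the Microsoft.Graph PowerShell module with Policy.ReadWrite.ConditionalAccess consent, and the group id is a placeholder. The "Require one of the selected controls" option is the `operator = "OR"` field; the policy is created in report-only mode so the sign-in logs show what it would do before anyone is prompted or blocked.

```powershell
# Added example (not from the thread). Conditional Access policy: MFA *or* a
# compliant (Intune-enrolled) device for Android/iOS outside trusted locations.
# Assumes Microsoft.Graph PowerShell; the pilot group id is a placeholder.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$pilotGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder: pilot group object id

$policy = @{
    displayName = "Mobile: MFA or compliant device outside trusted IPs"
    # Report-only: evaluated and logged, never enforced. Change to "enabled" once
    # the sign-in logs confirm compliant devices are granted without MFA.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeGroups = @($pilotGroupId) }
        applications = @{ includeApplications = @("All") }
        platforms    = @{ includePlatforms = @("android", "iOS") }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")   # named locations flagged as trusted (the corp IP range)
        }
    }
    grantControls = @{
        # "OR" is the "Require one of the selected controls" option in the portal;
        # "AND" would demand MFA *and* a compliant device, which is the usual mistake.
        operator        = "OR"
        builtInControls = @("mfa", "compliantDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Read the policy back and confirm the stored operator really is OR.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
"{0}: operator={1} controls={2}" -f $check.DisplayName,
    $check.GrantControls.Operator, ($check.GrantControls.BuiltInControls -join ",")
```

Scoping the policy to a pilot group and starting in report-only mode keeps a mis-set operator from locking the whole tenant out of mobile access while it is being tested.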

5 Replies

Do you use AD FS?

No ADFS, just have AD Connect syncing from On-prem to Azure AD.

I do not want to assume. Are you testing this on the corp network or off? If off, this is more than likely by design as MFA is designed to be used for each login attempt unless on a trusted network.

Omar, any chance you found a solution to not force MFA for compliant devices?  I too have the same requirements, where we do not want to prompt for MFA when using a device that is "compliant". 


It seems the conditional access policies simply do not work, at least in my experience. I've configured a policy to require a device to be compliant; I can see the device is marked YES for compliant in Azure AD. However, when using the same device to access the applications defined in the policy, I get the sorry, you can only access from "Devices or client applications that meet management compliance policy."


James,

Did you figure out your issue?
We had the issue, but that's because we were using MFA via our Office 365 and not through Intune. Disabled O365 MFA and added it to Intune. That corrected it for us.
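The last reply points at the usual cause: legacy per-user MFA (the Office 365 "enabled"/"enforced" setting) takes precedence over whatever Conditional Access grants, so a compliant device is still prompted. The diagnostic below is an added example, not from the thread. It assumes the Microsoft.Graph PowerShell module with AuditLog.Read.All and UserAuthenticationMethod.Read.All consent, that the beta `/users/{id}/authentication/requirements` endpoint is available in the tenant, and uses a placeholder UPN. It reports the user's per-user MFA state and then lists recent sign-ins with the policies that applied, what they enforced, and whether the device was seen as compliant at that moment.

```powershell
# Added diagnostic (not from the thread). Assumes Microsoft.Graph PowerShell;
# the UPN is a placeholder and the per-user MFA query uses the beta Graph endpoint.
Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All"
$upn = "testuser@contoso.example"   # placeholder test account

# 1. Legacy per-user MFA state. "enabled" or "enforced" here prompts on every
#    untrusted sign-in no matter what the Conditional Access policy decided.
$req = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/beta/users/$upn/authentication/requirements"
"Per-user MFA state for ${upn}: $($req.perUserMfaState)"

# 2. Recent sign-ins: which CA policies applied, what they enforced, and the
#    compliance/management flags the device presented at sign-in time.
$signIns = Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$upn'" -Top 10
foreach ($s in $signIns) {
    [pscustomobject]@{
        Time      = $s.CreatedDateTime
        App       = $s.AppDisplayName
        IP        = $s.IPAddress
        Compliant = $s.DeviceDetail.IsCompliant
        Managed   = $s.DeviceDetail.IsManaged
        CAStatus  = $s.ConditionalAccessStatus
        Policies  = ($s.AppliedConditionalAccessPolicies |
            Where-Object { $_.Result -ne "notApplied" } |
            ForEach-Object {
                "$($_.DisplayName)=$($_.Result)[$($_.EnforcedGrantControls -join '+')]"
            }) -join "; "
    }
}
```

If the per-user state is anything but "disabled", the prompt is coming from legacy MFA rather than the policy; if the sign-in row shows `Compliant = False` while Azure AD lists the device as compliant, the client is not sending the device identity (typically a browser or app that is not broker-aware), which is a separate problem from the policy's grant controls.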