cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Azure MFA (through Conditional Access) with MFA Trusted IPs - Expected Behaviour?

kidtrebor
Copper Contributor

‎Mar 23 2022 02:59 AM

‎Mar 23 2022 02:59 AM

Azure MFA (through Conditional Access) with MFA Trusted IPs - Expected Behaviour?

Hi there,

 

I've recently enabled MFA within my organisation, but excluded the MFA Trusted IP ranges, that excludes both the private IP subnets on the local network and the public IP of the org.  So far, so good.

 

After enrolling, users are then no longer prompted for MFA on that device - but if, for example, I open an in-private tab in Edge and try to log into office.com I am being prompted for MFA.

 

This is unexpected, because I'm logging in from a trusted IP - I wouldn't have expected to get a prompt for MFA on either an in-private login on a device I'm already logged into, or any other device onto which I'm logging in for the first time (from that trusted location).

 

Is this expected behaviour, or is there a problem with the way I've set up the MFA exclusion?

 

Thanks a lot.

Robert

Labels:
1,395 Views
0 Likes
2 Replies
Reply
2 Replies
rahuljindal-MVP

‎Mar 24 2022 12:03 AM

‎Mar 24 2022 12:03 AM

Re: Azure MFA (through Conditional Access) with MFA Trusted IPs - Expected Behaviour?

Have you checked if MFA is triggered by a CA policy? I normally look under sign-in logs. Do you have Identity protection policies configured by any chance? I recently blogged about it that may help here.https://rahuljindalmyit.blogspot.com/2022/03/using-conditional-access-to-enable.html
0 Likes
Reply
joeyvldn

‎Mar 27 2022 07:00 AM

‎Mar 27 2022 07:00 AM

Re: Azure MFA (through Conditional Access) with MFA Trusted IPs - Expected Behaviour?

How is the windows sign in done? WHfB? To my opinion this is expected behavior in a inprivate mode.

Can you check the Azure AD sign-in logs in the CA tab?

I would never exclude corporate offices/subnets from MFA. I would always require MFA for all sign-ins. Try to migrate to Windows Hello for Business to make sign-ins protected by MFA and bring SSO to the next level.
0 Likes
Reply