Azure MFA (through Conditional Access) with MFA Trusted IPs - Expected Behaviour?


Hi there,

I've recently enabled MFA within my organisation, but excluded the MFA Trusted IP ranges, which exclude both the private IP subnets on the local network and the public IP of the org. So far, so good.

After enrolling, users are then no longer prompted for MFA on that device - but if, for example, I open an in-private tab in Edge and try to log into office.com I am being prompted for MFA.

This is unexpected, because I'm logging in from a trusted IP - I wouldn't have expected to get a prompt for MFA on either an in-private login on a device I'm already logged into, or any other device onto which I'm logging in for the first time (from that trusted location).

Is this expected behaviour, or is there a problem with the way I've set up the MFA exclusion?

Thanks a lot.

Robert

2 Replies
Have you checked if MFA is triggered by a CA policy? I normally look under sign-in logs. Do you have Identity Protection policies configured by any chance? I recently blogged about it, which may help here: https://rahuljindalmyit.blogspot.com/2022/03/using-conditional-access-to-enable.html

How is the Windows sign-in done? WHfB? In my opinion this is expected behavior in InPrivate mode.

Can you check the Azure AD sign-in logs in the CA tab?

I would never exclude corporate offices/subnets from MFA. I would always require MFA for all sign-ins. Try to migrate to Windows Hello for Business to make sign-ins protected by MFA and bring SSO to the next level.
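Both replies point at the sign-in logs as the place to find out which policy forced the MFA prompt. The following is an added triage example, not code from the thread: it walks Entra ID sign-in records (the Graph `signIn` fields `authenticationRequirement`, `networkLocationDetails` and `appliedConditionalAccessPolicies`) and lists the sign-ins that required MFA despite coming from a trusted location, together with the CA policies that enforced it. The records, users, IPs and policy names are constructed; an empty `mfa_enforced_by` list means no CA policy in the record enforced MFA, so the requirement came from elsewhere (for example legacy per-user MFA), which the record alone cannot distinguish.

```python
import json

# Graph networkType values treated as "trusted" for this triage
TRUSTED_TYPES = {"trustedNamedLocation", "intranet"}

# Constructed sample sign-in records shaped like Entra ID / Graph signIn objects.
# Only the fields read below are present; users, IPs and policy names are made up.
SAMPLE_SIGNINS = json.loads("""[
 {"id": "s1", "userPrincipalName": "robert@example.org", "ipAddress": "203.0.113.10",
  "authenticationRequirement": "multiFactorAuthentication",
  "networkLocationDetails": [{"networkType": "trustedNamedLocation", "networkNames": ["HQ office"]}],
  "appliedConditionalAccessPolicies": [
   {"displayName": "Require MFA - all users", "result": "notApplied", "enforcedGrantControls": []},
   {"displayName": "Sign-in risk - require MFA", "result": "success", "enforcedGrantControls": ["Mfa"]}]},
 {"id": "s2", "userPrincipalName": "robert@example.org", "ipAddress": "203.0.113.10",
  "authenticationRequirement": "singleFactorAuthentication",
  "networkLocationDetails": [{"networkType": "trustedNamedLocation", "networkNames": ["HQ office"]}],
  "appliedConditionalAccessPolicies": [
   {"displayName": "Require MFA - all users", "result": "notApplied", "enforcedGrantControls": []}]},
 {"id": "s3", "userPrincipalName": "alice@example.org", "ipAddress": "198.51.100.7",
  "authenticationRequirement": "multiFactorAuthentication",
  "networkLocationDetails": [{"networkType": "extranet", "networkNames": []}],
  "appliedConditionalAccessPolicies": [
   {"displayName": "Require MFA - all users", "result": "success", "enforcedGrantControls": ["Mfa"]}]},
 {"id": "s4", "userPrincipalName": "robert@example.org", "ipAddress": "203.0.113.10",
  "authenticationRequirement": "multiFactorAuthentication",
  "networkLocationDetails": [{"networkType": "trustedNamedLocation", "networkNames": ["HQ office"]}],
  "appliedConditionalAccessPolicies": []}
]""")


def mfa_prompts_from_trusted_locations(signins):
    """Return sign-ins that required MFA although they came from a trusted location,
    naming the CA policies that enforced MFA (empty list: not enforced by CA here)."""
    findings = []
    for s in signins:
        if s.get("authenticationRequirement") != "multiFactorAuthentication":
            continue  # single-factor sign-in, nothing to explain
        trusted = [n for loc in s.get("networkLocationDetails", [])
                   if loc.get("networkType") in TRUSTED_TYPES
                   for n in (loc.get("networkNames") or [loc["networkType"]])]
        if not trusted:
            continue  # MFA from an untrusted network is the expected case
        enforcing = [p["displayName"] for p in s.get("appliedConditionalAccessPolicies", [])
                     if p.get("result") == "success" and "Mfa" in p.get("enforcedGrantControls", [])]
        findings.append({"id": s["id"], "user": s["userPrincipalName"], "ip": s["ipAddress"],
                         "trusted_locations": trusted, "mfa_enforced_by": enforcing})
    return findings


if __name__ == "__main__":
    for finding in mfa_prompts_from_trusted_locations(SAMPLE_SIGNINS):
        print(finding)
```

Against a real export, feed the `value` array of a sign-in log query to `mfa_prompts_from_trusted_locations` and look at `mfa_enforced_by`: a risk-based or other policy named there explains the prompt, while an empty list means the exclusion in the CA policy is working and the MFA requirement is coming from outside Conditional Access.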