MFA Enforced for O365 Global admins - Trusted IPs bypass not working for Azure MFA Server on-premises


We have Azure MFA Server on-premises and have enforced MFA for all global admins (federated and cloud users). Now we would like to enable Trusted IPs to bypass MFA for some IP ranges, so we configured the Trusted IPs in the cloud. It looks like the Trusted IPs bypass is not working for Azure MFA Server users (federated users who use Azure MFA on-premises). However, it works for cloud users who use Azure MFA online. Is there any solution to get this working for both federated and cloud users? We evaluated Conditional Access policy, but enforcing MFA meets the requirement, as we would like to ensure the admins use approved clients and PowerShell modules, with no app passwords, to connect to O365 services.

Thanks.

2 Replies

Trusted IPs only apply to Azure MFA, not the MFA Server. There's a similar option in the MFA Server settings on-premises, but it only applies to the User portal, afaik. You can easily configure bypass via the AD FS claim rules though, or simply enforce MFA only when the request is coming from the WAP server (externally).
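The AD FS route the reply describes, as an added example that is not part of the original thread or of any Microsoft script: an additional authentication rule on the Office 365 relying party that demands MFA (served by the on-premises MFA Server adapter) only for requests that arrive through the Web Application Proxy, and skips it when the client address in the request-context claims falls inside an approved egress range. The relying party name, the adapter name "WindowsAzureMultiFactorAuthentication" and the two /24 ranges (203.0.113.0/24 and 198.51.100.0/24, documentation ranges) are assumptions to be replaced with your own values. Because AD FS evaluates `=~` with the same .NET regex engine PowerShell's `-match` uses, the script checks the pattern against constructed sample claim values before it touches AD FS.

```powershell
# Added example (not from the thread). Run on an AD FS 2012 R2+ server as an AD FS admin.
# Assumed values: relying party name, MFA Server adapter name, and the egress ranges.
$rpName         = 'Microsoft Office 365 Identity Platform'          # assumed RP display name
$mfaAdapterName = 'WindowsAzureMultiFactorAuthentication'            # assumed MFA Server adapter name
# Approved egress ranges (documentation addresses as placeholders). Anchored at ^ so
# "1203.0.113.5" never matches; \b after the last octet stops "203.0.1130.5" and lets
# a comma-separated claim value match on its first address only.
$trustedIpRegex = '^(203\.0\.113|198\.51\.100)\.\d{1,3}\b'

function Test-TrustedIpPattern {
    param([Parameter(Mandatory)][string]$Pattern)
    # Constructed sample claim values (not real traffic) => should the bypass apply?
    $samples = @{
        '203.0.113.45'           = $true
        '198.51.100.7'           = $true
        '203.0.113.45, 10.0.0.9' = $true    # multi-address value, trusted address first
        '1203.0.113.45'          = $false   # longer first octet must not match
        '203.0.1130.45'          = $false   # longer third octet must not match
        '192.0.2.10'             = $false   # unrelated range
        '10.0.0.9, 203.0.113.45' = $false   # trusted address not first: no bypass
    }
    foreach ($entry in $samples.GetEnumerator()) {
        $actual = [bool]($entry.Key -match $Pattern)
        if ($actual -ne $entry.Value) {
            throw "Pattern mismatch for '$($entry.Key)': got $actual, expected $($entry.Value)"
        }
    }
    return $true
}

function New-ExtranetMfaRule {
    param([Parameter(Mandatory)][string]$TrustedIpPattern)
    # Claim rule language. x-ms-proxy is present only when the request came via WAP;
    # x-ms-client-ip is the connecting client (as forwarded by WAP); x-ms-forwarded-client-ip
    # carries the original client address for requests relayed by Exchange Online
    # (legacy/basic auth from Outlook or PowerShell). Either one in a trusted range skips MFA.
    $template = @'
@RuleName = "Require MFA for extranet requests unless the client is in a trusted egress range"
EXISTS([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
 && NOT EXISTS([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-ip", Value =~ "TRUSTED_IP_REGEX"])
 && NOT EXISTS([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value =~ "TRUSTED_IP_REGEX"])
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@
    return $template.Replace('TRUSTED_IP_REGEX', $TrustedIpPattern)
}

function Set-O365MfaBypassRules {
    param(
        [Parameter(Mandatory)][string]$RelyingParty,
        [Parameter(Mandatory)][string]$AdapterName,
        [Parameter(Mandatory)][string]$Rules
    )
    Import-Module ADFS
    # Make the MFA Server adapter the provider that satisfies the "multipleauthn" requirement.
    Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider $AdapterName
    # Scope the rule to the Office 365 RP rather than the global policy so other RPs are untouched.
    Set-AdfsRelyingPartyTrust -TargetName $RelyingParty -AdditionalAuthenticationRules $Rules
    # Read back what AD FS stored so a typo in the rule text is caught immediately.
    return (Get-AdfsRelyingPartyTrust -Name $RelyingParty).AdditionalAuthenticationRules
}

# Validate the pattern offline first; a wrong regex here silently widens the bypass.
Test-TrustedIpPattern -Pattern $trustedIpRegex | Out-Null
$rule = New-ExtranetMfaRule -TrustedIpPattern $trustedIpRegex
Set-O365MfaBypassRules -RelyingParty $rpName -AdapterName $mfaAdapterName -Rules $rule
```

Two caveats worth keeping in mind. Requests that reach AD FS from inside the corporate network carry no x-ms-proxy claim, so under this rule they never prompt for MFA at all, which is exactly the "MFA only from the WAP" option the reply mentions; if that is too broad, drop the x-ms-proxy condition and keep only the two IP checks. And because the rule is per relying party, it covers every user federating to Office 365, not just global admins; to limit it to the admin group, add a `c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "<admin group SID>"]` condition in front of the `=> issue(...)` (the SID is yours to fill in).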