MFA using Conditional Access VS Additional cloud-based MFA settings

%3CLINGO-SUB%20id%3D%22lingo-sub-1407647%22%20slang%3D%22en-US%22%3EMFA%20using%20Conditional%20Access%20VS%20Additional%20cloud-based%20MFA%20settings%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1407647%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20current%20have%20some%20IP%20Address%20Range%20exception%20and%2014%20days%20browser%20saving%20enabled%20in%20the%20%22Additional%20cloud-based%20MDA%20Settings%22%20will%20these%20setting%20work%20in%20combination%20with%20Conditional%20Access%20Policy%3F%20or%20will%20a%20CA%20Policy%20take%20precedence%20over%20these%20settings%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAlan%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1407647%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20AD%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1407702%22%20slang%3D%22en-US%22%3ERe%3A%20MFA%20using%20Conditional%20Access%20VS%20Additional%20cloud-based%20MFA%20settings%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1407702%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F91180%22%20target%3D%22_blank%22%3E%40Alan%20Burchill%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHi%2C%20the%20Conditional%20Access%20portal%20allows%20you%20to%20browse%20to%20the%20Configure%20MFA%20trusted%20IP's%20as%20shown%20below%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Screenshot%202020-05-21%20at%2008.06.18.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F193482i6745BC042DFD324E%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22Screenshot%202020-05-21%20at%2008.06.18.png%22%20alt%3D%22Screenshot%202020-05-21%20at%2008.06.18.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESelecting%20this%20takes%20you%20to%20the%20MFA%20service%20settings%20shown%20below.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Screenshot%202020-05-21%20at%2008.10.20.png%22%20style%3D%22width%3A%20638px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F193483iF91D4F5133C8D71D%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22Screenshot%202020-05-21%20at%2008.10.20.png%22%20alt%3D%22Screenshot%202020-05-21%20at%2008.10.20.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESo%20you%20should%20have%20no%20issue%20with%20this.%20%26nbsp%3BConditional%20Access%20policies%20to%20enforce%20MFA%20will%20take%20effect%20even%20if%20the%20user%20has%20not%20been%20set%20to%20enabled%20for%20MFA%2C%20which%20is%20what%20CA%20is%20all%20about%20and%20how%20you%20want%20it%20to%20work.%20%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20verification%20options%20and%20remember%20MFA%20options%20that%20you%20set%20should%20work%20just%20fine%20in%20conjunction%20with%20CA%20though.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1407708%22%20slang%3D%22en-US%22%3ERe%3A%20MFA%20using%20Conditional%20Access%20VS%20Additional%20cloud-based%20MFA%20settings%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1407708%22%20slang%3D%22en-US%22%3E%3CP%3EIf%20you%20want%20the%20IP%20range%20exclusion%20to%20take%20effect%2C%20you%20need%20to%20add%20%22all%20trusted%20locations%22%20condition%20to%20your%20CA%20policy%2C%20or%20at%20least%20the%20%22MFA%20trusted%20IPs%22%20location.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1407740%22%20slang%3D%22en-US%22%3ERe%3A%20MFA%20using%20Conditional%20Access%20VS%20Additional%20cloud-based%20MFA%20settings%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1407740%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F58%22%20target%3D%22_blank%22%3E%40Vasil%20Michev%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAbsolutely%20yes.%20%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F91180%22%20target%3D%22_blank%22%3E%40Alan%20Burchill%3C%2FA%3E%26nbsp%3B-%20this%20can%20be%20set%20within%20the%20CA%20policy%20as%20shown%20below%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Screenshot%202020-05-21%20at%2008.27.53.png%22%20style%3D%22width%3A%20985px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F193486i85F91BA75BE476B8%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22Screenshot%202020-05-21%20at%2008.27.53.png%22%20alt%3D%22Screenshot%202020-05-21%20at%2008.27.53.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1407756%22%20slang%3D%22en-US%22%3ERe%3A%20MFA%20using%20Conditional%20Access%20VS%20Additional%20cloud-based%20MFA%20settings%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1407756%22%20slang%3D%22en-US%22%3EJust%20to%20clarify%2C%20i%20know%20i%20can%20use%20IP%20address%20range%20and%20location%20in%20both...%20But%20if%20i%20have%20an%20IP%20address%20range%20configured...%20Are%20the%20settings%20additve%3F%20Or%20will%20it%20ignore%20the%20MFA%20server%20settings%20if%20a%20CA%20policy%20is%20applied%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1407782%22%20slang%3D%22en-US%22%3ERe%3A%20MFA%20using%20Conditional%20Access%20VS%20Additional%20cloud-based%20MFA%20settings%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1407782%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F91180%22%20target%3D%22_blank%22%3E%40Alan%20Burchill%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAs%20far%20as%20I%20know%2C%20if%20you%20don't%20select%20locations%20options%20within%20the%20policy%2C%20it%20will%20use%20the%20settings%20defined%20in%20the%20standard%20MFA%20settings.%20%26nbsp%3BIf%20you%20define%20locations%20within%20the%20policy%2C%20the%20standard%20settings%20become%20irrelevant.%20%26nbsp%3BThat%20is%20my%20understanding.%20%26nbsp%3BAdmittedly%20though%2C%20I%20have%20never%20tested%20this%20exact%20scenario.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1416205%22%20slang%3D%22en-US%22%3ERe%3A%20MFA%20using%20Conditional%20Access%20VS%20Additional%20cloud-based%20MFA%20settings%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1416205%22%20slang%3D%22en-US%22%3EYes%20these%202%20settings%20are%20additive.%20In%20the%20sense%20that%20most%20restrictive%20setting%20wins.%20If%20both%20allow%2C%20then%20MFA%20not%20needed.%20Hope%20this%20makes%20sense.%3CBR%20%2F%3E%3CBR%20%2F%3EAlso%2C%20basic%20MFA%20setting%20applies%20at%20tenant%20level%2C%20so%20be%20careful%20not%20to%20lock%20yourself%20out%20while%20testing%20it.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1416851%22%20slang%3D%22en-US%22%3ERe%3A%20MFA%20using%20Conditional%20Access%20VS%20Additional%20cloud-based%20MFA%20settings%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1416851%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%2C%20got%20any%20reference%20that%20confirm%20that....%20it%20would%20be%20helpful%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Occasional Contributor

We current have some IP Address Range exception and 14 days browser saving enabled in the "Additional cloud-based MDA Settings" will these setting work in combination with Conditional Access Policy? or will a CA Policy take precedence over these settings?

 

Alan

7 Replies
Highlighted

@Alan Burchill 

 

Hi, the Conditional Access portal allows you to browse to the Configure MFA trusted IP's as shown below;

 

Screenshot 2020-05-21 at 08.06.18.png

 

Selecting this takes you to the MFA service settings shown below.

 

Screenshot 2020-05-21 at 08.10.20.png

 

So you should have no issue with this.  Conditional Access policies to enforce MFA will take effect even if the user has not been set to enabled for MFA, which is what CA is all about and how you want it to work.  

 

The verification options and remember MFA options that you set should work just fine in conjunction with CA though.

Highlighted

If you want the IP range exclusion to take effect, you need to add "all trusted locations" condition to your CA policy, or at least the "MFA trusted IPs" location.

Highlighted

@Vasil Michev 

 

Absolutely yes.  @Alan Burchill - this can be set within the CA policy as shown below;

 

Screenshot 2020-05-21 at 08.27.53.png

Highlighted
Just to clarify, i know i can use IP address range and location in both... But if i have an IP address range configured... Are the settings additve? Or will it ignore the MFA server settings if a CA policy is applied?
Highlighted

@Alan Burchill 

 

As far as I know, if you don't select locations options within the policy, it will use the settings defined in the standard MFA settings.  If you define locations within the policy, the standard settings become irrelevant.  That is my understanding.  Admittedly though, I have never tested this exact scenario.

Highlighted
Yes these 2 settings are additive. In the sense that most restrictive setting wins. If both allow, then MFA not needed. Hope this makes sense.

Also, basic MFA setting applies at tenant level, so be careful not to lock yourself out while testing it.
Highlighted

Thanks, got any reference that confirm that.... it would be helpful