SOLVED

Skip MFA for a single public IP


I want to skip MFA from one of our Remote App servers on our network. I will create a NAT for all inbound and outbound traffic for the Remote App server to use a specific public IP address. I have added the public IP address with /32 subnet in the multi-factor authentication service settings. Do I also need to set up a conditional access policy to bypass anything in this trusted IP section?

1 Reply
Best Response confirmed by MagicMarker (Occasional Contributor)
Solution

Generally you can complete this within the CA policy; it's one of the conditions.

You can either specify a Named Location or just use the MFA Trusted IP list.

Also, would suggest configuring locations.

CA Policy -> Conditions -> Locations -> Configure "Yes" -> Include "Selected Locations"/"Trusted Locations"

Depending on licensing requirements and capabilities, if Azure P1 is accessible, would suggest going down the path of Azure MFA as opposed to the so-called O365 MFA.
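
The Named Location route described in the reply, as an added example that is not part of the original thread: it builds the Microsoft Graph request bodies for a single-host named location and for a Conditional Access policy that requires MFA everywhere except that location, and refuses anything wider than /32 or any private address (the range must be the NAT egress IP). The exclude-based policy layout, the display names, the location id passed to `mfa_policy` and the address `203.0.113.10` are assumptions constructed for illustration.

```python
import ipaddress

# Private/shared ranges that can never be the address Azure AD sees after NAT.
NON_PUBLIC = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16")]


def named_location(display_name, cidr):
    """Body for POST /identity/conditionalAccess/namedLocations (one host only)."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen != 32:
        raise ValueError(f"{cidr}: expected a single IPv4 host (/32)")
    if any(net.subnet_of(n) for n in NON_PUBLIC):
        raise ValueError(f"{cidr}: not a public address; use the NAT egress IP")
    return {
        "@odata.type": "#microsoft.graph.ipNamedLocation",
        "displayName": display_name,
        "isTrusted": True,
        "ipRanges": [{"@odata.type": "#microsoft.graph.iPv4CidrRange",
                      "cidrAddress": str(net)}],
    }


def mfa_policy(location_id):
    """Body for POST /identity/conditionalAccess/policies.

    Assumed layout: MFA for all locations, excluding the named location.
    Report-only state lets the effect be reviewed in sign-in logs first.
    """
    return {
        "displayName": "Require MFA except Remote App egress IP",  # hypothetical
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "locations": {"includeLocations": ["All"],
                          "excludeLocations": [location_id]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def mfa_required(sign_in_ip, location):
    """Local approximation of the location condition for one sign-in IP."""
    ip = ipaddress.ip_address(sign_in_ip)
    return not any(ip in ipaddress.ip_network(r["cidrAddress"])
                   for r in location["ipRanges"])
```
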