SOLVED

ADFS + Cloud MFA

Michael Weber
New Contributor

I'm working with a client that has ADFS and Cloud MFA enabled. We noticed that MFA challenges are only occurring for users going through the WAP and not the ADFS server directly. In other words, if they're on the corporate network or VPN, MFA challenges are bypassed completely. Now access through the WAP I think uses FBA while access from the corporate network uses Windows Integrated Auth. Does anyone know why only off-network users are being challenged by MFA?

2 Replies
Solution

You either have added your internal network as a Trusted location in the Azure MFA admin panel, or are sending the "bypass" claim with requests coming from internal sources. WIA or FBA make no difference here; you can force an MFA challenge for any form of primary authentication.
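
An added audit script (not from this thread or from Microsoft) that checks the ADFS side of the two conditions the answer names. It assumes the "bypass" claim is `insidecorporatenetwork`, which the Azure MFA trusted-IP option "skip MFA for federated users on my intranet" honors when ADFS emits it as true, and it reads only the relying party trusts and authentication rules already configured on the server.

```powershell
# Added example: list which ADFS relying party trusts forward the
# insidecorporatenetwork claim to the cloud, and which ones enforce MFA
# locally. Run in an elevated session on an ADFS server (ADFS module).
# Assumption: the "bypass" claim from the thread is this claim type.
Import-Module ADFS

$insideClaim = 'http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork'
$mfaValue    = 'http://schemas.microsoft.com/claims/multipleauthn'
$insideRegex = [regex]::Escape($insideClaim)

foreach ($rp in Get-AdfsRelyingPartyTrust) {
    $issuance   = [string]$rp.IssuanceTransformRules
    $additional = [string]$rp.AdditionalAuthenticationRules

    # Condition 1: the RP passes insidecorporatenetwork through. Requests that
    # did not arrive via a WAP get the claim = true, so Azure MFA trusted IPs
    # can then skip the challenge for on-network and VPN users.
    $forwardsInside = $issuance -match $insideRegex

    # Condition 2: does the RP force MFA at ADFS regardless of network
    # (an additional authentication rule issuing multipleauthn)?
    $forcesMfa = $additional -match [regex]::Escape($mfaValue)

    [pscustomobject]@{
        RelyingParty            = $rp.Name
        ForwardsInsideCorpClaim = $forwardsInside
        ForcesMfaAtAdfs         = $forcesMfa
        # Show the exact rule lines that emit the claim, for review.
        InsideClaimRules        = (($issuance -split "`r?`n") |
                                   Where-Object { $_ -match $insideRegex }) -join ' | '
    }
}

# Global additional authentication rules apply to every RP; print them too so
# an intranet/extranet split defined here is not missed.
Write-Host "`nGlobal additional authentication rules:"
Get-AdfsAdditionalAuthenticationRule
```

Any RP that shows `ForwardsInsideCorpClaim = True` with `ForcesMfaAtAdfs = False` is one where the cloud-side trusted-IP setting decides whether on-network users are challenged; the fix is either to drop the pass-through rule or to disable the trusted-IP skip in Azure MFA.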

Thanks. IP ranges were tripping me up.