Jun 25 2024 03:49 AM
Hi all,
I have a VM in Azure where I need to allow an account with MFA to bypass the requirement on this specific server when using Office 365. I've tried to achieve this using Conditional Access by excluding locations, specifically the IP range of my Azure environment. Although I’ve disconnected any public IPs from this server, the Conditional Access policy still isn’t working as intended. The issue seems to be that it continues to detect a public IP, which changes frequently, making it impossible to exclude. What am I doing wrong?
Jun 25 2024 11:01 PM
Hi @AB21805,
It sounds like you're experiencing difficulties with configuring Conditional Access policies to allow MFA bypass for an Azure VM due to dynamic public IP detection. Here’s a structured approach to troubleshoot and resolve this issue.
Ensure that your VM is configured correctly with respect to its networking setup.
Consider using Azure Bastion or a private endpoint to securely access your VM without needing a public IP.
If you must use a public IP, consider assigning a static public IP to the VM to ensure consistency for Conditional Access rules.
Step-by-Step Configuration:
Sign in to the Azure portal:
Create a new Conditional Access policy:
Assignments:
Conditions:
Access controls:
Enable Policy:
Save the policy.
To determine the public IP address seen by Office 365 from the VM:
If a dynamic IP is unavoidable, consider:
Defining Named Locations:
Navigate to Azure Active Directory > Security > Conditional Access > Named locations.
Add a new location:
Use this Named Location in your Conditional Access policy as described above.
By following these steps, you should be able to configure Conditional Access policies that effectively bypass MFA requirements for Office 365 on your specific Azure VM. Ensure the VM network setup is correctly configured and consider using static IPs or VPNs for consistency.
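The steps above describe the portal flow for a named location plus a Conditional Access policy. The same configuration in Microsoft Graph PowerShell, as an added example that is not part of the original reply: it creates an IP named location for the VM's fixed egress address, a policy that requires MFA for Office 365 except from that location, and then reads back the sign-in log so you can see which IP address Entra actually evaluated. The CIDR, the account object ID and the display names are placeholders (assumptions), not values from the thread; the policy is created in report-only mode so it can be checked before enforcement.

```powershell
# Added example (not code from the original thread). Requires the Microsoft.Graph
# PowerShell SDK and a Conditional Access administrator role.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Reports

# Policy.ReadWrite.ConditionalAccess covers named locations and policies;
# AuditLog.Read.All is needed to read sign-in logs afterwards.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "AuditLog.Read.All"

$egressCidr       = "203.0.113.10/32"              # ASSUMPTION: the VM's static egress IP (NAT gateway or static PIP)
$serviceAccountId = "<object-id-of-the-account>"   # ASSUMPTION: placeholder, replace with the user's object ID

# 1. Named location covering only the VM's egress address. Keep it as narrow as
#    possible: excluding a whole Azure region range would exempt every VM in that
#    address space, not just yours.
$locationBody = @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Azure VM egress (NAT gateway)"
    isTrusted     = $false
    ipRanges      = @(
        @{
            "@odata.type" = "#microsoft.graph.iPv4CidrRange"
            cidrAddress   = $egressCidr
        }
    )
}
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter $locationBody

# 2. Policy: require MFA for Office 365 for this account from every location
#    except the named one. Report-only first; switch state to "enabled" once the
#    sign-in logs show the expected result.
$policyBody = @{
    displayName = "Require MFA for Office 365 except from VM egress IP"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeUsers = @($serviceAccountId) }
        applications = @{ includeApplications = @("Office365") }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @($location.Id)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $policyBody

# 3. Read back what was created.
Get-MgIdentityConditionalAccessNamedLocation -NamedLocationId $location.Id |
    Format-List DisplayName, Id
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id |
    Select-Object DisplayName, State

# 4. After a test sign-in from the VM, check the IP address Entra evaluated. If it
#    is not inside $egressCidr, the VM is not egressing through the address you
#    think it is (see the NAT discussion in this thread).
Get-MgAuditLogSignIn -Filter "userId eq '$serviceAccountId'" -Top 5 |
    Select-Object CreatedDateTime, AppDisplayName, IpAddress
```

The IpAddress column in step 4 is the only value that matters to the named location: a VM with no public IP and no NAT gateway egresses through Azure default outbound access, whose SNAT address is not guaranteed to stay the same, which is why a /32 exclusion only works once the egress address has been pinned.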
Jun 26 2024 12:24 AM
Hi @DTB
1. Where do I check the NAT for a public IP? The VM itself and the NIC do not have one.
2. I am currently using Bastion; RDP is disabled.
3. I don't want to use a public IP at all, but it keeps flagging up with the Conditional Access. I am unable to use its private static IP for some reason; the Conditional Access policy always favours the public IP.
4. Where do I find the IP range for the Azure region?
5. Yes, this changes all the time with random IPs.
6. Would a VPN stop it using the public IP? Does using the whole range for the Azure environment fix this? Where do I find the range for the whole environment? Is it the virtual network gateway?
Jun 26 2024 12:37 AM
Hi @AB21805,
Let's address each of your points step-by-step to help you resolve the issues with Conditional Access and public IP detection.
To check if there is any NAT (Network Address Translation) affecting your VM, you can:
Since you are using Azure Bastion, which provides secure RDP and SSH access to VMs without exposing public IPs, this setup should not involve public IPs for direct VM access. Ensure no other services or configurations are inadvertently exposing public IPs.
To avoid using public IPs and ensure Conditional Access policies recognize the private static IP:
To find the IP range for your Azure region (e.g., East US):
The dynamic nature of IP addresses for Azure services means they can change frequently. Ensure your configurations are as flexible as possible:
Using a VPN can help ensure that your traffic is routed through a consistent private IP range:
Create a VPN Gateway:
Configure Point-to-Site VPN:
Connect to the VPN:
Define Named Locations:
Update Conditional Access Policy:
By implementing these steps, you should be able to configure your environment to ensure that Conditional Access policies correctly recognize and handle traffic from private IPs, avoiding the issues with dynamic public IPs.
I hope this helps!
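The reply above lists the places to look (NAT, NIC, region ranges) without showing the checks. An added example, not part of the original reply, in Az PowerShell: it walks from the VM to its NIC and subnet to find out whether the outbound address comes from a NIC public IP, a subnet NAT gateway, or Azure default outbound access, and then lists the published address prefixes for the region's service tag. Resource group, VM name and region are placeholders (assumptions).

```powershell
# Added example (not code from the original thread). Requires the Az module
# (Az.Compute, Az.Network) and Reader access to the VM's resources.
Import-Module Az.Compute
Import-Module Az.Network
Connect-AzAccount

$rg     = "rg-example"   # ASSUMPTION: resource group of the VM
$vmName = "vm-example"   # ASSUMPTION: VM name
$region = "uksouth"      # ASSUMPTION: the VM's region, used for the service tag lookup

$vm       = Get-AzVM -ResourceGroupName $rg -Name $vmName
$nic      = Get-AzNetworkInterface -ResourceId $vm.NetworkProfile.NetworkInterfaces[0].Id
$ipConfig = $nic.IpConfigurations[0]
"Private IP on NIC: $($ipConfig.PrivateIpAddress)"

# 1. Instance-level public IP attached to the NIC?
if ($ipConfig.PublicIpAddress) {
    $pip = Get-AzPublicIpAddress -ResourceId $ipConfig.PublicIpAddress.Id
    "NIC public IP: $($pip.IpAddress) (allocation: $($pip.PublicIpAllocationMethod))"
} else {
    "NIC has no public IP"
}

# 2. NAT gateway on the subnet? Its public IP (or prefix) is the fixed egress address.
#    Subnet resource ID layout:
#    /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Network/virtualNetworks/<vnet>/subnets/<subnet>
$parts      = $ipConfig.Subnet.Id -split "/"
$vnetRg     = $parts[4]
$vnetName   = $parts[8]
$subnetName = $parts[10]
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $vnetRg -Name $vnetName
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName

if ($subnet.NatGateway) {
    $nat = Get-AzNatGateway -ResourceId $subnet.NatGateway.Id
    foreach ($p in $nat.PublicIpAddresses) {
        $pip = Get-AzPublicIpAddress -ResourceId $p.Id
        "NAT gateway public IP: $($pip.IpAddress)"
    }
} else {
    "Subnet has no NAT gateway. With no NIC public IP and no load-balancer outbound rule," +
    " the VM uses Azure default outbound access, whose SNAT address is not fixed."
}

# 3. Published address prefixes for the region (the 'Azure region range' asked about).
#    These are large and shared by every customer in the region, so they are a poor
#    basis for an MFA exclusion; they are listed here only to show where they come from.
$tags   = Get-AzNetworkServiceTag -Location $region
$cloud  = $tags.Values | Where-Object { $_.Name -eq "AzureCloud.$region" }
"AzureCloud.$region has $($cloud.Properties.AddressPrefixes.Count) prefixes; first few:"
$cloud.Properties.AddressPrefixes | Select-Object -First 5

# 4. Run this part on the VM itself to see the address the Internet (and Entra) sees.
#    It should match the NAT gateway / NIC public IP found above.
# Invoke-RestMethod -Uri "https://api.ipify.org"
```

If step 2 reports no NAT gateway and step 1 no public IP, the changing address described in the thread is Azure default outbound access. Attaching a NAT gateway (standard SKU, with its own static public IP or prefix) to the subnet gives the VM a deterministic egress address that a named location can match; the NAT gateway is a separate resource from the VPN gateway and does not depend on the VpnGw SKU.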
Jun 26 2024 12:57 AM
Jun 26 2024 02:52 AM
Hi @DTB
If we were to go with a NAT gateway, would this require a higher SKU than what I currently have (VpnGw1)?
If so, what would the cost impact be of a VpnGw2 in comparison? Also, does a NAT Gateway cost much?