MFA and MDM


Looking for advice.

I want to enable MFA for all staff with the condition that they are only prompted for the second authenticator when they are outside of the office. For this to happen, am I right in believing we would need to be on version 2016 of ADFS at the very least? We also want them to be able to choose between the app and SMS / voice. (I've already posted earlier today about the issue of multiple SMS being received when firing up my laptop, Skype, SharePoint, Teams etc.)

I would also like to couple this with MDM, in particular for on-premises AD accounts with non-domain-joined machines. These are external third-party contractors carrying out work on behalf of my company. I want to be able to manage / limit what those machines can access in Azure, but I am struggling to find information on anything that is not domain joined.


Hi,

You can use a Conditional Access policy (https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview) to enable the second factor when outside "Trusted Locations" (https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/untrusted-networks).
If you are using ADFS with Azure MFA (https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfaserver-adfs-2012), trusted locations should work as expected and only apply the factor when connecting from "Unknown Networks".

In regards to restricting non-domain-joined devices from resources in Azure, you can use a Conditional Access policy to only allow "Hybrid Azure AD joined" devices to access the services. When the third-party contractor tries to access the resource with his/her non-domain-joined device, it will be blocked.

Configure hybrid Azure Active Directory join for federated domains: https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-federated-domains

For the multiple SMS issue, change your MFA preference to use the Authenticator app:

http://aka.ms/mfasetup
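The two policies the reply describes (MFA outside trusted locations, and access only from hybrid Azure AD joined or Intune-compliant devices), written out as an added example that is not part of the original thread. It uses the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns module) and assumes an admin account that can consent to Policy.ReadWrite.ConditionalAccess. The office IP range (203.0.113.0/24, a documentation range), the policy names and the emergency-access group ID are placeholders to replace with your own values.

```powershell
# Added example, not from the original post. Requires:
#   Install-Module Microsoft.Graph.Identity.SignIns
# and an admin who can consent to the scopes below.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Object ID of a group holding break-glass / emergency-access accounts.
# Placeholder: every Conditional Access policy below excludes this group so a
# misconfigured policy cannot lock all administrators out of the tenant.
$breakGlassGroupId = "<object id of your emergency-access group>"

# 1. Register the office egress range as a *trusted* named location.
#    203.0.113.0/24 is a placeholder; use your real public egress CIDR(s).
$office = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "HQ office egress"
    isTrusted     = $true
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.0/24" }
    )
}

# 2. Require MFA for all users on all cloud apps, except when the sign-in
#    comes from a trusted location ("AllTrusted" covers every named location
#    flagged isTrusted plus the legacy MFA trusted IPs).
#    Created in report-only mode first: review the sign-in log for a few days
#    before switching state to "enabled".
$mfaPolicy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "Require MFA outside trusted locations"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications = @{ includeApplications = @("All") }
        locations    = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# 3. Only let hybrid Azure AD joined devices ("domainJoinedDevice") or
#    Intune-compliant devices ("compliantDevice") reach cloud apps.
#    A contractor's non-domain-joined, unenrolled laptop satisfies neither
#    control and is blocked; remove "compliantDevice" if you want to admit
#    hybrid-joined corporate machines only.
$devicePolicy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "Require hybrid-joined or compliant device"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice", "domainJoinedDevice") }
}

# Quick check: list the policies just created with their enforcement state.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.Id -in @($mfaPolicy.Id, $devicePolicy.Id) } |
    Select-Object DisplayName, State
```

Two points worth checking before flipping either policy from report-only to enabled: the office range must be the address the tenant actually sees (the NAT or proxy egress, not the internal subnet), otherwise every office user is prompted anyway; and the device policy only admits machines that have completed hybrid Azure AD join (check with `dsregcmd /status` on the client), so roll it out to a pilot group by replacing `includeUsers = @("All")` with `includeGroups` before applying it tenant-wide.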