Azure MFA for specific Office 365 services.

Ruslan Husainov
Established Member

Hello!

Is it possible to enable Azure MFA for particular SharePoint Online site collections? But other Office 365 should not use it. ADFS is in place.

Thanks!

4 Replies
Not yet, but there are some changes that allow us to configure conditional access via MFA: https://blogs.technet.microsoft.com/enterprisemobility/2016/06/23/azuread-conditional-access-for-off...

So maybe in the future we will have this flexibility even on the SC level? :)

Is there any news on forcing externals to use MFA when they will access externally shared sites? Right now the challenge is we cannot enforce MFA on external users and MFA can be enabled only for licensed users.

Azure B2B is in public preview, but I am assuming that this capability will be available as part of Azure B2B GA. So the question is, if it will be, will it then also be applicable when Azure B2B is not used and only the external sharing feature is used?

Azure MFA is an AD Premium feature, so indeed requires a license.

When combined with the link Vishal shared you can activate MFA if logging on to SharePoint.

You can add your company's external IPs as trusted, so they will not require MFA to log in.

All other public IP networks require MFA to log in to SharePoint.

It is also possible, if you have ADFS with the MFA server installed, to configure the Conditional Access for SharePoint, so Azure will notify ADFS that it should have a second factor auth for login.

On the ADFS side you cannot differentiate on the O365 relying party between Exchange, SharePoint or other services, as Microsoft just sends the information that you are trying to log in to "Microsoft Online", so this has to be configured on the Azure side.

With Azure AD you can't control access to a subset of SharePoint, but you can have a unique policy for SharePoint vs Exchange, for example. If you need deeper access controls inside of apps then you would need to look into Cloud App Security. https://www.microsoft.com/en-us/cloud-platform/cloud-app-security
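
The per-service policy the replies describe (MFA for SharePoint Online only, with trusted company IPs exempt), written as an added example that is not part of the original thread. It assumes the Microsoft Graph PowerShell SDK and a tenant whose external IPs are already marked as trusted locations; the display name is hypothetical, and the policy is created in report-only mode so its effect can be reviewed in the sign-in logs before enforcement.

```powershell
# Added example, not from the thread. Requires the Microsoft.Graph.Identity.SignIns module.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

# Well-known application ID of "Office 365 SharePoint Online".
# The policy covers the whole service; as the replies note, it cannot be
# narrowed to individual site collections.
$sharePointOnline = '00000003-0000-0ff1-ce00-000000000000'

$policy = @{
    displayName = 'EXAMPLE - Require MFA for SharePoint Online outside trusted IPs'  # hypothetical name
    state       = 'enabledForReportingButNotEnforced'   # report-only; switch to 'enabled' after review
    conditions  = @{
        users          = @{ includeUsers = @('All') }
        applications   = @{ includeApplications = @($sharePointOnline) }  # Exchange etc. are not in scope
        clientAppTypes = @('all')
        locations      = @{
            includeLocations = @('All')
            excludeLocations = @('AllTrusted')   # locations marked as trusted skip the MFA prompt
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```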