cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

MFA - Exclusive user exempted from using MFA

tcboeira
Brass Contributor

‎Aug 11 2022 11:27 AM - last edited on ‎Feb 10 2023 02:29 PM by

‎Aug 11 2022 11:27 AM - last edited on ‎Feb 10 2023 02:29 PM by

MFA - Exclusive user exempted from using MFA

Hello good afternoon!

First of all, sorry if the language is not clear. I'm using an online translator to help me...

 

Well, I looked like, based a lot on what I saw in official courses but I think my reality puts an obstacle in the situation.

 

In my organization, the use of MFA is indispensable. However, there may be some users who should be excused from use when in the workplace. However, in this same place, there are other users who are not exempt from the use.

 

I used the Conditional Access policies but at some point I get lost. If I nominate the entire network as trusted for MFA, it will dispense with the use for everyone from the same location.

 

In addition, there is a routine that we have, which every day makes the MFA mandatory for all users.

 

Directly: What I want is to create a situation where in a given place a single user is exempted from MFA. And let the rest go on with normal life.

 

Is there any solution for this? Any directions in this direction?

 

Thank you very much for your help on this matter....

957 Views
0 Likes
4 Replies
Reply
4 Replies
Jonathan_Reed

‎Aug 12 2022 10:26 AM

‎Aug 12 2022 10:26 AM

Re: MFA - Exclusive user exempted from using MFA

Greetings,

In Conditional Access, you can set a policy to exclude certain users or groups based on their location.
You may need two policies: a baseline policy enforcing MFA generally across your tenant, and a secondary policy which excludes users based on their location.

0 Likes
Reply
Kidd_Ip

‎Aug 13 2022 08:58 PM

‎Aug 13 2022 08:58 PM

Re: MFA - Exclusive user exempted from using MFA

@tcboeira 

You can make sure more conditions to 'some excused users', say by Computer, Mobile object, user and group

0 Likes
Reply
tcboeira

‎Aug 16 2022 06:54 AM

‎Aug 16 2022 06:54 AM

Re: MFA - Exclusive user exempted from using MFA

Hello friends,
Very Good Morning!!!

Well, really, I confirm that the main action of Conditional Access rules is applied "from" a place "on" users. Even though we are apparently manipulating users.

In this way, I used the idea of ​​Jonathan_Reed as a starting point to build my solution. How I did:

1.1) I even created one, saying that of all users accessing from a location, accessing cloud applications, MFA is required, except those I don't want to use MFA.

1.2) For those who don't want to use MFA, I've disabled this setting;

2) A second rule - of guarantee - that users who don't use it don't use MFA can only log in from a single location.

Carrying out tests was the closest to the desired success with real success. In fact, what was desired was for the MFA to be mandatory without exceptions, but this type of situation always arises in which the direction lacked a firm grip.

E Kidd_Ip, I would really like to be able to mitigate better, for example by determining that he can only use "that" computer, with that Operating System, with a specific version etc etc etc... but I understand - and I could be wrong and feel free to correct me -, in my case we are only Office 365 contractors, which makes me not able to collect this data from users' devices OR even define these.

But I ask: is it possible?
0 Likes
Reply
best response confirmed by tcboeira (Brass Contributor)
Kidd_Ip

‎Aug 17 2022 07:07 AM

‎Aug 17 2022 07:07 AM

Solution

Re: MFA - Exclusive user exempted from using MFA

@tcboeira 

Are you able to access AAD or collect that information from?

0 Likes
Reply