Sep 22 2017
- last edited on
Jan 14 2022
So here is a dilemma we are currently in. We are in the process of rolling out MFA to our user base and have close to 60 locations all with different egress IP's. We want to bypass MFA when the user is connected to the corporate network, but the problem is the 50 IP range limit that is set in the trusted IP's section for MFA configuration. IMO that's pretty low considering how hard MS is pushing people to get MFA enabled. So after some research and discussions I wanted to get someone elses take on this.
Would enabling AD Connect Pass-Through Authentication in our environment mitigate this to where MFA is bypassed since the user is already authenticated? Are there any other alternatives or are we stuck with the trusted IP limit?
Thanks in advanced.
Sep 23 2017 07:55 AM
I assume you're talking about Azure MFA? Then you are indeed a bit limited although the limit has been discussed a lot lately, so I expect Microsoft to address this in the future. Perhaps some announcement will be made at Ignite next week?
Sep 24 2017 12:32 AM
If you have EMS licenses you could do device-based MFA bypass instead of network-based. The idea is that all networks are treated as hostile these days, there is no internal vs external etc.
Treat enrolled/compliant/domain-joined devices as not requiring MFA, and prompt for MFA on non-enrolled/non-compliant/non-domain devices. If you want to enhance that solution further you can add risk-based MFA prompts as well.
Sep 24 2017 08:30 AM
aren't you able to use "Supernetting" (combining multiple networks into a larger network, which is only a representation but does not reflect the physical network)? E.g. combining 10.1.1.x/24, 10.1.2.x/24 and 10.1.3.x/24 to 10.1.1.x/22 (which includes all adresses from 10.1.0.1 to 10.1.3.255)?
This should work and could help your issue if you have "connecting network ranges" in different networks.
Sep 25 2017 06:25 AM
I wish it were that simple. All our egress IP's at the branch locations are different so if I enter a subnet range then I would be potentially adding IP's that we do not own. Thanks for the suggestion though. I do appreciate it.
Nov 17 2017 12:38 PM
I was wondering how to go about creating this MFA bypass by device status. Any help would be appreciated. And do you know if this would circumvent requiring an app password on the native iOS email client on Intune enrolled devices?
Nov 19 2017 09:50 PM
I agree with Carsten. For this scenario, you do need to deploy AD FS. After that you'll have a full control how to authenticate people and you can also bypass Azure MFA if needed.
And I hope you're aware that PTA does not work with Skype for Business clients without password hash sync, which kind of ruins the whole idea of PTA.