Bypass Azure MFA and Azure AD Connect Pass-Through Authentication

Derek Hymel · ‎Sep 22 2017

So here is a dilemma we are currently in. We are in the process of rolling out MFA to our user base and have close to 60 locations all with different egress IP's. We want to bypass MFA when the user is connected to the corporate network, but the problem is the 50 IP range limit that is set in the trusted IP's section for MFA configuration. IMO that's pretty low considering how hard MS is pushing people to get MFA enabled. So after some research and discussions I wanted to get someone elses take on this.

Would enabling AD Connect Pass-Through Authentication in our environment mitigate this to where MFA is bypassed since the user is already authenticated? Are there any other alternatives or are we stuck with the trusted IP limit?

Thanks in advanced.

Vasil Michev · ‎Sep 23 2017

I assume you're talking about Azure MFA? Then you are indeed a bit limited although the limit has been discussed a lot lately, so I expect Microsoft to address this in the future. Perhaps some announcement will be made at Ignite next week?

Paul Cunningham · ‎Sep 24 2017

If you have EMS licenses you could do device-based MFA bypass instead of network-based. The idea is that all networks are treated as hostile these days, there is no internal vs external etc.

Treat enrolled/compliant/domain-joined devices as not requiring MFA, and prompt for MFA on non-enrolled/non-compliant/non-domain devices. If you want to enhance that solution further you can add risk-based MFA prompts as well.

Ulf B. Simon-Weidner · ‎Sep 24 2017

Hi Derek,

aren't you able to use "Supernetting" (combining multiple networks into a larger network, which is only a representation but does not reflect the physical network)? E.g. combining 10.1.1.x/24, 10.1.2.x/24 and 10.1.3.x/24 to 10.1.1.x/22 (which includes all adresses from 10.1.0.1 to 10.1.3.255)?

This should work and could help your issue if you have "connecting network ranges" in different networks.

Br, Ulf

Derek Hymel · ‎Sep 25 2017

Hi Ulf,

I wish it were that simple. All our egress IP's at the branch locations are different so if I enter a subnet range then I would be potentially adding IP's that we do not own. Thanks for the suggestion though. I do appreciate it.

Carsten Due · ‎Nov 16 2017

This does not require ADFS then?

Daniel Park · ‎Nov 17 2017

Hi Paul,

I was wondering how to go about creating this MFA bypass by device status. Any help would be appreciated. And do you know if this would circumvent requiring an app password on the native iOS email client on Intune enrolled devices?

Nestori Syynimaa · ‎Nov 19 2017

I agree with Carsten. For this scenario, you do need to deploy AD FS. After that you'll have a full control how to authenticate people and you can also bypass Azure MFA if needed.

And I hope you're aware that PTA does not work with Skype for Business clients without password hash sync, which kind of ruins the whole idea of PTA.

Bypass Azure MFA and Azure AD Connect Pass-Through Authentication

Bypass Azure MFA and Azure AD Connect Pass-Through Authentication

Re: Bypass Azure MFA and Azure AD Connect Pass-Through Authentication

Re: Bypass Azure MFA and Azure AD Connect Pass-Through Authentication

Re: Bypass Azure MFA and Azure AD Connect Pass-Through Authentication

Re: Bypass Azure MFA and Azure AD Connect Pass-Through Authentication

Re: Bypass Azure MFA and Azure AD Connect Pass-Through Authentication

Re: Bypass Azure MFA and Azure AD Connect Pass-Through Authentication

Re: Bypass Azure MFA and Azure AD Connect Pass-Through Authentication

Products (50)

Special Topics (27)

Video Hub (462)

Most Active Hubs

Most Active Hubs

Video Hub

Bypass Azure MFA and Azure AD Connect Pass-Through Authentication