Forum Discussion
Azure Active Directory and ADFS support for location-based MFA?
Ueli Zimmermann wrote: Thanks Rishabh,
So basically, what would you recommend if I actually don't want to depend too much on ADFS and ADFS claim rules but would rather use native Conditional Access with Azure MFA? I still have ADFS in place, as we are not able to remove it right away (maybe in the future I would like to go PTA and Seamless SSO), but that can take a while.
I still need the following covered:
1. Only use MFA if it is outside of Corpnet
2. Only use MFA for SharePoint Online SaaS and for nothing else
3. Only use if connected via browser (not for the OneDrive fat client or whatsoever)
BTW: This is basically because we want to roll out this package just for SharePoint collaboration right now and not for anything else. Later we will probably go with Hybrid AD Join and Intune, and for that step I am then able to use device-based Conditional Access, which makes it even easier.
But again, regarding the above 3 requirements, what would you suggest? Is this possible without ADFS claims, or do we still need the ADFS claims? And do I then need ADFS to connect to an MFA provider like Azure MFA, or can I use the claim rules without using ADFS-driven MFA and just use Azure MFA without configuration inside ADFS?
Hope this is stated clearly for you; otherwise ask me anytime.
Cheers
Ueli
Hello Ueli,
As per your requirements:
1. Only use MFA if it is outside of Corpnet
- For this feature you have to add the IP address ranges of your enterprise in the MFA trusted IPs option.
2. Only use MFA for SharePoint Online SaaS and for nothing else.
- I am not sure if there is a way in which we can implement a policy for SharePoint that doesn't impact OneDrive. This is something you can check by creating a test policy.
For SaaS applications added to your tenant, yes, you can implement MFA, and application-specific at that.
3. Only use if connected via browser (not for the OneDrive fat client or whatsoever)
While creating the Conditional Access policy you get an option where you can use the application type.
Regards,
Rishabh
Hi Rishabh,
After a while of troubleshooting I finally found the issue.
If I choose Exclude "All trusted locations", the rule does not seem to work.
If I choose Exclude "Selected locations" and use MFA Trusted IPs, for example, the Conditional Access rule works without any further need to configure anything in ADFS, like you said.
Has anybody had the same situation/issue?
Cheers
Ueli
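The three requirements as one Conditional Access policy, written as an added example (not code from this thread, from Microsoft, or from the ADFS/Azure MFA configuration): the policy dict follows the shape of the Microsoft Graph Conditional Access API, with the trusted-IP exclusion expressed as an explicit named location rather than "All trusted locations", the variant Ueli reported working, and a small evaluator then shows which sign-ins the policy catches. Assumptions: the SharePoint Online application id is the well-known one, the named-location id is a placeholder to be taken from the tenant, and the 203.0.113.0/24 range and the sample sign-ins are constructed.

```python
import ipaddress

SHAREPOINT_ONLINE_APP_ID = "00000003-0000-0ff1-ce00-000000000000"  # well-known SharePoint Online app id
MFA_TRUSTED_IPS_LOCATION_ID = "<mfa-trusted-ips-named-location-id>"  # placeholder: take the real id from the tenant
# Constructed named-location table (documentation address range, not a real corpnet).
NAMED_LOCATIONS = {MFA_TRUSTED_IPS_LOCATION_ID: ["203.0.113.0/24"]}

def build_policy():
    """Policy in the shape the Microsoft Graph Conditional Access API uses."""
    return {
        "displayName": "MFA - SharePoint Online - browser - outside corpnet",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": [SHAREPOINT_ONLINE_APP_ID]},  # requirement 2
            "clientAppTypes": ["browser"],  # requirement 3: sync/desktop clients never match
            "locations": {  # requirement 1: everywhere except the explicit trusted-IP location
                "includeLocations": ["All"],
                "excludeLocations": [MFA_TRUSTED_IPS_LOCATION_ID],
            },
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }

def locations_for(ip):
    """Ids of the named locations whose ranges contain the source address."""
    addr = ipaddress.ip_address(ip)
    return {loc for loc, nets in NAMED_LOCATIONS.items()
            if any(addr in ipaddress.ip_network(net) for net in nets)}

def mfa_required(policy, sign_in):
    """Evaluate one sign-in (dict with app_id, client_app_type, ip) against the policy.
    True only when every condition matches and the grant control is MFA."""
    if policy["state"] != "enabled":
        return False
    cond = policy["conditions"]
    if sign_in["app_id"] not in cond["applications"]["includeApplications"]:
        return False
    if sign_in["client_app_type"] not in cond["clientAppTypes"]:
        return False
    loc, hits = cond["locations"], locations_for(sign_in["ip"])
    included = "All" in loc["includeLocations"] or bool(hits & set(loc["includeLocations"]))
    excluded = bool(hits & set(loc["excludeLocations"]))  # trusted IP -> policy does not apply
    return included and not excluded and "mfa" in policy["grantControls"]["builtInControls"]
```

Whether a browser session to OneDrive for Business (which signs in to the SharePoint Online resource) is also caught is exactly the point Rishabh suggests verifying with a test policy; the evaluator above treats it the same as any other SharePoint Online sign-in.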