InsideCorporateNetwork claim + Microsoft Authenticator + network change = broken authentication?

Iron Contributor

We are testing utilizing Conditional Access policies to recognize the InsideCorporateNetwork claim by configuring the 'Skip multi-factor authentication for requests from federated users on my intranet' MFA setting. 


We currently do not use Microsoft Authenticator and require that users be on-net to authentication (inside the bricks, VPN etc), however we are finding that when users have Microsoft Authenticator on their mobile device and their account gets added to Authenticator after logging in to a Microsoft App on the device, when they change networks, Authenticator goes into a loop and users lose access to their apps.  Jumping back on the network where the original authentication occurred seems to fix the problem.  Is there any configurable way around this?

1 Reply
If Azure MFA, for your cloud based MFA settings, what options are checked under "verification options"? Also, within AAD under Security --> Authentication Methods, for method "Microsoft Authenticator", is Enabled set to No or Yes?