
Is it good (or best) practice to exclude your office IP address from MFA requirements?


Should the office IP address allow users to sign in without requiring MFA, or is it better to always require MFA and keep the session active for, e.g., 7 days?

4 Replies
best response confirmed by Kiril (Steel Contributor)
Solution
I think you should always require MFA, even if coming from your IP. If you do MFA right, you shouldn't be bothered by MFA authentication requests very often. The default is a rolling 90-day window, so as long as you're active more often than that, you shouldn't need to MFA often.
It depends on a case-by-case basis. From a zero-trust standpoint you would always enforce MFA, but if the user is logging in from an office location, the assumption I make is that they have crossed all the necessary security gates to reach or connect to the office network, e.g.:
1. showed some office ID to security, used the office ID to gain access inside the building, the workstation has a username and password to log in, Wi-Fi access needs credentials, so in those cases I would exclude them from MFA, as I assume some checks have been done.
But keep in mind you must always enforce it if the user is accessing your guest Wi-Fi, especially visitors.
The above are my thoughts, for you to make a better decision, as there is no straightforward answer.
Please "Accept as Answer" if it helped so it can help others in community looking for help on similar topics.

Adopting the Zero trust security model seems like the most rational way (Zero Trust security in Azure | Microsoft Learn). 
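As an added example (not code from the thread or from Microsoft), here are the two options discussed above expressed as Conditional Access policies built with the Microsoft Graph PowerShell SDK: option A, the accepted answer's "always require MFA" with the 7-day sign-in frequency the question mentions, and option B, the second reply's "MFA everywhere except the office egress IP" using a trusted named location. The policy names, the office CIDR (a TEST-NET-3 placeholder) and the break-glass account object ID are assumptions; both policies are created in report-only state so you can review sign-in logs before enforcing.

```powershell
# Added example (not from the thread): two Conditional Access policies built with the
# Microsoft Graph PowerShell SDK, one for each option discussed in the replies.
# Assumptions: the Microsoft.Graph module is installed; the office CIDR, the
# named-location name and the break-glass account object ID are placeholders.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder object ID of the emergency-access (break-glass) account that is
# excluded from every policy so a misconfiguration cannot lock out all admins.
$breakGlass = @("00000000-0000-0000-0000-000000000000")

# Option A (accepted answer): MFA for all users on all apps, no location exclusion.
# The 7-day sign-in frequency matches the question's suggestion so users are
# not prompted on every sign-in.
$alwaysMfa = @{
    displayName = "CA-Require-MFA-All-Users"
    state       = "enabledForReportingButNotEnforced"   # report-only; switch to "enabled" after review
    conditions  = @{
        users = @{
            includeUsers = @("All")
            excludeUsers = $breakGlass
        }
        applications = @{
            includeApplications = @("All")
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
    sessionControls = @{
        signInFrequency = @{
            isEnabled = $true
            type      = "days"
            value     = 7
        }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $alwaysMfa

# Option B (second reply): the office egress range is a trusted named location
# and is excluded from the MFA requirement. Guest Wi-Fi must NOT egress through
# this range, otherwise visitors inherit the exclusion.
$officeLocation = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Office-HQ"                 # placeholder name
    isTrusted     = $true
    ipRanges      = @(
        @{
            "@odata.type" = "#microsoft.graph.iPv4CidrRange"
            cidrAddress   = "203.0.113.0/29"    # placeholder office egress range (TEST-NET-3)
        }
    )
}

$mfaExceptOffice = @{
    displayName = "CA-Require-MFA-Except-Office"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = @("All")
            excludeUsers = $breakGlass
        }
        applications = @{
            includeApplications = @("All")
        }
        locations = @{
            includeLocations = @("All")
            excludeLocations = @($officeLocation.Id)   # or "AllTrusted" to exclude every trusted location
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $mfaExceptOffice

# Verify what was created; the State column shows whether each policy is still report-only.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.DisplayName -like "CA-Require-MFA-*" } |
    Select-Object DisplayName, State, Id
```

Only one of the two policies should be switched to `enabled`: Conditional Access applies every matching policy, so if both are enforced the office exclusion in option B has no effect, because option A still requires MFA from that location. Leaving them in report-only mode first lets you confirm in the sign-in logs which users and locations each policy would have affected before it blocks anyone.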
