MFA with Conditional Access Deployment Feedback


Looking for feedback on implementation of MFA with conditional access in Azure. Do you find that you have pushback from management with MFA, or do you potentially start out with untrusted networks first and gradually expand to internal? Have you found any drawbacks or disadvantages with this approach? Do some companies think untrusted networks is good enough and MFA is not needed on trusted networks? Would just like to understand how other admins/companies have implemented. Thanks

1 Reply

@takers365 I've been asked by a number of customers to use this approach to ease the deployment. Identify public IP ranges and add these to trusted locations and require MFA for every auth not coming from these IP ranges.

One of the drawbacks with this approach is that IP-spoofing allows for further password spray, brute force, etc.

However, with this in mind, I think it's a good place to start your security maturity journey.
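
The approach described in the reply above (a trusted named location plus a policy requiring MFA for every sign-in from outside it), sketched with the Microsoft Graph PowerShell SDK. This is an added example, not part of the original thread; the display names and CIDR ranges are constructed placeholders, and the policy is created in report-only state so its effect can be reviewed before it is enforced.

```powershell
# Requires the Microsoft.Graph.Identity.SignIns module.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'

# Step 1: register the organization's public egress ranges as a trusted named location.
# The ranges below are documentation-only placeholders (constructed); substitute your own.
$locationBody = @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'Corporate egress IPs (example)'
    isTrusted     = $true
    ipRanges      = @(
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = '203.0.113.0/24' }
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = '198.51.100.0/24' }
    )
}
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter $locationBody

# Step 2: require MFA for all users and all apps from any location
# except the trusted one created above.
$policyBody = @{
    displayName   = 'Require MFA outside trusted locations (example)'
    # Report-only: the policy is evaluated and logged but not enforced.
    # Change to 'enabled' once the sign-in logs show the expected results.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeUsers = @('All') }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
        locations      = @{
            includeLocations = @('All')
            excludeLocations = @($location.Id)
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policyBody
```

Under this policy, sign-ins from the listed ranges are still single-factor, so the list should contain only egress addresses the organization controls.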