
Only prompt for O365 MFA when on external network (E1 users)


We have about 1000 E1 users that are using O365 MFA. We don't want them to receive MFA prompts when in office, only when on an external network. This can be done by the trusted IPs section in the O365 portal but it is limited to 50 IP ranges (why 50?). We have over 300 address ranges that we want to add. Is there a way to do this without giving the users EMS E3 licenses and using conditional access?

1 Reply
Hello @Ravindra Mathura!

Sadly no, the limit of 50 trusted IP ranges for the MFA part is not possible to work around. 

Conditional Access with named locations is the way to go.

With Named locations you can use:

  • One named location with up to 1200 IP ranges.
  • A maximum of 90 named locations with one IP range assigned to each of them.

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition#named-...

Since you have 300 IP ranges, you will need Conditional Access with Named Locations.

Kind Regards
Oliwer Sjöberg
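
As an added example (not part of the reply above), this sketch prepares the request body for one trusted IP named location from a long list of office ranges, using the Microsoft Graph `ipNamedLocation` resource. The function name, display name and sample ranges are assumptions; the 1200-range ceiling is the figure quoted in the reply, and the result would be sent to `POST /identity/conditionalAccess/namedLocations`.

```python
import ipaddress

MAX_RANGES_PER_LOCATION = 1200  # per-location limit quoted in the reply

# RFC 1918 space never matches: the service only sees the public egress address.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample input (documentation ranges), including entries that
# must be merged or rejected before upload.
CONSTRUCTED_RANGES = [
    "198.51.100.0/25", "198.51.100.128/25",  # adjacent halves -> one /24
    "203.0.113.0/24", "203.0.113.0/24",      # duplicate
    "192.168.10.0/24",                       # internal addressing, rejected
    "203.0.113.5/24",                        # host bits set, rejected
    "2001:db8:10::/48",
]

def build_named_location(display_name, cidrs, max_ranges=MAX_RANGES_PER_LOCATION):
    """Return (payload, rejected) for a trusted Graph ipNamedLocation."""
    nets, rejected = [], []
    for raw in cidrs:
        try:
            # strict=True refuses typos such as 203.0.113.5/24 instead of
            # silently widening them to the enclosing network.
            net = ipaddress.ip_network(raw.strip(), strict=True)
        except ValueError as exc:
            rejected.append((raw, str(exc)))
            continue
        if net.version == 4 and any(net.subnet_of(p) for p in RFC1918):
            rejected.append((raw, "RFC 1918 range, not a public egress address"))
            continue
        nets.append(net)
    # Merge duplicates, overlaps and adjacent blocks so the count is honest.
    merged = []
    for version in (4, 6):
        merged += ipaddress.collapse_addresses([n for n in nets if n.version == version])
    if len(merged) > max_ranges:
        raise ValueError(f"{len(merged)} ranges exceed the limit of {max_ranges}")
    kinds = {4: "#microsoft.graph.iPv4CidrRange", 6: "#microsoft.graph.iPv6CidrRange"}
    payload = {
        "@odata.type": "#microsoft.graph.ipNamedLocation",
        "displayName": display_name,
        "isTrusted": True,  # lets a Conditional Access policy exclude trusted locations
        "ipRanges": [{"@odata.type": kinds[n.version], "cidrAddress": str(n)}
                     for n in merged],
    }
    return payload, rejected
```

Every range marked trusted is a network from which a password alone is enough, so review the `rejected` list and keep the ranges as narrow as the real egress addresses allow.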