What is the recommendation about security measures for logging in from different IP addresses?

Hi all,

I have a question about MFA. When the managed devices travel to a different location, should we prompt for MFA? What is the best practice these days? I know it varies at different organizations and also depends on how much risk organizations are willing to take. Just wanted to know general practices to cover two types of traveling: 1. travel between home and office; 2. travel to unusual places (e.g. on vacation, attending a conference or on a business trip, etc.). To avoid MFA fatigue, we would like scenario 1 not to have an MFA prompt, while for scenario 2 we would like to have MFA to ensure the legit usage of managed devices. Is this doable via Conditional Access control?

To add a little bit of complexity, we use DUO MFA and understand that using custom control won't support certain features. To avoid MFA fatigue, we are told to disable Continuous Access Evaluation in the CA policy to support scenario 1. Is there any security concern if we disable CAE? Or is there any method by which we can avoid MFA fatigue but still have MFA control? Any feedback/suggestions will be greatly appreciated. Thank you!

Sally


@C Lee The best practice is to create a Conditional Access policy to block all countries from accessing your cloud apps and exclude only your local country where your employees are located. In case you have some employees who are traveling outside the country, you can simply exclude the public IP where they are relocating or the country location where they are. Also, in the conditions you can decide to allow access if the user is connected from an Azure AD or Hybrid AD joined device.

The conditional access policy is not enabled by default; it is a setting that you can force within the CA policy in case you need your users to be evaluated and enforced in near real time.

Key benefits

  • User termination or password change/reset: User session revocation is enforced in near real time.
  • Network location change: Conditional Access location policies are enforced in near real time.
  • Token export to a machine outside of a trusted network can be prevented with Conditional Access location policies.
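To make the layering in this answer concrete, here is an added Python model of how a geo-block policy, a trusted-location exclusion, a managed-device condition and a sign-in frequency window combine for the two travel scenarios in the question. It is not code from the thread, Duo or Microsoft, and Entra's real evaluation engine is not this simple; the IP ranges, country codes, user names and the 24-hour window are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample tenant data for this example only (TEST-NET ranges, not a real office).
TRUSTED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]  # office egress = named trusted location
HOME_COUNTRY = "US"                                         # the one country not geo-blocked
TRAVEL_EXCEPTIONS = {"alice": {"DE"}}                       # per-user countries approved for a trip
SIGN_IN_FREQUENCY_HOURS = 24                                # CA sign-in frequency (assumed value)


@dataclass
class SignIn:
    user: str
    ip: str
    country: str            # country the IP geolocates to (stand-in for the real feed)
    device_joined: bool     # Entra/Hybrid joined managed device
    hours_since_mfa: float  # age of the last satisfied MFA claim for this session


def is_trusted_ip(ip: str) -> bool:
    """True when the sign-in comes from a named trusted location."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_RANGES)


def evaluate(s: SignIn) -> str:
    """Return 'block', 'allow' or 'mfa' for one sign-in.

    Order matters: a block policy wins over any grant, trusted locations are
    excluded from the MFA policy, and a managed device inside the home country
    is only re-prompted once the sign-in frequency window has expired.
    """
    # Policy 1: block all countries except the home country, unless the user has an approved trip.
    allowed_abroad = TRAVEL_EXCEPTIONS.get(s.user, set())
    if s.country != HOME_COUNTRY and s.country not in allowed_abroad:
        return "block"
    # Policy 2: the trusted office location is excluded from the MFA policy entirely.
    if is_trusted_ip(s.ip):
        return "allow"
    # Scenario 1: home <-> office on a managed device within the window: no fresh prompt,
    # so users are not trained to approve prompts reflexively (the MFA-fatigue concern).
    if s.device_joined and s.country == HOME_COUNTRY and s.hours_since_mfa < SIGN_IN_FREQUENCY_HOURS:
        return "allow"
    # Scenario 2: unusual country, unmanaged device, or stale MFA claim: prompt.
    return "mfa"
```

Changing the window or the trusted ranges shows directly which sign-ins gain or lose a prompt, which is the trade-off the question is about.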

Thank you, eliekarkafy, for your feedback. As you suggested, we have trusted locations configured and block all countries except the one we are located in. But with DUO MFA as the custom control, it prompts all the time even though users don't require it. It's all due to one of our CA policies (all apps for all users at all locations except trusted ones require DUO MFA). There is nothing wrong with it except that the extra MFA prompts cause MFA fatigue. These extra prompts are what our security team is more concerned about than devices changing location, so it is willing not to prompt for location changes. This concept is different from what I have learned about security practices, so I just wanted to get some suggestions from the community.

Thanks again for your information. Appreciate it!

Sally

best response confirmed by C Lee (Brass Contributor)
Solution

@C Lee I suggest you check again with the DUO team, as I remember there are some tweaks to perform from the Duo portal to prevent such behavior. I used to implement Duo with MFA a long time ago; we added the sign-in frequency from the CA side and defined some similar settings from the DUO side as well. Hope this will help.

Wow, that's really helpful! We will check with DUO and see if they can offer some help. Really appreciate your sharing experiences with us. Thank you once again!!!!