
MFA IP whitelist not working after enabling Conditional Access policy

Oletho
Occasional Contributor

A new requirement for CSP partners is enabling Conditional Access policies "Baseline policy: Require MFA for admins" and "Baseline policy: End user protection".

We already have MFA enabled/enforced for all end users and admins, with an IP whitelist for the main office and SOHO. That worked fine.

But after enabling those CA policies our IP whitelist stopped working. End users at the office are asked for MFA, and our O365 backup running with global admin credentials can no longer log in.

I tried to create our main office public IP as a trusted location, but no luck.

As a quick fix I disabled the policies while digging into this.

Can anybody explain why this is happening?

1 Reply

bugs bugs bugs...

We had a similar issue more than half a year ago and no solution was provided.. :)

Probably it's quite complex, because the problem is somewhere between Azure AD and Intune/MDM and SharePoint integration.. sometimes already enrolled devices are asked to enroll when they already are enrolled..

If you get a solution - let us know too :)
