MFA IP whitelist not working after enabling Conditional Access policy

A new requirement for CSP partners is enabling conditional access policies "Baseline policy: Require MFA for admins" and "Baseline policy: End user protection".
We already have MFA enabled/enforced for all end users and admins, with IP whitelist for main office and soho. That worked fine.
But after enabling those CA policies our IP whitelist stopped working. End users at the office are asked for MFA, and our O365 backup running with global admin credentials can no longer log in.

I tried to create our main office public IP as a trusted location, but no luck.
As a quick fix I disabled the policies while digging into this.

Can anybody explain why this is happening?

1 Reply

bugs bugs bugs...
We had a similar issue more than half a year ago and no solution was provided. :)

Probably it's quite complex, because the problem is somewhere between Azure AD and Intune/MDM and SharePoint integration. Sometimes already enrolled devices are asked to enroll when they are already enrolled.

If you get a solution - let us know too :)