Forum Discussion
MFA Azure and Office Admin Portal
1. MFA only when users access Azure Admin Portal
2. MFA only when users access Office 365 Admin Portal
3. The same users must not go through MFA on other apps/services like Outlook, Teams, etc.
4. Also, what can I do in the situation when the MFA service is not available? I prefer using CA (Conditional Access) for this, as the same admin who is supposed to do MFA while logging on to any one of these Admin Portals; however, in case the MFA service has an issue or is not available for some reason, how or what configuration can I keep in place beforehand and do minimal to quickly avoid the MFA prompt?
- Rhys Williams (Iron Contributor)
I believe this is what you want:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/app-based-mfa
- Himanshu Singh (Iron Contributor)
No, that doesn't work as shown. I did a simple test: configured a policy, selected a user, said require MFA for all cloud apps but excluded two, Exchange Online and Teams, and kept getting prompted for MFA on those two every time.
- Rhys Williams (Iron Contributor)
Can you try using the "What if" function on your conditional access policy, experiment with some different scenarios and report back? It may be that your policy is overlapping with some apps, causing it to MFA where it shouldn't.
You cannot target specific O365 portals/endpoints with CA policies, best you can do is target the Azure ones as detailed here: https://docs.microsoft.com/en-us/azure/role-based-access-control/conditional-access-azure-management
As for a "bypass" option, I prefer using "known IPs"/"trusted locations": https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition#trusted-ips
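The overlap that the "What if" suggestion above is meant to surface, as an added example that is not part of any forum post: every enforced Conditional Access policy that applies to a sign-in must be satisfied, so an app exclusion in one policy does not stop a second, broader policy from demanding MFA. The policy names, the user `admin1` and the app ID placeholders are constructed, and the model is simplified to users and applications only (no groups, roles or locations).

```python
# Added example: policy dicts use a subset of the Microsoft Graph
# conditionalAccessPolicy shape; user and app IDs are constructed placeholders.
EXO, TEAMS, AZURE_MGMT = "<exchange-online-id>", "<teams-id>", "<azure-mgmt-id>"

def policy(name, state, users, include_apps, exclude_apps=()):
    """Build one constructed sample policy whose grant control is MFA."""
    return {
        "displayName": name,
        "state": state,
        "conditions": {
            "users": {"includeUsers": list(users), "excludeUsers": []},
            "applications": {"includeApplications": list(include_apps),
                             "excludeApplications": list(exclude_apps)},
        },
        "grantControls": {"builtInControls": ["mfa"]},
    }

POLICIES = [  # constructed sample tenant
    policy("Admins: MFA, all apps except EXO/Teams", "enabled",
           ["admin1"], ["All"], [EXO, TEAMS]),
    policy("Everyone: MFA, all apps", "enabled", ["All"], ["All"]),
    policy("Report-only: MFA, Azure management",
           "enabledForReportingButNotEnforced", ["All"], [AZURE_MGMT]),
]

def in_scope(scope, include_key, exclude_key, value):
    """Exclusions win over inclusions; 'All' includes everything."""
    if value in scope.get(exclude_key, []):
        return False
    included = scope.get(include_key, [])
    return "All" in included or value in included

def applies(p, user, app):
    """True when an enforced (not report-only) policy covers this sign-in."""
    cond = p["conditions"]
    return (p["state"] == "enabled"
            and in_scope(cond["users"], "includeUsers", "excludeUsers", user)
            and in_scope(cond["applications"], "includeApplications",
                         "excludeApplications", app))

def mfa_sources(policies, user, app):
    """Names of every applicable policy that demands MFA."""
    return [p["displayName"] for p in policies
            if applies(p, user, app)
            and "mfa" in p["grantControls"]["builtInControls"]]

if __name__ == "__main__":
    for app in (EXO, TEAMS, AZURE_MGMT):
        print(app, "->", mfa_sources(POLICIES, "admin1", app) or "no MFA")
```

With the broad "Everyone" policy present, Exchange Online and Teams still report an MFA source for `admin1`; with only the first policy, they report none.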
- Himanshu Singh (Iron Contributor)
So if it is clear that it is not possible to configure Azure MFA for Admin Portals only,
how would you recommend using trusted IPs for devices behind a cloud-based proxy?