Forum Discussion
AllanWith
Jul 03, 2019 Iron Contributor
Require MFA for AAD Hybrid joined devices
We are planning a rollout of 2000 new Windows 10 devices to the entire organization on a new domain as part of a merger and accompanying org name change. We have an on-prem environment with DCs th...
headburgh
Jul 04, 2019 Iron Contributor
AllanWith Hi, in order to address the issues you describe you need to identify your public IPs and add those in the "Trusted locations" tab. Then all other clients coming from an IP not in the list will be prompted for MFA.
However, CA will not block your account. So the credentials could still be leaked, although no access will be granted.
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/untrusted-networks
If your organization is using a VPN such as Direct Access or Always-On VPN, you're in another kind of tight spot given that the IP will always originate from your external IP.
Hope this helps
/Viktor
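Added example (not code from the thread or from Microsoft): a small offline model of the "trusted locations" pattern described above, showing which sign-ins the MFA policy catches and the VPN caveat. The named-location and policy dictionaries only loosely follow the Microsoft Graph conditional-access shapes, the IP ranges are constructed documentation addresses, and the evaluation logic is an assumption for illustration, not Entra's real engine.

```python
# Simplified model: Conditional Access policy requiring MFA everywhere
# except from trusted named locations. Shapes loosely follow Graph's
# namedLocation / conditionalAccessPolicy objects (assumption, simplified).
from ipaddress import ip_address, ip_network

# Constructed named locations: the org's public egress ranges, marked trusted.
NAMED_LOCATIONS = [
    {"displayName": "HQ egress", "isTrusted": True,
     "ipRanges": ["203.0.113.0/24"]},         # TEST-NET-3, constructed
    {"displayName": "Branch egress", "isTrusted": True,
     "ipRanges": ["198.51.100.8/29"]},        # TEST-NET-2, constructed
]

# Constructed policy: all users, all locations, excluding trusted ones.
POLICY = {
    "displayName": "Require MFA outside trusted locations",
    "state": "enabled",
    "conditions": {
        "locations": {"includeLocations": ["All"],
                      "excludeLocations": ["AllTrusted"]},
    },
    "grantControls": {"builtInControls": ["mfa"]},
}

def is_trusted_ip(ip: str, locations=NAMED_LOCATIONS) -> bool:
    """True if the sign-in source IP falls inside any trusted named location."""
    addr = ip_address(ip)
    return any(addr in ip_network(cidr)
               for loc in locations if loc["isTrusted"]
               for cidr in loc["ipRanges"])

def requires_mfa(sign_in_ip: str, policy=POLICY) -> bool:
    """Return True if the policy's MFA grant control applies to this sign-in."""
    if policy["state"] != "enabled":
        return False
    locs = policy["conditions"]["locations"]
    excluded = "AllTrusted" in locs["excludeLocations"] and is_trusted_ip(sign_in_ip)
    in_scope = "All" in locs["includeLocations"] and not excluded
    return in_scope and "mfa" in policy["grantControls"]["builtInControls"]

if __name__ == "__main__":
    # Office user egressing from HQ: trusted, no MFA prompt
    print(requires_mfa("203.0.113.25"))   # False
    # Home user on a residential IP: MFA prompt
    print(requires_mfa("192.0.2.77"))     # True
    # Always-On VPN user: traffic leaves via the HQ IP, so the trusted
    # location masks the real origin and no MFA is prompted (the caveat above)
    print(requires_mfa("203.0.113.9"))    # False
```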
AllanWith
Jul 08, 2019 Iron Contributor
Hello Viktor - We have already added our own outgoing IP as a trusted network.
My question is whether an AAD joined device will prompt for MFA when I open up a browser and attempt to access an Office 365 service. As far as I can understand from Vasil's response, they won't be challenged for MFA if the device is AAD joined and has a valid PRT.