Azure MFA and Location-based Conditional Access Policy - WFH and WFO

Taranjeet Malik 441 Reputation points
2021-10-27T23:50:19.467+00:00

Hi Community

We’re implementing an Azure Virtual Desktop (AVD) solution for a specific business unit (contact center), which is a highly regulated environment. The agents in the contact center can work from the office and are allowed (sometimes) to work from home as well. While in the office, they’re not allowed to carry mobile devices inside the premises, for security and compliance reasons.

The contact center process is outsourced, so the end-user devices that the agents will use to access AVD are not managed by our organization. The agents are located in two specific geographical regions. Because the agents have access to PI data, Azure Multi-factor Authentication will be enabled as one of the protective measures on their identity. Now, because the agents are not allowed to carry mobile devices inside the office premises, we planned to use a Conditional Access Policy to not ask for second-factor authentication when the request to access AVD originates from an office (trusted / named) location. However, we also wish to prevent agent logins from any location other than trusted ones (which will be the public IP address ranges of the office) – even if agents are working from home, they first need to log in to the VPN, and the AVD access request in this case originates from a trusted location.

The problem here is to be able to distinguish between when the user is working from home and when working from office – we want to only enforce MFA when they’re working from home and not when they’re in office. Is this something achievable using Azure MFA and Conditional Access Policies?

If not, any other solution / suggestion please?

Thanks
Taranjeet Singh


4 answers

  1. AmanpreetSingh-MSFT 56,311 Reputation points
    2021-10-28T06:37:58.473+00:00

    Hi @Taranjeet Malik • Thank you for reaching out.

    This can be done by creating a Named Location with the public IP Addresses and/or Subnets that represent your office network over the internet and marking the Named Location as Trusted. For this purpose, you need to navigate to:

    Azure Active Directory > Security > Named Locations > +IP Ranges locations > Create & Mark the location as trusted, as highlighted below:

    [screenshot: 144368-image.png]

    Once you have the Named location in place, you can create a conditional access policy to require MFA. In the policy, include all locations but exclude the Named location created in previous step or choose to exclude All trusted locations, as shown below:

    [screenshot: 144423-image.png]

    With this configuration, users will be prompted to do MFA if they access the protected cloud applications from any location except when they are inside the office.

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


  2. Taranjeet Malik 441 Reputation points
    2021-10-29T00:31:09.357+00:00

    Hi @AmanpreetSingh-MSFT

    Thanks for the detailed response. However, it seems like I was not able to express the requirement clearly earlier. This is what we want:

    1. Only allow user access to AVD when they log in from trusted / named location(s) - this includes regular office subnets and VPN subnets. This effectively means no access from any unknown location (Internet).
    2. Within the trusted locations (regular office network and VPN), enforce MFA only when the users are trying to log in from VPN subnets (i.e., the work-from-home scenario - though this is essentially the corporate network). This is because when working from the office, users are not allowed to carry mobile devices in.

    Is there a way to enforce MFA on some subset of trusted / named locations?

    Thanks
    Taranjeet Singh


  3. Jamie Sabbatella 646 Reputation points
    2021-11-06T21:51:20.637+00:00

    Hi @Taranjeet Malik

    You can achieve this, but only if the public IP of the office is different from the public IP of the VPN. (Not sure which VPN you are using, so this might be possible with your provider.)

    If that is the case you could have:

    • One block all policy - to block the internet traffic
    • MFA policy - Enforce all, exclude office IP

    Kind regards,

    Jamie Sabbatella

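The two-policy design from the answer above (one block-all policy excluding all trusted locations, one MFA policy excluding only the office), modelled as an added example so the combined outcome per sign-in source can be checked; this is not code from the thread or from Microsoft, and the IP ranges are constructed sample values.

```python
import ipaddress

# Constructed sample values (not from the thread): office egress ranges and a
# separate VPN egress range, which the design requires to be distinct.
NAMED_LOCATIONS = {
    "Office": {"ranges": ["203.0.113.0/24"], "trusted": True},
    "VPN":    {"ranges": ["198.51.100.0/24"], "trusted": True},
}

# Two Conditional Access policies, reduced to include/exclude location sets
# and a grant control. "AllTrusted" stands for the portal's
# "All trusted locations" exclusion option.
POLICIES = [
    {"name": "Block sign-ins outside trusted locations",
     "exclude": ["AllTrusted"], "grant": "block"},
    {"name": "Require MFA everywhere except the office",
     "exclude": ["Office"], "grant": "mfa"},
]

def in_location(ip, name):
    """True if ip falls inside the named location (or any trusted one)."""
    addr = ipaddress.ip_address(ip)
    if name == "AllTrusted":
        return any(in_location(ip, n) for n, loc in NAMED_LOCATIONS.items()
                   if loc["trusted"])
    return any(addr in ipaddress.ip_network(r)
               for r in NAMED_LOCATIONS[name]["ranges"])

def evaluate(ip):
    """Combined decision for a sign-in from ip: every policy whose
    conditions match applies, and a block outranks any grant."""
    outcomes = {p["grant"] for p in POLICIES
                if not any(in_location(ip, loc) for loc in p["exclude"])}
    if "block" in outcomes:
        return "block"
    return "allow_mfa" if "mfa" in outcomes else "allow"

def vpn_office_overlap():
    """The design only distinguishes home from office if the VPN egress
    ranges do not overlap the office ranges; returns any overlapping pairs."""
    office = [ipaddress.ip_network(r) for r in NAMED_LOCATIONS["Office"]["ranges"]]
    vpn = [ipaddress.ip_network(r) for r in NAMED_LOCATIONS["VPN"]["ranges"]]
    return [(str(v), str(o)) for v in vpn for o in office if v.overlaps(o)]
```

Run `evaluate()` against the office, VPN and an unknown source address to see the three outcomes; `vpn_office_overlap()` flags the case Jamie warns about, where a shared public IP makes home and office sign-ins indistinguishable.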

  4. Taranjeet Malik 441 Reputation points
    2021-11-11T22:16:56.37+00:00

    Thanks @Jamie Sabbatella. This sounds like a possible solution. Will test and update back.
