Azure MFA IP Whitelisting

Luke Williams
2020-04-21T22:55:36.513+00:00

Some of my applications in Azure authenticate to my Azure AD using user accounts, and they are being caught by my conditional access policy, which enforces MFA because they are off-prem.

I was wondering whether it would be best practice to assign the resource in Azure a public IP and then add that to the MFA trusted IPs, so that when the application attempts to authenticate from that IP it is not caught by the MFA policy.

I have a few questions:

1) Is the public IP address assigned to a resource consistent, i.e. can you confirm that the IP never changes and is solely allocated to that resource? Also, that it is not behind a proxy which also serves other tenants?

2) Is this the best way around the solution and most secure?

3) Would app passwords be a better solution?

I'd appreciate any help, thank you!


1 answer

AmanpreetSingh-MSFT
2020-04-22T20:21:45.937+00:00

@Luke Williams I would suggest excluding those applications from the CA policy that is triggering MFA based on location, and creating another policy for those applications if you want to restrict access on the basis of some other conditions. IP addresses of the resources can be changed at any point in time, so whitelisting IP addresses is not a good idea.

-----------------------------------------------------------------------------------------------------------

Please "Accept as answer" wherever the information provided helps you to help others in the community.
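The two-policy arrangement the answer describes, expressed as Microsoft Graph `conditionalAccessPolicy` request bodies, with a small evaluator that shows which sign-ins each policy would catch. This is an added example, not code from the thread or from Microsoft: the application IDs and the named-location ID are constructed placeholders, the evaluator is a simplified model of Conditional Access that only handles the conditions used here, and both policies are created in report-only state so they can be reviewed before enforcement.

```python
"""Added example: Graph conditional access bodies for 'exclude the service
apps from the location-based MFA policy, and give them their own policy'.
All IDs below are constructed placeholders, not real tenant values."""
import json

# Constructed placeholder object IDs (assumption: these would be the real
# service principal / application IDs and a named location in the tenant).
SERVICE_APP_IDS = ["00000000-0000-0000-0000-00000000aaaa",
                   "00000000-0000-0000-0000-00000000bbbb"]
AZURE_VNET_LOCATION_ID = "11111111-1111-1111-1111-111111111111"


def mfa_off_prem_policy(excluded_app_ids):
    """Policy 1: require MFA from any untrusted location, but leave the
    service applications out of scope (Graph v1.0 conditionalAccessPolicy)."""
    return {
        "displayName": "Require MFA off-prem (service apps excluded)",
        "state": "enabledForReportingButNotEnforced",  # report-only first
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {
                "includeApplications": ["All"],
                "excludeApplications": list(excluded_app_ids),
            },
            "locations": {
                "includeLocations": ["All"],
                "excludeLocations": ["AllTrusted"],
            },
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def service_app_policy(app_ids, allowed_location_id):
    """Policy 2: the excluded apps get their own rule. Here: block them
    unless the sign-in comes from one named location (a different condition,
    as the answer suggests, rather than an MFA trusted-IP bypass)."""
    return {
        "displayName": "Service apps: block outside approved location",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": list(app_ids)},
            "locations": {
                "includeLocations": ["All"],
                "excludeLocations": [allowed_location_id],
            },
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def policy_applies(policy, app_id, location_ids):
    """Simplified evaluation: the app must be included and not excluded, and
    the sign-in location must be included and not excluded. location_ids is
    the set of location tags the sign-in matches ('AllTrusted', a named
    location ID, ...); an empty set means 'untrusted, no named location'."""
    apps = policy["conditions"]["applications"]
    locs = policy["conditions"]["locations"]
    app_in = "All" in apps["includeApplications"] or app_id in apps["includeApplications"]
    app_out = app_id in apps.get("excludeApplications", [])
    loc_in = "All" in locs["includeLocations"] or bool(set(location_ids) & set(locs["includeLocations"]))
    loc_out = bool(set(location_ids) & set(locs["excludeLocations"]))
    return app_in and not app_out and loc_in and not loc_out


def controls_for(policies, app_id, location_ids):
    """Sorted union of grant controls the sign-in would hit across policies."""
    result = set()
    for policy in policies:
        if policy_applies(policy, app_id, location_ids):
            result.update(policy["grantControls"]["builtInControls"])
    return sorted(result)


def graph_request_body(policy):
    """JSON body for POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    policies = [mfa_off_prem_policy(SERVICE_APP_IDS),
                service_app_policy(SERVICE_APP_IDS, AZURE_VNET_LOCATION_ID)]
    for p in policies:
        print(graph_request_body(p))
    # Service app from the approved location: no control; from elsewhere: block.
    print(controls_for(policies, SERVICE_APP_IDS[0], {AZURE_VNET_LOCATION_ID}))
    print(controls_for(policies, SERVICE_APP_IDS[0], set()))
    # Ordinary app: MFA off-prem, nothing from a trusted location.
    print(controls_for(policies, "some-other-app", set()))
    print(controls_for(policies, "some-other-app", {"AllTrusted"}))
```

Keeping both policies in report-only state and checking the sign-in logs (or the Conditional Access "What If" tool) before switching to `enabled` confirms the service accounts land in the intended policy and nothing else lost its MFA requirement.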