LukeWilliams asked

Azure MFA IP Whitelisting

Some of my applications in Azure are authenticating to my Azure AD using user accounts, and they are being caught by my conditional access policy, which is enforcing MFA due to being off-prem.

I was wondering, would it be best practice to assign the resource in Azure a public IP and then add that to the MFA trusted IPs? Then, when the application attempts to authenticate from that IP, it is not caught by the MFA policy.

I have a few questions:

1) Is the public IP address assigned to a resource consistent, i.e. can you confirm that the IP never changes and is solely allocated to that resource? Also, that it is not behind a proxy which also serves other tenants?

2) Is this the best way around the solution and most secure?

3) Would app passwords be a better solution?

I'd appreciate any help, thank you!

azure-active-directory, azure-ad-multi-factor-authentication

1 Answer

amanpreetsingh-msft answered

@LukeWilliams I would suggest excluding those applications from the CA policy which is triggering MFA based on location, and creating another policy for those applications if you want to restrict access on the basis of some other conditions. IP addresses of the resources can be changed at any point in time, so whitelisting IP addresses is not a good idea.


Please "Accept as answer" wherever the information provided helps you to help others in the community.

@LukeWilliams, have you had a chance to test this out?
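
An added example, not part of the original thread and not Microsoft tooling: a check over exported conditional access policies that flags any application excluded from an MFA policy without another enabled policy targeting it, which is the gap the answer's "create another policy" step closes. The policy names, the placeholder application ID and the choice of `compliantDevice` as the replacement control are assumptions; the field names follow the Microsoft Graph `conditionalAccessPolicy` shape.

```python
# Added example. Policies are constructed samples in the Microsoft Graph
# conditionalAccessPolicy shape; only the fields this check reads are present.
APP_ID = "00000000-0000-0000-0000-00000000a001"  # placeholder application ID

MFA_POLICY = {
    "displayName": "Require MFA off-prem",
    "state": "enabled",
    "conditions": {
        "applications": {"includeApplications": ["All"],
                         "excludeApplications": [APP_ID]},
        "locations": {"includeLocations": ["All"],
                      "excludeLocations": ["AllTrusted"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}
APP_POLICY = {  # the "another policy" for the excluded application
    "displayName": "Service apps: require compliant device",
    "state": "enabled",
    "conditions": {"applications": {"includeApplications": [APP_ID],
                                    "excludeApplications": []}},
    "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
}

def targets(policy, app_id):
    """True if the policy's application condition applies to app_id."""
    apps = policy["conditions"]["applications"]
    include = apps.get("includeApplications", [])
    exclude = apps.get("excludeApplications", [])
    return ("All" in include or app_id in include) and app_id not in exclude

def uncovered_exclusions(policies):
    """Return (policy name, app ID) for apps excluded from an enabled MFA
    policy that no other enabled policy targets."""
    enabled = [p for p in policies if p.get("state") == "enabled"]
    findings = []
    for policy in enabled:
        controls = (policy.get("grantControls") or {}).get("builtInControls", [])
        if "mfa" not in controls:
            continue
        for app_id in policy["conditions"]["applications"].get("excludeApplications", []):
            if not any(targets(q, app_id) for q in enabled if q is not policy):
                findings.append((policy["displayName"], app_id))
    return findings

if __name__ == "__main__":
    print(uncovered_exclusions([MFA_POLICY]))              # exclusion with no replacement
    print(uncovered_exclusions([MFA_POLICY, APP_POLICY]))  # exclusion is covered
```

The check only looks at application targeting; user, location and platform conditions on the replacement policy still need a manual review.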