
0 Votes
JohnD-1224 asked MarshallC-0163 edited

Office 365 MFA disable external access if not enforced

So there are three MFA settings: Disabled, Enabled and Enforced. With Enabled set, the user can authenticate using only name and password, at which point they have to enroll in the MFA process.

We have a 100% requirement that all users have MFA enabled. Unfortunately some of them don't complete this process because they never check email outside the company.

Is there a setting that lets me disable authentication for ALL users that have Disabled or Enabled set for MFA, UNLESS the request comes from an IP that is on the trusted IP list? This would ensure that no authentication requests are accepted from OUTSIDE the corporate network for users that do not have MFA enforced, meaning they have completed the enrollment process.

Thanks
John

azure-ad-multi-factor-authentication

1 Vote
michev answered

Set it to Enforced if you want them to go over the registration policy. Or better yet, toggle Security defaults on.


1 Vote
JohnD-1224 answered dario-1612 commented

Unfortunately, that does not answer my question at all.

Enabled or Enforced still allows authentication until the registration process has been completed. Therefore the users that are using Outlook inside the trusted IP network are never prompted for, or required to complete, the registration process. This means that a would-be hacker can still authenticate from outside the network without having to enter MFA, because the MFA process has not been completed. In fact, if he gained access, he could complete the MFA process using his own cell or whatever.

Toggle Security defaults on? That sounds intriguing, but I have no idea what security defaults you are referring to.

I would think this would be a common sense flag that could be set.

Disable access for any user that does not have MFA registration complete unless coming from a trusted IP. That's what I would like to do. How does one accomplish that?

Thanks
John

· 1

Hi John,

I just had the exact same question. "I would think this would be a common sense flag that could be set"

Any luck figuring it out?

Thanks
Dario

0 Votes 0 ·
0 Votes
JohnD-1224 answered

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates

"The user is enrolled per-user in Azure AD Multi-Factor Authentication. If the user hasn't yet registered authentication methods, they receive a prompt to register the next time they sign in using modern authentication (such as via a web browser). Users who complete registration while in the Enabled state are automatically moved to the Enforced state."


0 Votes
HimanshuAhuja-6670 answered

What about a Conditional Access policy to grant access only if MFA is enforced?
As per my understanding, you should be able to create a policy with a check mark for "Require multi-factor authentication".

You can also add conditions of trusted locations at the same time.
From what I have witnessed, this makes sure any user will be granted access only when MFA is enforced. (Yes, I know Enforced is not the same as Enabled :) )

Please let me know if this helps or not, I am testing a few things and if I come across something else, will surely update here.


0 Votes
JohnD-1224 answered HimanshuAhuja-6670 edited

I actually just found something similar and was getting ready to post.

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-registration

I have this set up but it's not working yet. I'm hoping it's just a matter of it not having replicated yet.

Essentially, after creating locations, you can force MFA for all non-trusted locations and then add a second policy that requires MFA registration from a trusted location. Again, it's not working yet, but the framework appears to be there to support this.

Thanks
John

· 1

I am glad we were on the same page. Please let me know if it works out so we can mark this post as resolved/answered. Have a great day ahead.

0 Votes 0 ·
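The two-policy design discussed in the answers above (require MFA for every sign-in from outside trusted named locations, and allow the "Register security information" user action only from trusted locations), expressed as Microsoft Graph Conditional Access policy bodies. This is an added example, not code from the thread or from the linked Microsoft docs; it assumes a named location already marked as trusted exists, the break-glass account id is a placeholder, and a Graph bearer token with Policy.ReadWrite.ConditionalAccess is supplied via the GRAPH_TOKEN environment variable.

```python
"""Constructed example: two Conditional Access policies that close the gap
where a user in the Enabled (not yet registered) state can sign in from the
internet with only a password and then register MFA methods themselves."""
import json
import os
import urllib.request

GRAPH_CA_URL = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
# Placeholder objectId of an emergency-access account excluded from both policies
# so a misconfigured trusted location cannot lock every admin out.
BREAK_GLASS = "00000000-0000-0000-0000-000000000000"
# Start in report-only mode; switch to "enabled" after reviewing sign-in logs.
INITIAL_STATE = "enabledForReportingButNotEnforced"


def mfa_outside_trusted_policy(exclude_users=(BREAK_GLASS,)) -> dict:
    """Policy 1: any sign-in to any app from a non-trusted location needs MFA."""
    return {
        "displayName": "CA01: Require MFA outside trusted locations",
        "state": INITIAL_STATE,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(exclude_users)},
            "applications": {"includeApplications": ["All"]},
            # "AllTrusted" is the Graph keyword for every named location marked trusted.
            "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def block_registration_outside_trusted_policy(exclude_users=(BREAK_GLASS,)) -> dict:
    """Policy 2: the security-info registration user action is blocked unless the
    request comes from a trusted location, so a stolen password alone cannot be
    used from outside to complete MFA enrollment."""
    return {
        "displayName": "CA02: Block MFA registration outside trusted locations",
        "state": INITIAL_STATE,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(exclude_users)},
            "applications": {"includeUserActions": ["urn:user:registersecurityinfo"]},
            "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def create_policy(policy: dict, token: str) -> dict:
    """POST one policy body to Graph and return the created object."""
    req = urllib.request.Request(
        GRAPH_CA_URL, data=json.dumps(policy).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for policy in (mfa_outside_trusted_policy(), block_registration_outside_trusted_policy()):
        print(json.dumps(policy, indent=2))
        if os.environ.get("GRAPH_TOKEN"):  # only deploy when a token is provided
            print(create_policy(policy, os.environ["GRAPH_TOKEN"])["id"])
```

Policy 1 alone would still let an unregistered user outside the network be sent to the registration page after a password-only sign-in; Policy 2 is what stops that, and both should be validated in report-only mode before enforcement.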
1 Vote
JohnD-1224 answered MarshallC-0163 edited

Will do. I have a ticket open with our Azure escalation support partner to see if they can help me figure out why it's not applying.

Thanks
John

· 2

Hi John, did you get this to work okay? Thanks

0 Votes 0 ·

Yeah, any word on this yet? I'm looking for a solution as to why members of our org can access Outlook and OneDrive without being prompted for MFA, or having a mobility license, or being in an "Enabled" or "Enforced" state in MFA.

0 Votes 0 ·