DickYe-9338 asked sikumars answered

Does skipping Azure MFA for intranet need ADFS?

We would like to disable MFA on our local subnet and we want to keep external MFA going.

Both the Trusted IPs feature of Azure Multi-Factor Authentication and the locations exclude ip_ranges setting in conditional access are not working.

Does this need ADFS first?

Thanks.

azure-ad-authentication

1 Answer

sikumars answered

Hello @DickYe-9338,

Thanks for reaching out.

Yes, this should need federation (ADFS) in place, because ADFS issues the insidecorporatenetwork claim to Azure MDA for users who access from the intranet.

Assuming that AD FS is configured correctly, let’s discuss the scenarios below:

The domain is federated using AD FS, and there is a conditional access policy to require MFA from any location except MFA trusted IPs as below; the “Skip MFA for Requests From Federated users on my intranet” option is also enabled.

In this scenario, MFA will be skipped for internal users and will be triggered for external users, because AD FS will send the “insidecorporatenetwork” claim to Azure to determine whether the request is internal or external. For example, if the request came from the internal network, we can see that AD FS issued the insidecorporatenetwork claim with value “True”, which means that the request came from the internal network and will not trigger MFA, based on the option we selected before to skip MFA for internal requests.


It's worth referring to this article, and I hope this helps.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
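A troubleshooting check for the claim described in the answer above, added here as an example and not part of the original answer or of any Microsoft tooling: it reads a captured, already-decoded token and reports whether the insidecorporatenetwork claim is present and true. The function names, the sample tokens and the assumption that the "skip MFA for federated intranet users" option is enabled are illustrative; both SAML 1.1 and SAML 2.0 attribute layouts are handled.

```python
import xml.etree.ElementTree as ET

CLAIM_NS = "http://schemas.microsoft.com/ws/2012/01"
CLAIM_NAME = "insidecorporatenetwork"
SAML11 = "{urn:oasis:names:tc:SAML:1.0:assertion}"
SAML20 = "{urn:oasis:names:tc:SAML:2.0:assertion}"

def inside_corpnet_values(token_xml):
    """Return the claim's values (lowercased), or None when the claim is absent.
    Troubleshooting aid only: the token signature is NOT verified here."""
    if "<!DOCTYPE" in token_xml.upper():
        raise ValueError("DTDs are not expected in a SAML token")
    found = None
    for el in ET.fromstring(token_xml).iter():
        if el.tag == SAML11 + "Attribute":
            # SAML 1.1 splits the claim type into namespace + name
            hit = (el.get("AttributeNamespace") == CLAIM_NS
                   and el.get("AttributeName") == CLAIM_NAME)
        elif el.tag == SAML20 + "Attribute":
            # SAML 2.0 carries the full claim type URI in Name
            hit = el.get("Name") == CLAIM_NS + "/" + CLAIM_NAME
        else:
            continue
        if hit:
            found = (found or []) + [(v.text or "").strip().lower()
                                     for v in el if v.tag.endswith("}AttributeValue")]
    return found

def mfa_skip_expected(token_xml):
    """Assumes the 'skip MFA for federated intranet users' option is enabled:
    True only when the claim is present and every value is 'true'."""
    vals = inside_corpnet_values(token_xml)
    return bool(vals) and all(v == "true" for v in vals)

# Constructed, trimmed sample tokens (not captured from a real tenant).
_SAML11_DOC = ('<s:Assertion xmlns:s="urn:oasis:names:tc:SAML:1.0:assertion">'
               '<s:AttributeStatement>{}</s:AttributeStatement></s:Assertion>')
INTRANET = _SAML11_DOC.format(
    '<s:Attribute AttributeName="insidecorporatenetwork" '
    'AttributeNamespace="http://schemas.microsoft.com/ws/2012/01">'
    '<s:AttributeValue>True</s:AttributeValue></s:Attribute>')
EXTRANET = _SAML11_DOC.format(
    '<s:Attribute AttributeName="UPN" AttributeNamespace="http://schemas.xmlsoap.org/claims">'
    '<s:AttributeValue>user@example.com</s:AttributeValue></s:Attribute>')
SAML2_FALSE = (
    '<a:Assertion xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion"><a:AttributeStatement>'
    '<a:Attribute Name="http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork">'
    '<a:AttributeValue>false</a:AttributeValue></a:Attribute></a:AttributeStatement></a:Assertion>')
```

If the claim is absent or false for a user who is on the intranet, the token never tells Azure that the request is internal, which matches the symptom in the question.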

