Hello @Dick Ye ,
Thanks for reaching out.
Yes, this should need federation (AD FS) in place, because AD FS issues the insidecorporatenetwork claim to Azure MDA for users who access from the intranet.
Assuming that AD FS is configured correctly, let’s discuss the scenario below:
The domain is federated using AD FS, and there is a Conditional Access policy to require MFA from any location except MFA trusted IPs, as below, with the “Skip MFA for Requests From Federated users on my intranet” option enabled.
In this scenario, MFA will be skipped for internal users and will be triggered for external users, because AD FS will send the “insidecorporatenetwork” claim to Azure to determine whether the request is internal or external. For example, if the request came from the internal network, we can see that AD FS issued the insidecorporatenetwork claim with the value “True”, which means that the request came from the internal network and will not trigger MFA, based on the option we selected before to skip MFA for internal requests.
It's worth referring to this article, and I hope this helps.
------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
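The following is an added example, not part of the original answer and not Microsoft's code: a simplified model of the scenario above that reads the insidecorporatenetwork claim from a token and decides whether MFA would be prompted. The function names, the SAML 2.0-style sample assertion and the IP ranges are constructed assumptions; the claim type URI is the one AD FS uses for this claim.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Claim type AD FS issues to signal an intranet request.
INSIDE_CORP = "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def inside_corporate_network(assertion_xml):
    """Return True only if the claim is present with the single value 'true'."""
    root = ET.fromstring(assertion_xml)
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") == INSIDE_CORP:
            values = [(v.text or "").strip().lower()
                      for v in attr.iterfind("saml:AttributeValue", NS)]
            return values == ["true"]
    return False  # claim absent: treat the request as external

def mfa_required(assertion_xml, client_ip, trusted_ranges, skip_for_intranet=True):
    """Simplified model of the scenario in the answer (hypothetical helper)."""
    ip = ipaddress.ip_address(client_ip)
    # Policy: require MFA from any location except MFA trusted IPs.
    if any(ip in ipaddress.ip_network(r) for r in trusted_ranges):
        return False
    # "Skip MFA for requests from federated users on my intranet" enabled.
    if skip_for_intranet and inside_corporate_network(assertion_xml):
        return False
    return True

def sample_assertion(value):
    """Constructed fragment for illustration; not captured from a real AD FS server."""
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="{INSIDE_CORP}">
      <saml:AttributeValue>{value}</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

TRUSTED = ["198.51.100.0/24"]  # constructed documentation range

if __name__ == "__main__":
    for value, ip in [("true", "203.0.113.10"), ("false", "203.0.113.10"),
                      ("false", "198.51.100.7")]:
        needed = mfa_required(sample_assertion(value), ip, TRUSTED)
        print(f"claim={value} ip={ip} MFA required: {needed}")
```

The model does not validate the token signature, so it is only suitable for reasoning about a token you already trust, such as one taken from your own AD FS test sign-in.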