Bypass MFA for Azure VM which is joined to on-prem AD

MS Techie 2,501 Reputation points
2022-11-21T09:35:57.783+00:00

We have ExpressRoute connectivity from Azure to on-prem.

The Azure Win10 VMs are joined to on-prem AD. These VMs don't show under the Azure Active Directory -- Devices section. (Please note Win10 VMs can be joined either to on-prem AD or Azure AD, but cannot be joined to both.)

Now in my MFA Conditional Access policy, how do I exclude Azure VMs that are joined to on-prem AD? I see options to exclude other VMs which are Azure AD joined, but not this type.

[screenshot: 262591-image.png]

Do I need to register my Win10 VM in Azure AD? If yes, how do I register it? (Remember my Azure VM is domain joined to on-prem AD, and a Win10 VM cannot be joined to both Azure AD and on-prem.)


Accepted answer
  1. Harpreet Singh Matharoo 3,896 Reputation points Microsoft Employee
    2022-11-21T09:51:44.377+00:00

    Hello @MS Techie

    Thank you for reaching out. I would like to confirm that the filter for devices condition in Conditional Access evaluates the policy based on the device attributes of a device registered in Azure AD and uses device authentication to evaluate device filter rules. For a device that is unregistered or not registered with Azure AD, all device properties are considered null values and the device attributes cannot be determined, since the device does not exist in the directory.

    The best way to target policies for unregistered devices is by using the negative operator, since the configured filter rule would then apply. If you were to use a positive operator, the filter rule would only apply when a device exists in the directory and the configured rule matches the attribute on the device. You can check out the Filter for Devices documentation to get more information.

    However, you need to be very careful when creating a negative operator with the device trustType property. In your case, if you create a negative operator as shown in the screenshot, it will not exclude specific devices; it would instead exclude all devices which are not Azure AD joined from MFA. The easiest way I can think of is excluding IPs, if these Azure VMs have static public IPs assigned.

    I hope this helps and resolves your concern.

    ----------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


1 additional answer

  1. Harpreet Singh Matharoo 3,896 Reputation points Microsoft Employee
    2022-11-21T14:25:27.607+00:00

    Hello @MS Techie

    As mentioned in the previous answer, you need to exclude the public IPs assigned to those VMs.

    ----------

    Azure AD uses the client's public IP to determine location and evaluate Conditional Access policies. You can refer to the following documentation for more details:

    ----------

    An alternate method would be to use the Azure AD Register method.

    I see you mentioned that your devices cannot join Azure AD. However, I also see you mentioned that you can perform Azure AD register; if yes, you can review the document on the Azure AD Registered device state and perform a Workplace join for those devices to change the state to Azure AD registered, and exclude that trustType from the Conditional Access policy.

    I hope this adds more clarity and resolves your concern.

    ----------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

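The IP-exclusion approach recommended in both answers, written out as an added example with the Microsoft Graph PowerShell SDK (this is not code from the thread or from Microsoft; the IP addresses, display names and the report-only state are constructed placeholders and assumptions):

```powershell
# Added example (not from the original thread): Microsoft Graph PowerShell SDK.
# Creates an IP named location for the VMs' static public IPs and a report-only
# MFA policy that excludes that location, as the accepted answer recommends.
# IP addresses below are constructed placeholders (RFC 5737 range); replace them
# with the VMs' real static public IPs. Requires: Install-Module Microsoft.Graph

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# 1. Named location holding only the Azure VMs' static public IPs (/32 each).
$vmPublicIps = @("203.0.113.10", "203.0.113.11")   # constructed placeholders
$locationBody = @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Azure VMs (on-prem AD joined) - static public IPs"
    isTrusted     = $false   # excluding a location from a policy does not require it to be trusted
    ipRanges      = @($vmPublicIps | ForEach-Object {
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "$_/32" }
    })
}
$vmLocation = New-MgIdentityConditionalAccessNamedLocation -BodyParameter $locationBody

# 2. MFA policy for all users and apps, excluding sign-ins from that named location.
#    Deliberately NOT using a device filter such as
#        device.trustType -ne "AzureAD"
#    in exclude mode: unregistered devices have null attributes, so that rule
#    would exempt every device that is not Azure AD joined, as the answer warns.
$policyBody = @{
    displayName   = "Require MFA - except on-prem AD joined Azure VMs"
    state         = "enabledForReportingButNotEnforced"   # validate in report-only first
    conditions    = @{
        users        = @{ includeUsers = @("All") }
        applications = @{ includeApplications = @("All") }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @($vmLocation.Id)
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $policyBody
"Created policy $($policy.DisplayName) ($($policy.Id)) excluding location $($vmLocation.Id)"
```

Check the policy's report-only results in the sign-in logs (Conditional Access tab) for a sign-in from one of the VMs before switching `state` to `enabled`.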