Set up a device/IP/Mac address exception for MFA?

Question

Set up a device/IP/Mac address exception for MFA?

Boe Dillard 571

Hello,

I would like MFA enabled for EVERYTHING but I'd like exceptions for scanners and it support to be restricted to a sepcific device. E.g. our scanner mac address will never change and I'd be impressed if someone managed to get on our physical network, scan it for printers, get the mac addres and figure out the email address and then hack the email. I'm not saying that can't be done but that would be a lot of work.

Is there a way to leave it enabled but skip it for a specific mac address or IP or something that is device specific?

I'd love it for my computer - I manage 10 tenants and at the moment have MFA turned on for all of them so I have to get a code for 10 clients each time I flip through admin for each.

Answer 1

TP 17,966

Hi,

You could set up trusted location(s) for the public IP(s) and set your policy to exclude them from MFA. Please see article below for more information:

Using the location condition in a Conditional Access policy

https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition

NOTE: You cannot use mac address since that isn't visible to Azure AD.

If the above was helpful please click Accept Answer and upvote.

Thanks.

-TP

Boe Dillard 571 Reputation points

2023-03-08T23:09:16.41+00:00

Thanks! I just tried that with no luck though - perhaps I'm missing a step

I went to the azure conditional access page.

I added an IP range location - which is my home PC public IP /31 also tried /30 and /29 (I have a single IP address)

I log out and when I log back in no matter what IP/mask I tried I still get prompted for my phone confirmation.

Not sure if there is another step
Boe Dillard 571 Reputation points

2023-03-08T23:12:38.5533333+00:00

Thanks I may be missing a step

I went to the page, I added
TP 17,966 Reputation points

2023-03-09T19:15:26.8833333+00:00

Hi @Boe Dillard , in your Conditional Access (CA) policy where you are requiring MFA, did you you select All trusted locations under Conditions -- Locations -- Exclude? If you make the change and it still doesn't work properly please post specific details of your CA policy. I'm assuming you set your home named location as trusted.
Boe Dillard 571 Reputation points

2023-03-10T01:15:33.49+00:00

Thanks - I may be doing it all wrong - I go to https://portal.azure.com/#view/Microsoft_AAD_ConditionalAccess/ConditionalAccessBlade/~/NamedLocations

I click on IP ranges Location, Give it a name - mark as trusted and put in my ip/29

And that is all I did.

I see the configure multifactor authentication trusted IPs - that looks like it is across the board but I could be mistaken
TP 17,966 Reputation points

2023-03-10T21:37:24.9366667+00:00

@Boe Dillard I'll give you some instructions to guide you through it, probably post it within next 8-12 hours.

Answer 2

Boe Dillard 571

I got fantastic help on this - the issue was I needed an azure AD Premium 1 account so I could create a conditional access policy to include my trusted IP.

Set up a device/IP/Mac address exception for MFA?

2 answers

Activity