Set up a device/IP/Mac address exception for MFA?

Boe Dillard 571 Reputation points


I would like MFA enabled for EVERYTHING but I'd like exceptions for scanners and it support to be restricted to a sepcific device. E.g. our scanner mac address will never change and I'd be impressed if someone managed to get on our physical network, scan it for printers, get the mac addres and figure out the email address and then hack the email. I'm not saying that can't be done but that would be a lot of work.

Is there a way to leave it enabled but skip it for a specific mac address or IP or something that is device specific?

I'd love it for my computer - I manage 10 tenants and at the moment have MFA turned on for all of them so I have to get a code for 10 clients each time I flip through admin for each.

Azure Active Directory
Azure Active Directory
An Azure enterprise identity service that provides single sign-on and multi-factor authentication.
13,597 questions
No comments
{count} votes

2 answers

Sort by: Most helpful
  1. TP 17,966 Reputation points


    You could set up trusted location(s) for the public IP(s) and set your policy to exclude them from MFA. Please see article below for more information:

    Using the location condition in a Conditional Access policy

    NOTE: You cannot use mac address since that isn't visible to Azure AD.

    If the above was helpful please click Accept Answer and upvote.



  2. Boe Dillard 571 Reputation points

    I got fantastic help on this - the issue was I needed an azure AD Premium 1 account so I could create a conditional access policy to include my trusted IP.