Set up a device/IP/MAC address exception for MFA?

Boe Dillard 666 Reputation points
2023-03-08T18:27:30.9433333+00:00

Hello,

I would like MFA enabled for EVERYTHING but I'd like exceptions for scanners and IT support to be restricted to a specific device. E.g. our scanner MAC address will never change and I'd be impressed if someone managed to get on our physical network, scan it for printers, get the MAC address and figure out the email address and then hack the email. I'm not saying that can't be done but that would be a lot of work.

Is there a way to leave it enabled but skip it for a specific MAC address or IP or something that is device specific?

I'd love it for my computer - I manage 10 tenants and at the moment have MFA turned on for all of them so I have to get a code for 10 clients each time I flip through admin for each.

Microsoft Entra ID

3 answers

  1. TP 100K Reputation points
    2023-03-08T20:39:42.1466667+00:00

    Hi,

    You could set up trusted location(s) for the public IP(s) and set your policy to exclude them from MFA. Please see article below for more information:

    Using the location condition in a Conditional Access policy

    https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition

    NOTE: You cannot use MAC address since that isn't visible to Azure AD.

    If the above was helpful please click Accept Answer and upvote.

    Thanks.

    -TP
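
The trusted-location approach in the answer above, sketched with the Microsoft Graph PowerShell SDK. This is an added example, not code from the thread or from Microsoft; the CIDR and display names are placeholders, and it assumes the Microsoft.Graph module is installed and the tenant has the Azure AD Premium P1 license mentioned in the replies below.

```powershell
# Added example. Sign in with rights to manage Conditional Access.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Placeholder value (documentation range): replace with the site's public egress IP.
$trustedCidr = '203.0.113.10/32'

# 1. Create a named location for the public IP and mark it as trusted.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'Office egress IP (example)'
    isTrusted     = $true
    ipRanges      = @(
        @{
            '@odata.type' = '#microsoft.graph.iPv4CidrRange'
            cidrAddress   = $trustedCidr
        }
    )
}

# 2. Require MFA for all users and apps from every location except that one.
#    Created in report-only mode so the effect can be checked before enforcing.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'Require MFA outside office IP (example)'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        clientAppTypes = @('all')
        users          = @{ includeUsers = @('All') }
        applications   = @{ includeApplications = @('All') }
        locations      = @{
            includeLocations = @('All')
            excludeLocations = @($location.Id)
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

# Show what was created.
$policy | Select-Object Id, DisplayName, State
```

The exclusion matches on public source IP only, so every client behind that address skips the MFA prompt, not just the scanner. Review the report-only results in the sign-in logs before changing `state` to `enabled`.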


  2. Boe Dillard 666 Reputation points
    2023-03-11T01:06:01.19+00:00

    I got fantastic help on this - the issue was I needed an Azure AD Premium 1 account so I could create a conditional access policy to include my trusted IP.

  3. JamesTran-MSFT 36,656 Reputation points Microsoft Employee
    2023-03-31T17:40:22.2166667+00:00

    @Boe Dillard

    I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to accept the answer.

    Issue:

    You're trying to enable MFA for everything except for a specific MAC or IP address that is device specific.

    Solution:

    After receiving amazing support from our community, you were able to figure out that you needed an Azure AD Premium 1 License / account so that you can create Conditional Access Policies to include your Trusted IP addresses.

    Additional Links:

    If I missed anything please let me know and I'd be happy to add it to my answer, or feel free to comment below with any additional information.

    I hope this helps!


    If you have any other questions, please let me know. Thank you again for your time and patience throughout this issue.
