Do you mean the scenario where the user logs in from a known/trusted location and then moves to a new one? The Continuous access evaluation feature should trigger a near real-time evaluation of the CA policy. However, there are some caveats, such as client support. Most importantly, if you have defined trusted networks in the old Azure MFA portal (the per-user MFA), CAE will not trigger. Replace the old config with CA policies/IP-based named locations in the Azure AD blade.
Conditional access policy overwritten after sign in through MFA

Atanas Malakov Convergys / Concentrix
There is a conditional access policy to prevent access from external IP addresses, but after somebody uses the authenticator app to sign in through MFA, this policy doesn't work anymore. How can this be prevented?
What do you mean with "old Azure MFA portal"? Could you provide the exact path or screenshot so that I can check this feature?
Go to the M365 admin center > Users > Active users > Multi-factor authentication > Legacy per-user MFA > Service settings or directly via https://account.activedirectory.windowsazure.com/UserManagement/MfaSettings.aspx
There are 3 trusted IP addresses added there. What can I do here?
Generally speaking, you should move away from using the per-user MFA controls and replace them with CA policies. As part of the process, remove the trusted IPs from there and add a corresponding network location under the Azure AD blade > Security > Conditional Access > Named Locations, then leverage said Named locations as exclusions in your CA policies.
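The migration described in the answer above, expressed as an added Microsoft Graph PowerShell example (this is not code from the original thread or from Microsoft): it creates an IP-based Named Location for the company address range and a Conditional Access policy that blocks every location except that one. The CIDR range, the display names and the break-glass account object ID are constructed placeholders; the policy is created in report-only mode so its effect can be reviewed in the sign-in logs before it is enforced.

```powershell
# Added example: replace legacy per-user MFA "trusted IPs" with a CA Named Location.
# Requires the Microsoft.Graph PowerShell module and a Conditional Access administrator.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# 1. Named Location for the company egress range (assumed/constructed CIDR).
$namedLocation = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Corporate office egress"            # assumed name
    isTrusted     = $true
    ipRanges      = @(
        @{
            "@odata.type" = "#microsoft.graph.iPv4CidrRange"
            cidrAddress   = "203.0.113.0/24"              # constructed example range
        }
    )
}

# 2. CA policy: block all cloud apps from any location except the Named Location above.
#    The break-glass account ID is a placeholder; always exclude at least one such account
#    so a mistake in the IP range cannot lock every administrator out of the tenant.
$breakGlassUserId = "00000000-0000-0000-0000-000000000000"   # placeholder object ID

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "Block access outside corporate network"   # assumed name
    # Report-only first: evaluate in sign-in logs, then switch to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassUserId)
        }
        applications = @{ includeApplications = @("All") }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @($namedLocation.Id)
        }
    }
    grantControls = @{
        operator         = "OR"
        builtInControls  = @("block")
    }
}

# 3. Verify what was created before removing the legacy trusted IPs from the per-user MFA portal.
Get-MgIdentityConditionalAccessNamedLocation -NamedLocationId $namedLocation.Id |
    Select-Object DisplayName, Id
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id |
    Select-Object DisplayName, State, Id
```

Only after the report-only results look correct should the policy state be changed to "enabled" and the trusted IPs removed from the legacy service settings page; until those legacy entries are gone, Continuous access evaluation will not revoke sessions when a user leaves the trusted range, which is the behaviour the original question describes.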
Only the company IP address is allowed in Cloud App Security. Access to Microsoft 365 is only allowed from this IP address. The IP is not added at https://portal.azure.com/#view/Microsoft_AAD_ConditionalAccess/ConditionalAccessBlade/~/Policies
Is this the correct configuration?
It's not about "correct" configuration, the old method will still work. But as your original question was about (immediately) preventing access from external addresses, the best thing to do is make sure the Continuous access evaluation feature is in effect. As mentioned in the documentation, the feature will not work with the old-style MFA trusted IPs, but only leverages the named locations as configured under Conditional Access settings in the Azure AD blade.
If the "old" controls are still in place, access will be revoked eventually, but the only way to ensure near real time enforcement is via Continuous access evaluation. Thus my suggestion is to evaluate whether switching to CA policies/Named locations is an option for you.
Do you mean that the company IP should be added in IP-based named locations?
That's the direction you should be heading in, as per-user MFA controls will get deprecated, eventually. Replacing them with CA policies and replacing the MFA trusted IPs with Named locations will have the added benefit of ensuring Continuous Access Evaluation triggers immediate session revocation in scenarios where the user moves outside of the scope of a trusted location.
Named locations were added but the issue still exists: after logon through MFA the Access policy is overwritten.
And did you switch to using CA, or is the original login still subject to per-user MFA controls?
2 policies are used: a Conditional access policy in Microsoft Azure (to allow access to all apps with a certificate) and an Access policy in Microsoft Defender for Cloud Apps.