Conditional access policy overwritten after sign in through MFA

Atanas Malakov Convergys / Conccentrix 21

There is a conditional access policy to prevent access from external IP addresses, but after somebody uses authenticator app to sign in through MFA, this policy doesn't work anymore. How can be this prevented?

Shweta Mathur 27,786 Reputation points Microsoft Employee

2023-03-30T12:08:15.22+00:00

Hi @Atanas Malakov Convergys / Conccentrix ,

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept Answer" which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

1 answer

Vasil Michev 95,671 Reputation points MVP

2023-03-10T16:03:19.3533333+00:00

Do you mean the scenario where the user logins from a known/trusted location and then moves to a new one? The Continuous access evaluation feature should trigger a near real-time evaluation of the CA policy. However, there are some caveats, such as client support. Most importantly, if you have defined trusted networks in the old Azure MFA portal (the per-user MFA), CAE will not trigger. Replace the old config with CA policies/IP-based named locations in the Azure AD blade.
Please sign in to rate this answer.
Atanas Malakov Convergys / Conccentrix 21 Reputation points

2023-03-13T12:51:36.19+00:00

What do you mean with "old Azure MFA portal"? Could you provide the exact path, so that I can check this feature?

Atanas Malakov Convergys / Conccentrix 21 Reputation points

2023-03-13T12:54:20.7+00:00

What do you mean with "old Azure MFA portal"? Could you provide the exact path or screenshot so that I can check this feature?

Vasil Michev 95,671 Reputation points MVP

2023-03-13T14:40:02.4433333+00:00

Go to the M365 admin center > Users > Active users > Multi-factor authentication > Legacy per-user MFA > Service settings or directly via https://account.activedirectory.windowsazure.com/UserManagement/MfaSettings.aspx

Atanas Malakov Convergys / Conccentrix 21 Reputation points

2023-03-15T11:12:24.1866667+00:00

There are added 3 trusted IP addresses. What can I do here?

Vasil Michev 95,671 Reputation points MVP

2023-03-15T13:27:50.3333333+00:00

Generally speaking, you should move away from using the per-user MFA controls and replace them with CA policies. As part of the process, remove the trusted IPs from there and add a corresponding network location under the Azure AD blade > Security > Conditional Access > Named Locations, then leverage said Named locations as exclusions in your CA policies.

Atanas Malakov Convergys / Conccentrix 21 Reputation points

2023-03-21T17:42:24.96+00:00

Only the company IP address is allowed in the Cloud App Security. Only from this IP address is allowed the access to Microsoft 365. The IP is not added at https://portal.azure.com/#view/Microsoft_AAD_ConditionalAccess/ConditionalAccessBlade/~/Policies

Is this the correct configuration?

Vasil Michev 95,671 Reputation points MVP

2023-03-21T18:19:38.6666667+00:00

It's not about "correct" configuration, the old method will still work. But as your original question was about (immediately) preventing access from external addresses, the best thing to do is make sure the Continuous access evaluation feature is in effect. As mentioned in the documentation, the feature will not work with the old-style MFA trusted IPs, but only leverages the named locations as configured under Conditional Access settings in the Azure AD blade.

If the "old" controls are still in place, access will be revoked eventually, but the only way to ensure near real time enforcement is via Continuous access evaluation. Thus my suggestion is to evaluate whether switching to CA policies/Named locations is an option for you.

Atanas Malakov Convergys / Conccentrix 21 Reputation points

2023-03-22T22:17:49.34+00:00

Do you mean that the company IP should be added in IP-based named locations?

Vasil Michev 95,671 Reputation points MVP

2023-03-23T07:47:17.8866667+00:00

That's the direction you should be heading in, as per-user MFA controls will get deprecated, eventually. Replacing them with CA policies and replacing the MFA trusted IPs with Named locations will have the added benefit of ensuring Continuous Access Evaluation triggers immediate session revocation in scenarios where the user moves outside of the scope of a trusted location.

Atanas Malakov Convergys / Conccentrix 21 Reputation points

2023-03-24T09:40:27.96+00:00

Named locations were added but the issue still exists: after logon through MFA the Access policy is overwritten.

Vasil Michev 95,671 Reputation points MVP

2023-03-24T16:42:35.15+00:00

And did you switch to using CA, or is the original login still subject to per-user MFA controls?

Atanas Malakov Convergys / Conccentrix 21 Reputation points

2023-03-27T06:30:47.87+00:00

There are used 2 policies: Conditional access policy in Microsoft Azure (to allow access to all apps with a certificate) and Access policy in Microsoft Defender for Cloud apps.

Vasil Michev 95,671 Reputation points MVP

2023-03-28T07:36:49.87+00:00

Yes, but is the user still subject to per-user MFA or only to MFA via CA policy? Open the sign-in events page, and look at the properties of a sign-in event for the user. Specifically, check for the value of the "Continuous access evaluation" field. You want it in a "Yes" state, so that CAE is in effect and changes in network location are evaluated immediately.

You can also filter the logs via the "Is CAE token" field.

Atanas Malakov Convergys / Conccentrix 21 Reputation points

2023-03-31T17:52:20.95+00:00

Checked for the value of the "Continuous access evaluation" field and it is "No". Does it mean that MFA overrides the CA policy? What can I do here?

Vasil Michev 95,671 Reputation points MVP

2023-04-01T06:59:33.3166667+00:00

That would be my guess, yes.

Atanas Malakov Convergys / Conccentrix 21 Reputation points

2023-04-04T09:44:22.83+00:00

Is there an official article explaining this statement?
Sign in to comment