Azure Conditional Access Policies allow external IP locations to not require MFA

Question

Hi we use a third party LDAP service (Foxpass) which needs delegated authentication and use the MS OAuth. I need to ensure Foxpass is excluded from MFA during sign-in requests to its servers the IP's are added as a location.
Under the Grant or Session to enable the policy to exclude the IP ranges in locations what do I need to select please.
So Session or Grant and if Grant block or grant access? and what options to apply please.

Answer 1

Hi @Robert Frost ,

Based on your description, I understand that you are looking to exclude certain IP ranges from requiring multi-factor authentication when accessing a third-party LDAP service.

To achieve this, you can add configure multifactor authentication trusted IPs/Named Locations to exclude certain locations from MFA.

Then, if you have an MFA policy that is requiring MFA, you can ensure that the LDAP service is excluded from the policy under Cloud apps or actions > exclude , and the IP ranges can be excluded under Conditions > Locations > Exclude. Then you would go to Access Controls > Grant Access > Require multifactor authentication to ensure that the MFA is required for everyone else.

https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa

Let me know if this helps and if you have further questions. I'm happy to discuss this in more detail.

If the information helped you, please Accept the answer. This will help us as well as others in the communtiy who may be researching similar issues.