Azure Conditional Access Policies allow external IP locations to not require MFA

Robert Frost 0 Reputation points

Hi, we use a third-party LDAP service (Foxpass) which needs delegated authentication and uses MS OAuth. I need to ensure Foxpass is excluded from MFA during sign-in requests to its servers; the IPs are added as a location.
Under Grant or Session, to enable the policy to exclude the IP ranges in locations, what do I need to select, please?
So Session or Grant, and if Grant, block or grant access? And what options to apply, please?

  1. Marilee Turscak-MSFT 34,711 Reputation points Microsoft Employee

    Hi @Robert Frost ,

    Based on your description, I understand that you are looking to exclude certain IP ranges from requiring multi-factor authentication when accessing a third-party LDAP service.

    To achieve this, you can configure multifactor authentication trusted IPs/Named Locations to exclude certain locations from MFA.

    Then, if you have an MFA policy that is requiring MFA, you can ensure that the LDAP service is excluded from the policy under Cloud apps or actions > Exclude, and the IP ranges can be excluded under Conditions > Locations > Exclude. Then you would go to Access Controls > Grant Access > Require multifactor authentication to ensure that MFA is required for everyone else.

    Let me know if this helps and if you have further questions. I'm happy to discuss this in more detail.

    If the information helped you, please Accept the answer. This will help us as well as others in the community who may be researching similar issues.
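As an added example (not part of the question or the answer above), here is the same policy expressed as the Microsoft Graph `conditionalAccessPolicy` request body, together with a small local model of how the Exclude lists decide whether the MFA grant applies to a sign-in. The app ID, Named-location ID and IP ranges are constructed placeholders; the check function is a simplified illustration, not Entra's evaluation engine.

```python
import ipaddress

# Placeholder identifiers, constructed for this example. Real values come from
# the tenant's Named locations blade and the Foxpass enterprise app registration.
FOXPASS_APP_ID = "00000000-0000-0000-0000-000000000001"
FOXPASS_LOCATION_ID = "11111111-1111-1111-1111-111111111111"
FOXPASS_RANGES = ["203.0.113.0/24", "198.51.100.10/32"]  # TEST-NET ranges, constructed


def build_mfa_policy(app_id: str, location_id: str) -> dict:
    """Body for POST /identity/conditionalAccess/policies (Microsoft Graph).

    Mirrors the answer: require MFA for all users on all cloud apps, with the
    LDAP app excluded under applications and its IP ranges excluded under
    locations. Created in report-only state so sign-in logs show the effect
    before it is switched to "enabled".
    """
    return {
        "displayName": "Require MFA - exclude Foxpass app and Named location",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"],
                             "excludeApplications": [app_id]},
            "locations": {"includeLocations": ["All"],
                          "excludeLocations": [location_id]},
            "clientAppTypes": ["all"],
        },
        # Grant control (not Session): grant access, require MFA.
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def ip_in_ranges(ip: str, ranges) -> bool:
    """True if ip falls inside any CIDR in ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r) for r in ranges)


def mfa_required(policy: dict, app_id: str, ip: str, location_ranges: dict) -> bool:
    """Simplified model: the policy is skipped when the target app or the
    sign-in IP matches an Exclude list; otherwise its MFA grant applies.
    location_ranges maps Named-location IDs to their CIDR lists."""
    cond = policy["conditions"]
    if app_id in cond["applications"]["excludeApplications"]:
        return False
    for loc_id in cond["locations"]["excludeLocations"]:
        if ip_in_ranges(ip, location_ranges.get(loc_id, [])):
            return False
    return "mfa" in policy["grantControls"]["builtInControls"]
```

Note that an excluded location bypasses MFA for every app, not only the LDAP service, so keep the Named location limited to the provider's documented ranges.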