Skip multifactor authentication for requests from following range of IP address subnets gets ignored

nettech 171 Reputation points
2024-09-30T23:49:55.4033333+00:00

Hi,

We have MFA enforced on all of our user and "Skip multifactor authentication for requests from following range of IP address subnets" is set up with our Public IP address. (Configured under Per-user multifactor authentication)

When users access azure portal from home they are prompted for user id, password and MFA this is working as expected, at the office everyone is getting MFA prompt despite having our WAN IP configured as an exclusion.

What else could be missing?

Thank you!

Microsoft Authenticator
Microsoft Authenticator
A Microsoft app for iOS and Android devices that enables authentication with two-factor verification, phone sign-in, and code generation.
6,884 questions
Microsoft Entra External ID
Microsoft Entra External ID
A modern identity solution for securing access to customer, citizen and partner-facing apps and services. It is the converged platform of Azure AD External Identities B2B and B2C. Replaces Azure Active Directory External Identities.
2,884 questions
Microsoft Entra
0 comments No comments
{count} votes

Accepted answer
  1. Sandeep G-MSFT 19,196 Reputation points Microsoft Employee
    2024-10-03T04:18:47.4633333+00:00

    @nettech

    Thank you for posting this in Microsoft Q&A.

    As I understand you have configured MFA settings to prompt for MFA only when users are accessing Azure resources from external network (Internet). Users should not be prompted for MFA when accessing Azure resources from internal network.

    You can try to achieve this by configuring a conditional access policy in Azure.

    You can define a conditional access policy by mentioning IP addresses range which should prompt for MFA while accessing Azure resources. You can configure this in Named locations in Conditional access policy. Once you create Named locations you can use this Named location in the conditional access policy that you create.

    You can follow below article to configure CA policy with named locations using network IP ranges for MFA prompts.

    https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-assignment-network

    Let me know if you have any further questions.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.