MFA enrollment and Conditional Access

Question

MFA enrollment and Conditional Access

berketjune2012 376

Hello I have two questions regarding enrolling in MFA on Azure/Office 365:

1) If there is a conditional access policy to not enforce MFA from a trusted location, would this apply to initial registration as well? In other words If I enable and enforce MFA for a user for the first time, will he or she be prompted to enroll if they are coming in from a trusted location which would normal bypass MFA because of Conditional Access.

2) Can a user self enroll in MFA if MFA has not be enabled/enforced in the backend portal in Azure?

Thanks

1 answer

Your answer

Answer 1

Carlos Solís Salazar 18,196 MVP Volunteer Moderator

Hi @berketjune2012

Thank you for asking this question on the **Microsoft Q&A Platform. **

Yes, you can create Conditional access, the users must have a license of Azure AD P1 or P2.
To allow self-enrollment the user must have the MFA enabled

Hope this helps,
Carlos Solís Salazar

----------

Accept Answer and Upvote, if any of the above helped, this thread can help others in the community looking for remediation for similar issues.

NOTE: To answer you as quickly as possible, please mention me in your reply.

berketjune2012 376 Reputation points

2022-04-07T01:09:36.247+00:00

@Carlos Solís Salazar would MFA initial registration work if conditional access is set to exclude MFA for trusted location?
Carlos Solís Salazar 18,196 Reputation points MVP Volunteer Moderator

2022-04-07T01:39:09.63+00:00

@berketjune2012

Yes,

Sign-ins from trusted named locations improve the accuracy of Azure AD Identity Protection's risk calculation, lowering a user's sign-in risk when they authenticate from a location marked as trusted. Additionally, trusted named locations can be targeted in Conditional Access policies. For example, you may restrict multi-factor authentication registration to trusted locations.

Also,

You can also configure IP address ranges representing your organization's local intranet in the multi-factor authentication service settings. This feature enables you to configure up to 50 IP address ranges. The IP address ranges are in CIDR format. For more information, see Trusted IPs.
If you have Trusted IPs configured, they show up as MFA Trusted IPs in the list of locations for the location condition.

Go in here for more details Using the location condition in a Conditional Access policy

Hope this helps,
Carlos Solís Salazar

----------

Accept Answer and Upvote, if any of the above helped, this thread can help others in the community looking for remediation for similar issues.

NOTE: To answer you as quickly as possible, please mention me in your reply.
Carlos Solís Salazar 18,196 Reputation points MVP Volunteer Moderator

2022-04-09T00:05:12.04+00:00

@berketjune2012 , you can Accept Answer and Upvote, if the above response helped answer your query, others visiting the forum with the same query might get help.

NOTE: To answer you as quickly as possible, please mention me in your reply.

Share via

MFA enrollment and Conditional Access

1 answer

Your answer