In this short article, I will explain some scenarios for enabling Conditional Access for MFA. Recently I have started to see a lot of customers using Azure Conditional Access (CA) for MFA. The most common scenario I see is that after enabling Azure CA for MFA in a federated environment (AD FS deployed), MFA is not skipped for internal users even though the “Skip MFA for requests from federated users on my intranet” option is enabled in the MFA portal.
First of all, before discussing the scenarios, you need to have Office 365 as a relying party in AD FS, and you need to make sure that AD FS issues the insidecorporatenetwork claim as below:
If you don’t have this claim, you can simply add it; below is the syntax of the issuance rule:
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork"]
=> issue(claim = c);
If you are looking for how to federate your domain with AD FS, refer to this good article: https://blogs.technet.microsoft.com/rmilne/2017/04/28/how-to-install-ad-fs-2016-for-office-365/
Assuming that AD FS is configured correctly, let’s discuss the scenarios below:
Scenario 1: the domain is federated using AD FS, no conditional access is configured, and only the “Skip MFA for requests from federated users on my intranet” option is enabled in the MFA portal, as in the snapshot below:
In this case, as you may know, AD FS sends the insidecorporatenetwork claim to Azure AD so it can determine whether the request is internal or external. For example, if the request came from the internal network, we can see that AD FS issued the insidecorporatenetwork claim with the value “true”, which means the request came from inside the network, so MFA is not triggered because of the option we selected earlier to skip MFA for internal requests:
<saml:Attribute AttributeName="insidecorporatenetwork" AttributeNamespace="http://schemas.microsoft.com/ws/2012/01" a:OriginalIssuer="CLIENT CONTEXT" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
<saml:AttributeValue b:type="tn:boolean" xmlns:tn="http://www.w3.org/2001/XMLSchema" xmlns:b="http://www.w3.org/2001/XMLSchema-instance">true</saml:AttributeValue>
</saml:Attribute>
Scenario 2: the domain is federated using AD FS, there is a conditional access policy requiring MFA from any location except the MFA trusted IPs (preview feature) as below, and the “Skip MFA for requests from federated users on my intranet” option is enabled.
In this scenario, MFA will be skipped for internal users and triggered for external users.
Scenario 3: same as Scenario 2 except that “Skip MFA for requests from federated users on my intranet” is NOT enabled; MFA will then be triggered both internally and externally.
Scenario 4 (I see this one a lot): the domain is federated using AD FS, there is a conditional access policy requiring MFA from any location except the MFA trusted IPs (preview feature) as below, and the “Skip MFA for requests from federated users on my intranet” option is enabled, but here we assume the location condition in the CA policy was turned off, so CA is configured but without a location condition, as below:
The “Skip MFA for requests from federated users on my intranet” option will have no effect here, and MFA will be triggered for both internal and external users.
Scenario 5: if you choose in CA to exclude the trusted IPs, you can specify them in the MFA portal as below; this will skip MFA for all requests that come from the public IP 220.127.116.11/32:
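To make the five outcomes above checkable, here is an added Python example (not code from the original post) that parses an insidecorporatenetwork attribute like the one shown in Scenario 1 and encodes the MFA decision described in Scenarios 1 to 5. The sample XML is constructed, and Scenario 1 is modelled assuming MFA is otherwise enforced for the user, as the post presumes.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
CLAIM_NS = "http://schemas.microsoft.com/ws/2012/01"

# Constructed sample, modelled on the attribute AD FS issued in Scenario 1.
SAMPLE_ATTRIBUTE = f"""<saml:Attribute xmlns:saml="{SAML_NS}"
  AttributeName="insidecorporatenetwork" AttributeNamespace="{CLAIM_NS}">
  <saml:AttributeValue b:type="tn:boolean"
    xmlns:tn="http://www.w3.org/2001/XMLSchema"
    xmlns:b="http://www.w3.org/2001/XMLSchema-instance">true</saml:AttributeValue>
</saml:Attribute>"""


def inside_corporate_network(attribute_xml: str) -> bool:
    """True only when the attribute is insidecorporatenetwork with value true.
    A missing or foreign claim counts as external, which is the safe default."""
    root = ET.fromstring(attribute_xml)
    if (root.get("AttributeName") != "insidecorporatenetwork"
            or root.get("AttributeNamespace") != CLAIM_NS):
        return False
    value = root.find(f"{{{SAML_NS}}}AttributeValue")
    return value is not None and (value.text or "").strip().lower() == "true"


@dataclass
class SignIn:
    inside_corp: bool             # insidecorporatenetwork claim value
    from_trusted_ip: bool         # public IP is in the MFA trusted IPs list
    skip_mfa_intranet: bool       # "Skip MFA for requests from federated users on my intranet"
    ca_require_mfa: bool          # a CA policy requiring MFA exists
    ca_location_configured: bool  # that policy excludes the MFA trusted IPs


def mfa_required(s: SignIn) -> bool:
    """Decide MFA the way Scenarios 1-5 describe. Scenario 1 assumes MFA is
    otherwise enforced for the user (as the post presumes), so with no CA
    policy the skip option alone decides."""
    if not s.ca_require_mfa:                   # Scenario 1
        return not (s.skip_mfa_intranet and s.inside_corp)
    if not s.ca_location_configured:           # Scenario 4: skip option ignored
        return True
    if s.from_trusted_ip:                      # Scenario 5: trusted IP excluded
        return False
    if s.skip_mfa_intranet and s.inside_corp:  # Scenario 2: internal skipped
        return False
    return True                                # Scenario 3, or external user
```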
Ahmad Yasin is a Microsoft Cloud Engineer and the owner & publisher of the AzureDummies blog. He also holds many certifications in Office 365 and Windows Azure, including Developing Microsoft Azure Solutions, Implementing Microsoft Azure Infrastructure Solutions and MCSA Office 365.