Services accessed from Untrusted location? Enforce MFA!
Introduction:
With Azure AD Conditional Access, you can control how authorized users’ can access your cloud applications. In this article, we will see how to create conditional access to enforce MFA, if the user is accessing services from the untrusted location (outside of the company’s network).
Multi-factor authentication (MFA) is a method of authentication that requires more than one verification method and adds a second layer of security to sign-ins.
Requirement:
I had a requirement from a client to prompt for MFA if a user is trying to access Dynamics 365 (or other O365 services) from a location outside of company network.
Pre-requisites:
- You will require Azure AD Premium license for users.
- Create a security group and add the users’ you need to specify in the policy.
- Company’s public static IP in CIDR format. Example – 15.250.0.89/24 (You can contact your network team to get this detail)
Trusted locations:
- Configure MFA trusted IP’s in Azure AD (see below image).
- Provide your company’s public static IP in CIDR format (check below image).
Conditional Access:
- Go to Azure AD > Conditional Access > +New Policy
- Name the policy as UntrustedLocation_PromptMFA and the first thing to configure is Assignments in which you need to mention the User & Groups to be included in this policy (see below image).
- Select Dynamics CRM Online under Cloud Apps. You can similarly choose other applications as well (see below image)
- Under Conditions, you need to configure the Device state and client apps as per your requirements (see below images).
In Location: Include – Any locations
Exclude: Selected locations and then select MFA trusted IPs (see below image)
- In Access control > Grant Access, tick Require multi-factor authentication (see below image)
- Finally, Enable the policy and Save.
User specified in the group will be asked for MFA when accessing Office 365 services from an untrusted location (outside the company’s network).
Conclusion:
In this way, we can enforce MFA when Office 365 services are accessed from untrusted locations.