Hero Banner

Multi-Factor Authentication (MFA)

Learn and ask questions on how to implement MFA

Take the survey
Reply
Oletho
Level 1 Contributor
‎07-03-2019 11:06 PM
Level 1 Contributor
‎07-03-2019 11:06 PM

MFA IP whitelist not working after enabling Conditional Access policy

I also posted this question in MS Techcommunity here

 

A new requirement for CSP partners is enabling conditional access policies "Baseline policy: Require MFA for admins" and "Baseline policy: End user protection".

 

We already have MFA enabled/enforced for all end users and admins, with IP whitelist for main office and soho. That worked fine.

 

But after enabling those CA policies our IP whitelist stopped working. End users at the office are asked for MFA, and our O365 backup running with global admin credentials can no longer login.

 

I tried to create our main office public IP as a trusted location, but no luck.

 

As a quick fix i disabled the policies while digging into this.

 

Can anybody explain why this is happening?

Labels:
0 Kudos
3 REPLIES 3
Philipp
Level 2 Contributor
‎07-04-2019 02:52 AM
Level 2 Contributor
‎07-04-2019 02:52 AM

Hello Oletho, because the baseline policies override your trusted locations /excluded MFA IPs and enforce MFA even for those locations and your backup service account. Since you have CA already implemented you have a MFA configuration. Unfortunately Microsoft overshot with these requirements and it is unclear if CA with Trusted Networks will be excluded. Currently you have 2 options, as most of us do: 1) Keep you CA System running as long as possible and see if Microsoft changes its view on MFA requirements. 2) Migrate CA to Baseline Policies or adapt the concept of the baseline policies within you CA configuration. In this way you would also have to contact your backup solution provider so he updates his backup solution to be compliant with MFA requests or adapt the secure application modell outlined within the guide.
KeesMeerkerk
‎07-04-2019 06:21 AM
Visitor 1
In response to Philipp
‎07-04-2019 06:21 AM

We have already MFA enabled for all our Admin accounts and internal users. We have the following problems with enabling the Conditional Access Policies

 

- There is no option to exclude some accounts, how can we get that option?

- Enabling the CA policies overwrites existing location whitelists, how can we solve this issue?

- The Baseline policies are Preview, must we use preview products in our Production environment

 

Thanks in advance,

idwilliams
Moderator
‎07-13-2019 07:17 AM
Moderator
In response to KeesMeerkerk
‎07-13-2019 07:17 AM

The baseline policies are just one way the partner security requirements can be fulfilled. If you are using conditional access or another method to enforce MFA, then you do not have to enable the baseline policies. Finally, given the highly privileged nature of being a partner, especially a CSP, we need to ensure that every single authentication has an MFA challenge. It does not matter if the baseline policies or conditional access is being used to enforce MFA, each user must be challenged. Conditional access cannot be used to avoid authenticating using MFA when access Microsoft commercial cloud service services.

0 Kudos
Follow Us
    Share