MFA IP whitelist not working after enabling Conditional Access policy
I also posted this question on MS TechCommunity here.
A new requirement for CSP partners is enabling conditional access policies "Baseline policy: Require MFA for admins" and "Baseline policy: End user protection".
We already have MFA enabled/enforced for all end users and admins, with an IP whitelist for the main office and SOHO. That worked fine.
But after enabling those CA policies, our IP whitelist stopped working. End users at the office are asked for MFA, and our O365 backup running with global admin credentials can no longer log in.
I tried to create our main office public IP as a trusted location, but no luck.
As a quick fix I disabled the policies while digging into this.
Can anybody explain why this is happening?
We already have MFA enabled for all our admin accounts and internal users. We have the following problems with enabling the Conditional Access policies:
- There is no option to exclude some accounts, how can we get that option?
- Enabling the CA policies overwrites existing location whitelists, how can we solve this issue?
- The Baseline policies are in Preview; must we use preview products in our production environment?
Thanks in advance,
The baseline policies are just one way the partner security requirements can be fulfilled. If you are using conditional access or another method to enforce MFA, then you do not have to enable the baseline policies. Finally, given the highly privileged nature of being a partner, especially a CSP, we need to ensure that every single authentication has an MFA challenge. It does not matter if the baseline policies or conditional access is being used to enforce MFA; each user must be challenged. Conditional access cannot be used to avoid authenticating using MFA when accessing Microsoft commercial cloud services.