We have a large service desk and by policy (for security of our clients) our agents are not allowed mobile phones at their desk. They also do not have DDIs on our PBX.
Are we able to use Named Locations in Azure AD Conditional Access to exclude the requirement for MFA based on the IP address of our office *AND* still remain compliant with the Partner Security Policy?
I know this was forever ago, but I'm bumping this, because I would like an answer as well. I believe the answer is "no" based on what I'm reading:
Can conditional access be used to meet the MFA requirement?
Yes, you can use conditional access to enforce MFA for each user, including service accounts, in your partner tenant. However, given the highly privileged nature of being a partner, we need to ensure that each user has an MFA challenge for every single authentication. This means you will not be able to leverage features of conditional access that circumvent the requirement for MFA.
Also, this from the FAQ:
Issue 4: Partner cannot implement MFA using MS Authenticator App
A partner has a "clean desk" policy which does not permit employees bringing their personal mobile devices to their work area. Without access to their personal mobile devices, the employees cannot install the MS Authenticator App, which is the only MFA verification supported by Azure AD baseline policies. Is this a valid reason for technical exception?
Answer: No, this isn't a valid reason for technical exception. The partner should consider the following alternatives, so that their employees can still complete MFA verification when accessing Partner Center:
- Other than MS Authenticator App, Azure AD baseline policies can also be used with 3rd party, compatible Authenticator Apps, which may be supported on Windows computers running Microsoft Windows.
- Partner can also sign up for Azure AD Premium or 3rd party MFA solutions (compatible with Azure AD) which can provide additional verification methods.
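As an added illustration (not code from the thread or from Microsoft), the Python below audits a list of Conditional Access policies in the Microsoft Graph conditionalAccessPolicy shape and flags any enabled MFA policy that carves out a named location, which is exactly the configuration the partner requirement above rules out. The sample policies, their names and the location id are constructed placeholders.

```python
# Added example: find Conditional Access policies whose MFA grant is skipped
# for a named location (e.g. an office IP range or "AllTrusted"). The input
# shape follows Graph's conditionalAccessPolicy objects as returned by
# GET /identity/conditionalAccess/policies; the entries below are constructed.

SAMPLE_POLICIES = [
    {   # Constructed: MFA everywhere except an office named location
        "displayName": "Require MFA - except office",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "locations": {
                "includeLocations": ["All"],
                # placeholder named-location id, not a real tenant value
                "excludeLocations": ["00000000-0000-0000-0000-000000000001"],
            },
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {   # Constructed: MFA on every sign-in, no location carve-out
        "displayName": "Require MFA - all locations",
        "state": "enabled",
        "conditions": {"users": {"includeUsers": ["All"]}, "locations": None},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
]


def requires_mfa(policy):
    """True if the policy's grant controls include the built-in MFA control."""
    controls = (policy.get("grantControls") or {}).get("builtInControls") or []
    return "mfa" in controls


def location_exclusions(policy):
    """Named locations this policy does not apply to (empty if none)."""
    locations = (policy.get("conditions") or {}).get("locations") or {}
    return list(locations.get("excludeLocations") or [])


def find_mfa_bypasses(policies):
    """Names of enabled MFA policies that exempt at least one named location."""
    return [
        p["displayName"]
        for p in policies
        if p.get("state") == "enabled"
        and requires_mfa(p)
        and location_exclusions(p)
    ]
```

Policies in report-only state are ignored on purpose, since they enforce nothing either way.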