I’ve been working with MFA on my recent projects where the clients want to leverage conditional access. The objective was to bypass MFA when users are on the corporate network or on any of the trusted IPs. Pretty simple. Right?
I create a few Named locations to represent the trusted IP ranges.
I create a conditional access policy with these settings:
- Assign to two specific users (initial testing – avoid impact on all users)
- Only Exchange Online is selected (once again – initial testing)
- Apply to Any location, excluding the Named locations
- Grant access – Require multi-factor authentication
I run the policy through What If to validate it. All is working as expected.
My two test users set up their MFA methods.
Test user 1: Megan – OneWaySMS (text message) as indicated by MethodType:5
Test user 2: Raul – TwoWayVoiceMobile (phone call) as indicated by MethodType:0
Both users are on the same corporate network. Megan launches OWA – no MFA prompt. This achieves the objective above. However, when Raul launches OWA, he is prompted for MFA.
Why does the same conditional access policy work for Megan but not for Raul?
The difference is how each user is enabled for MFA. Here you can see that Megan’s MFA status is set to disabled while Raul’s is set to enforced.
Enabling and enforcing MFA for users with this traditional (per-user) method requires them to perform two-step verification every time they sign in, and it overrides conditional access policies.
If you’re trying to bypass MFA while on the corporate or a trusted network, let conditional access do the work for you: prompt users for MFA to access your Office 365 applications when they are outside of your network, instead of enabling and enforcing MFA using the traditional method.
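The practical check that follows from this is finding every user whose per-user MFA state is still Enabled or Enforced, since those users will be prompted regardless of the Named location exclusion. The script below is an added example, not part of the original post; it assumes the MSOnline module is installed and that you have rights to read and update users.

```powershell
# Added example: audit the legacy per-user MFA state that overrides conditional access.
# Assumes the MSOnline module is installed; Connect-MsolService will prompt for credentials.
Connect-MsolService

$report = Get-MsolUser -All | ForEach-Object {
    $req = $_.StrongAuthenticationRequirements
    # An empty requirements collection is the "Disabled" state (what Megan has);
    # otherwise State is "Enabled" or "Enforced" (what Raul has).
    $state = if ($req -and $req.Count -gt 0) { $req[0].State } else { 'Disabled' }
    # Default registered method, e.g. OneWaySMS or TwoWayVoiceMobile.
    $default = ($_.StrongAuthenticationMethods | Where-Object { $_.IsDefault }).MethodType
    [pscustomobject]@{
        UserPrincipalName = $_.UserPrincipalName
        PerUserMfaState   = $state
        DefaultMethod     = $default
    }
}

# These users bypass the location exclusion and get prompted everywhere.
$overriding = $report | Where-Object { $_.PerUserMfaState -in 'Enabled', 'Enforced' }
$overriding | Format-Table -AutoSize

# Set $apply to $true only after reviewing the list above. Clearing the
# requirement hands control of the MFA prompt back to the conditional access policy.
$apply = $false
if ($apply) {
    foreach ($u in $overriding) {
        Set-MsolUser -UserPrincipalName $u.UserPrincipalName -StrongAuthenticationRequirements @()
    }
}
```

Users cleared this way keep their registered methods, so the conditional access policy can still prompt them when they sign in from outside the Named locations.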
Thanks for reading!