Monday, October 1, 2018

Application accessed from untrusted location? Enforce #MFA through Conditional Access with #AzureAD

With Azure AD Conditional Access, you can control how authorized users access your cloud applications.

Multi-factor authentication (MFA) is a method of authentication that requires more than one verification method and adds a second layer of security to sign-ins.

Requirement –
I had a requirement to prompt for MFA if the user is trying to access Dynamics 365 (or other O365 services) from a location outside of the company network.

Solution –
In this article, we will see how to create a Conditional Access policy that enforces MFA when a user accesses services from an untrusted location (outside the company’s network).

  • Azure AD Premium licenses for the users covered by the policy.
  • A security group containing the users you want the policy to apply to.
  • The company’s public static IP range in CIDR format. Example – (You can contact your network team to get this detail)

Trusted locations –
  1. Configure MFA trusted IPs in Azure AD (see below image).

  2. Provide your company’s public static IP range in CIDR format (see below image).

Conditional Access –

1. Go to Azure AD > Conditional Access > +New Policy.

2. Name the policy UntrustedLocation_PromptMFA. The first thing to configure is Assignments, where you specify the Users & Groups to be included in this policy (see below image).

3. Select Dynamics CRM Online under Cloud Apps. You can choose other applications in the same way (see below image).

4. Under Conditions, configure Device state and Client apps as per your requirements (see below images). In Locations, set:
   Include – Any location
   Exclude – Selected locations, then select MFA trusted IPs (see below image)

5. In Access control > Grant Access, tick Require multi-factor authentication (see below image).

6. Finally, Enable the policy and Save.

Users in the specified group will be prompted for MFA when accessing the selected services from an untrusted location (outside the company’s network).
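The portal steps above map onto a single Microsoft Graph conditionalAccessPolicy object, which is also the form you would use to audit existing policies for drift. The script below is an added example, not code from the original post: it builds the JSON body equivalent to the UntrustedLocation_PromptMFA policy, checks a policy object for the properties the article relies on (enabled, MFA grant, all locations included, trusted locations excluded, users and app in scope), and sanity-checks the CIDR ranges you intend to enter as MFA trusted IPs. It does not call Graph; the group ID and the 203.0.113.0/24 range are constructed placeholders, and the Dynamics CRM Online application ID is assumed to be the well-known value and should be confirmed against your tenant’s service principals.

```python
"""Build and audit the 'MFA from untrusted locations' Conditional Access policy
in the Microsoft Graph conditionalAccessPolicy JSON shape (added example)."""
import ipaddress
import json

# Assumed well-known application ID for Dynamics CRM Online; confirm in your tenant.
DYNAMICS_CRM_ONLINE_APP_ID = "00000007-0000-0000-c000-000000000000"
# Constructed placeholder for the security group created in the prerequisites.
EXAMPLE_GROUP_ID = "11111111-2222-3333-4444-555555555555"

# Address space that can never be a company's public egress address.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10", "ff00::/8")]


def validate_trusted_ranges(cidrs):
    """Return findings for ranges intended as MFA trusted IPs.

    The trusted-IP list is an MFA bypass, so every entry must be valid CIDR with
    no host bits set, publicly routable, and no broader than the office egress."""
    findings = []
    for cidr in cidrs:
        try:
            net = ipaddress.ip_network(cidr, strict=True)  # rejects 203.0.113.5/24
        except ValueError as exc:
            findings.append(f"{cidr}: not a valid CIDR range ({exc})")
            continue
        if any(r.version == net.version and net.subnet_of(r) for r in NON_PUBLIC):
            findings.append(f"{cidr}: not a public address range")
            continue
        if net.version == 4 and net.prefixlen < 24:
            findings.append(f"{cidr}: broader than /24, confirm it is all company egress")
    return findings


def build_policy(group_id, app_id=DYNAMICS_CRM_ONLINE_APP_ID,
                 display_name="UntrustedLocation_PromptMFA"):
    """Graph policy body matching the article's portal configuration."""
    return {
        "displayName": display_name,
        "state": "enabled",
        "conditions": {
            "users": {"includeGroups": [group_id]},
            "applications": {"includeApplications": [app_id]},
            "clientAppTypes": ["all"],
            "locations": {
                "includeLocations": ["All"],
                # "AllTrusted" covers the MFA trusted IPs range plus named
                # locations marked as trusted.
                "excludeLocations": ["AllTrusted"],
            },
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def audit_policy(policy):
    """Return reasons a policy does not implement 'MFA from untrusted locations'.

    An empty list means the policy matches the intended design."""
    findings = []
    if policy.get("state") != "enabled":
        findings.append(f"state is '{policy.get('state')}': policy is not enforced")
    cond = policy.get("conditions", {})
    loc = cond.get("locations") or {}
    if "All" not in loc.get("includeLocations", []):
        findings.append("locations.includeLocations does not cover 'All'")
    if not loc.get("excludeLocations"):
        findings.append("no trusted location excluded: MFA would be required everywhere")
    users = cond.get("users", {})
    if not users.get("includeGroups") and not users.get("includeUsers"):
        findings.append("no users or groups in scope")
    if not cond.get("applications", {}).get("includeApplications"):
        findings.append("no cloud apps in scope")
    if "mfa" not in (policy.get("grantControls") or {}).get("builtInControls", []):
        findings.append("grant controls do not require MFA")
    return findings


# Constructed drifted copy: left in report-only mode with the exclusion removed.
REPORT_ONLY_NO_EXCLUSION = build_policy(EXAMPLE_GROUP_ID)
REPORT_ONLY_NO_EXCLUSION["state"] = "enabledForReportingButNotEnforced"
REPORT_ONLY_NO_EXCLUSION["conditions"]["locations"]["excludeLocations"] = []

if __name__ == "__main__":
    print(json.dumps(build_policy(EXAMPLE_GROUP_ID), indent=2))
    print(audit_policy(REPORT_ONLY_NO_EXCLUSION))
    print(validate_trusted_ranges(["203.0.113.0/24", "10.0.0.0/8", "203.0.113.5/24"]))
```

Posting the built body to the Graph conditional access policies endpoint creates the same policy the portal steps produce; running audit_policy over the policies returned by that endpoint is a cheap periodic check that nobody has flipped the policy to report-only or dropped the trusted-location exclusion, the two changes that silently defeat this control.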
