With Azure AD Conditional Access, you can control how authorized users’ can access your cloud applications.
Multi-factor authentication (MFA) is a method of authentication that requires more than one verification method and adds a second layer of security to sign-ins.
I had a requirement to prompt for MFA if the user is trying to access Dynamics 365 (or other O365 services) from a location outside of the company network.
In this article, we will see how to create conditional access to enforce MFA, if a user is accessing services from an untrusted location (outside of company’s network).
- You will require Azure AD Premium license for users.
- Create a security group and add the users’ you need to specify in the policy.
- Company’s public static IP in CIDR format. Example – 220.127.116.11/24 (You can contact your network team to get this detail)
Trusted locations -
- Configure MFA trusted IP’s in Azure AD (see below image).
- Provide your company’s public static IP in CIDR format (check below image).
Conditional Access –
2. Name the policy as UntrustedLocation_PromptMFA and the first thing to configure is Assignments in which you need to mention the User & Groups to be included in this policy (see below image).
3. Select Dynamics CRM Online under Cloud Apps. You can similarly choose other applications as well (see below image)
4. Under Conditions, you need to configure the Device state and client apps as per your requirements (see below images)
In Location –
6. Finally, Enable the policy and Save.
User specified in the group will be asked for MFA when accessing services from an untrusted location (outside the company’s network)