Friday, March 31, 2017

Exempt MFA from Corporate network using Azure and ADFS Claim Rules

In this blog we will see how to exempt users on the corporate network from the additional MFA step, first in the Azure portal and then with ADFS claim rules.

What is MFA ?

Multi-factor authentication (MFA) is a method of authentication that requires more than one verification method, adding a second layer of security to user sign-ins and transactions.

IP whitelisting lets administrators add an extra level of security and convenience by only requiring users to perform MFA when accessing resources from outside the corporate network. This can be done in two ways:

Whitelisting of IP addresses: whitelist the corporate public IP addresses in the Azure portal.

Configuring claim rules in AD FS: configure ADFS claim rules to exempt users on the corporate network from MFA.

Whitelisting of IP addresses

Log in to

Select Active Directory in the screen below.

Once you select Active Directory, search for Office and select Exchange from the screen below.

Select Configure in the screen below.

Enable Access Rules: ON

Apply to: depending on your requirement, select All users or specific Groups.

Rules: Require MFA when not at work. Users are then only prompted for MFA when they try to access resources from outside the corporate network.

Rules: Under Rules, select "click here to define/edit your work network location". This redirects to another page where you list all the public IP addresses of your work network.

In the screen below, under Trusted IPs, enter all the required IP addresses to exempt users from MFA and click Save.

It may take up to 24 hours to propagate to all the O365 servers.

ADFS Claim Rules to Exempt MFA

Open the ADFS Management console, click Edit Claim Rules and create a new claim rule.

Below is the Claim Rule
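The blog's own rule is not reproduced on this page. As an added example (not the author's rule), the following PowerShell appends a claim rule of this kind to the Azure AD relying party trust: when ADFS marks the request as coming from inside the corporate network, it issues the multipleauthn claim so Azure AD treats MFA as already satisfied. The relying party name and rule name are assumptions; run this on an ADFS server with the ADFS module loaded.

```powershell
# Added example, not the blog's rule. Assumes the Azure AD relying party trust
# carries its default name (change $rpName if yours differs).
$rpName = "Microsoft Office 365 Identity Platform"

# ADFS sets insidecorporatenetwork to "true" only for requests that did NOT
# arrive through the Web Application Proxy. The exemption is therefore only as
# safe as that boundary: if the ADFS farm were reachable directly from the
# internet, every request would look internal and nobody would be prompted.
$exemptRule = @'
@RuleName = "Exempt MFA from corporate network"
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "true"]
 => issue(Type = "http://schemas.microsoft.com/claims/authnmethodsreferences",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@

# Append to the existing issuance transform rules rather than replacing them,
# so the UPN / ImmutableID rules the trust already has are preserved.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -IssuanceTransformRules ($rp.IssuanceTransformRules + "`r`n" + $exemptRule)

# Verify the rule is now part of the trust before testing a sign-in.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules

# Prerequisite (MSOnline module): Azure AD only honours a federated MFA claim
# when the domain's federation settings say the IdP supports MFA.
# Set-MsolDomainFederationSettings -DomainName "contoso.com" -SupportsMfa $true
```

After the change, test from an internal client and from an external client through the proxy: only the external sign-in should still be prompted for MFA.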

Hope this helps!!!!
