Azure AD: MFA from Trusted Networks Only

TL;DR

This guide shows you how to restrict Multi-Factor Authentication (MFA) configuration in Azure Active Directory (AD) so it can only be done when users are connected to your corporate network. We’ll use Conditional Access policies and named locations.

Prerequisites

• An Azure AD tenant with Global Administrator or Security Administrator permissions.
• Azure AD Premium P1 license (required for Conditional Access).
• A defined corporate network IP address range(s).

Steps

1. Create a Named Location
   • In the Azure portal, navigate to Azure Active Directory > Security > Conditional Access.
   • Select Named locations from the left-hand menu.
   • Click + New location.
   • Give your location a descriptive name (e.g., ‘Corporate Network’).
   • Add your corporate network IP address ranges in the IP address ranges section. You can add multiple ranges if needed.
   • Click Save.
2. Create a Conditional Access Policy
   • In the Azure portal, navigate to Azure Active Directory > Security > Conditional Access.
   • Select + New policy.
   • Give your policy a descriptive name (e.g., ‘MFA Configuration – Trusted Networks Only’).
3. Configure Assignments – Users and Groups
   • Under Assignments > Users or workload identities, select the users or groups you want to apply this policy to. Typically, this will be ‘All users’ but consider a test group first.
4. Configure Assignments – Cloud Apps
   • Under Assignments > Cloud apps, select All cloud apps. This ensures the policy applies to MFA registration attempts across all applications.
5. Configure Conditions – Locations
   • Under Conditions > Locations, set Configure to Yes.
   • Select Any locations and then exclude All trusted locations.
   • Add the named location you created in step 1 (e.g., ‘Corporate Network’). This means the policy will *only* apply when users are NOT connecting from this network.
6. Configure Access Controls – Grant
   • Under Access controls > Grant, select Block access. This prevents MFA registration attempts outside of your trusted network.
7. Enable the Policy
   • Ensure Enable policy is set to On.
   • Click Create.
8. Testing (Important!)
   • Test the policy thoroughly from both inside and outside your corporate network.
   • From *outside* the network, users should be blocked from configuring MFA.
   • From *inside* the network, users should be able to configure MFA as normal.

Troubleshooting

• Sign-in Logs: Check Azure AD sign-in logs for Conditional Access policy failures. This will provide details about why a user was blocked.
• Named Location Accuracy: Verify that the IP address ranges in your named location are correct and cover your entire corporate network.
• Policy Conflicts: Ensure there aren’t other Conditional Access policies interfering with this one.