Conditional Access – Step By Step Configuration Instructions – Part 3

Part 1

Where to look for the configuration panel

Network Configuration

Part 2

Configuration of the conditional access policy
Options overview

Part 3

Examples of business requirements

How to configure them


Forcing Multifactor Authentication Outside the Company Network

One of the most common scenarios is to force multi-factor authentication (MFA) for users who sign in from outside the corporate network.

Implementing this scenario requires two elements to be configured:

– defining the IP address ranges of our corporate network
– defining a policy that enforces MFA for connections from outside this network

Let's go to the configuration:

We define the corporate network

In the Azure conditional access configuration panel, on the "Named locations" tab, we define the list of IP address ranges that identify our corporate network.

Conditional Access - named locations
Conditional Access - New named location definition
We configure the Conditional Access Policy

We enter the name of the policy, in our case "Require MFA from not Corporate Network".

Next, we define the user group that the policy covers.

Conditional Access -  Users and groups definition

We choose the "All users" option and on the "Exclude" tab we indicate the accounts or groups of users that are to be excluded from the policy.

You can read more about the reasons for indicating exceptions here: What to remember when setting up conditional access policies

Conditional Access - users and groups excludes

The next step is to define the cloud applications that will be subject to the restriction. We choose "All cloud apps". Because the previous step excluded a dedicated group of emergency-access accounts from the policy, there is no risk of locking ourselves out of the environment.

Conditional Access - cloud apps definition

In the "Conditions" section we specify the condition under which the policy requires MFA, i.e. a connection from outside the defined corporate network. Enable the "Locations" condition and under "Include" select "Any location".

Conditional Access - corporate network condition

And under "Exclude" select our corporate network.

Conditional Access - network exclusion

The policy will now apply to all connections from outside our network.

Having finished the "Conditions" section, we go to the "Grant" section under "Access controls", where we enable "Require multi-factor authentication".

Conditional Access - grant section definitions

The policy configuration is ready; it only needs to be enabled. From now on, every user connecting to a cloud application from outside the corporate network will have to complete multi-factor authentication. Users and groups listed in the "Exclude" section are exempt from this requirement.

As we remember, this exclusion is our protection against locking ourselves out of cloud resources (including the administrative portals).
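The same two elements (the corporate network as a named location, and the MFA policy that excludes it) can be created with the Microsoft Graph PowerShell SDK instead of the portal. The script below is an added example and not part of the original post. It assumes the 203.0.113.0/24 range stands in for your real egress addresses and that a group named "CA-Exclusions" holds the emergency-access accounts; it creates the policy in report-only state so the sign-in logs can be reviewed before enforcing it.

```powershell
# Added example (not from the original post). Assumptions: the 203.0.113.0/24
# prefix is a placeholder for your real corporate egress ranges, and the group
# "CA-Exclusions" is a placeholder name for the emergency-access accounts that
# must never be covered by the policy.
Install-Module Microsoft.Graph.Identity.SignIns -Scope CurrentUser   # first run only
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All"

# 1. Named location identifying the corporate network (IPv4 CIDR ranges).
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Corporate Network"
    isTrusted     = $true
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.0/24" }
    )
}

# 2. Group of accounts excluded from the policy. Abort if it does not exist
#    rather than create a policy with no break-glass exclusion.
$exclusions = Get-MgGroup -Filter "displayName eq 'CA-Exclusions'"
if (-not $exclusions) {
    throw "Exclusion group not found - refusing to create a policy without a break-glass exclusion."
}

# 3. The policy: all users (minus the exclusion group), all cloud apps,
#    any location except the corporate network, grant only with MFA.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "Require MFA from not Corporate Network"
    state         = "enabledForReportingButNotEnforced"   # change to "enabled" after reviewing sign-in logs
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeGroups = @($exclusions.Id) }
        applications = @{ includeApplications = @("All") }
        locations    = @{ includeLocations = @("All"); excludeLocations = @($location.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

$policy | Select-Object Id, DisplayName, State
```

The state "enabledForReportingButNotEnforced" is the report-only mode: the policy is evaluated and recorded in the sign-in logs but not applied, which lets you confirm that the exclusion group and the named location behave as intended before switching the state to "enabled".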

Administrative Accounts Can Log In Only from the Corporate Network

Conditional Access and Administrative Access Security from outside the corporate network

As described in the configuration instructions, you first need to define a named location covering all address ranges of our corporate network. An example of this configuration is shown in the previous scenario about enforcing MFA from outside the company network.

Once we have a defined company network, we can go to policy configuration. Our goal is to limit logging in for administrative accounts outside the company network.

Definition of Administrative Roles

In the "Users and groups" tab, select the "Directory roles" option and mark all administrative roles.

Conditional Access - administrative directory roles

This makes the policy independent of user names and group membership: whatever groups a user belongs to, it is enough that they hold one of the selected administrative roles for the policy to cover them.

After defining the roles, we define the target applications. In this case, select "All cloud apps".

In the “Conditions” tab we specify additional conditions, i.e. in our case that the policy is to operate outside the corporate network.

So we enable the "Locations" condition and in the "Include" tab we mark "Any location".

Conditional access - network condition definition

And in the "Exclude" tab we add the defined company network:

The last step is to block all connections matching these conditions: in the "Grant" section under "Access controls", choose "Block access".

Conditional access - block access

The configuration is ready. Before turning it on, make sure the emergency-access accounts from the first scenario are excluded here as well: a block policy that covers the Global Administrator role with no exclusions can lock every administrator out of the tenant.
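The administrative block policy differs from the MFA policy in two ways: it is scoped by directory role template rather than by user or group, and its grant control is "block" instead of "mfa". The script below is an added example and not part of the original post. It assumes the "Corporate Network" named location already exists and that "breakglass@contoso.com" is a placeholder for your emergency-access account; it refuses to create the policy unless that account is found, and creates it in report-only state.

```powershell
# Added example (not from the original post). Assumptions: the named location
# "Corporate Network" was created earlier, and "breakglass@contoso.com" is a
# placeholder UPN for the emergency-access account that must stay excluded.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "User.Read.All", "RoleManagement.Read.Directory"

# 1. Look up the corporate network defined in the previous scenario.
$location = Get-MgIdentityConditionalAccessNamedLocation |
    Where-Object DisplayName -eq "Corporate Network"
if (-not $location) { throw "Define the 'Corporate Network' named location first." }

# 2. Role template IDs of every built-in role whose name ends in "Administrator".
#    Scoping by role template means a newly assigned admin is covered automatically,
#    regardless of group membership.
$adminRoleIds = (Get-MgDirectoryRoleTemplate | Where-Object DisplayName -like "*Administrator").Id

# 3. The emergency-access account. A block policy that reaches Global Administrator
#    with no exclusion can lock every admin out, so stop if it cannot be resolved.
$breakGlass = Get-MgUser -Filter "userPrincipalName eq 'breakglass@contoso.com'"
if (-not $breakGlass) { throw "Emergency-access account not found - refusing to create a block policy." }

# 4. Block administrative roles outside the corporate network.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "Block admin sign-in from outside Corporate Network"
    state         = "enabledForReportingButNotEnforced"   # review sign-in logs, then set "enabled"
    conditions    = @{
        users        = @{ includeRoles = $adminRoleIds; excludeUsers = @($breakGlass.Id) }
        applications = @{ includeApplications = @("All") }
        locations    = @{ includeLocations = @("All"); excludeLocations = @($location.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

$policy | Select-Object Id, DisplayName, State
```

The role name filter is deliberately broad; review the resulting list of templates before enabling, since reader roles such as Global Reader are not matched and may need to be added if your requirement covers them too.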