Using conditional access to not require MFA inside your trusted Named Locations
This guide is useful if you are rolling out OneDrive and Seamless Single Sign-On via GPO: Microsoft do not support MFA/2FA with OneDrive and Seamless Single Sign-On via GPO, which causes SSSO to fail and OneDrive never to log in. However, following the steps below ensures that users are kept secure with MFA while still being allowed to SSSO inside the trusted Named Locations you specify.
1. Log in to Azure Active Directory as a Global Administrator.
2. Scroll down the left panel and select Security.
3. Select Named Locations.
4. Click New Location.
5. Enter a Site Name and the public IP range of the site you wish to exclude from MFA (you can find this here).
6. Click Conditional Access in the left panel.
7. Click on your existing MFA policy. If you don't already have one, follow this guide to create one.
8. Click Conditions (if this option is greyed out, it is due to licensing: this feature requires a minimum of Azure P1).
9. Expand Conditions as below, select Exclude and select the locations you wish to exclude.
10. Now when users log in to 365 inside the Named Location they will not be prompted for 2FA.
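The same two portal steps (creating the trusted IP named location, then excluding it from the MFA policy) can be scripted against the Microsoft Graph Conditional Access API. The Python below is an added example, not code from the original post: it builds the request bodies for POST /identity/conditionalAccess/namedLocations and PATCH /identity/conditionalAccess/policies/{id}, and first checks that the ranges entered are public, no broader than a /24 and non-overlapping, since a mistyped range silently widens the MFA exemption. The 203.0.113.0/24 sample range is constructed; obtaining a Graph token and sending the requests are left out.

```python
import ipaddress

# Ranges a site never presents to Azure as its public egress IP (RFC 1918, loopback,
# link-local, CGNAT). A named location built from these would never match a real login.
NON_PUBLIC_RANGES = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                      "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10")]
MAX_PREFIX_SPAN = 24  # refuse anything broader than a /24 (a typo like /0 would exempt everyone)


def validate_ipv4_ranges(cidrs):
    """Return normalised CIDR strings; raise ValueError for ranges unsuitable for an MFA exclusion."""
    nets = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.version != 4:
            raise ValueError(f"{cidr}: only IPv4 ranges are handled in this example")
        if any(net.subnet_of(bad) for bad in NON_PUBLIC_RANGES):
            raise ValueError(f"{cidr}: not a public range; use the site's public egress IP")
        if net.prefixlen < MAX_PREFIX_SPAN:
            raise ValueError(f"{cidr}: broader than /{MAX_PREFIX_SPAN}, exempts far more than one site")
        if any(net.overlaps(seen) for seen in nets):
            raise ValueError(f"{cidr}: overlaps a range already in the list")
        nets.append(net)
    return [str(n) for n in nets]


def build_named_location(display_name, cidrs):
    """Body for POST /identity/conditionalAccess/namedLocations (an ipNamedLocation)."""
    return {
        "@odata.type": "#microsoft.graph.ipNamedLocation",
        "displayName": display_name,
        "isTrusted": True,
        "ipRanges": [{"@odata.type": "#microsoft.graph.iPv4CidrRange", "cidrAddress": c}
                     for c in validate_ipv4_ranges(cidrs)],
    }


def exclude_location_from_policy(policy, location_id):
    """Body for PATCH /identity/conditionalAccess/policies/{id}: add location_id to
    excludeLocations while keeping the policy's existing include/exclude lists."""
    locations = policy.get("conditions", {}).get("locations") or {}
    include = list(locations.get("includeLocations") or ["All"])
    exclude = list(locations.get("excludeLocations") or [])
    if location_id not in exclude:
        exclude.append(location_id)
    return {"conditions": {"locations": {"includeLocations": include, "excludeLocations": exclude}}}


if __name__ == "__main__":
    # Constructed sample: the documentation range 203.0.113.0/24 stands in for a site's public IP.
    print(build_named_location("Head Office", ["203.0.113.0/24"]))
    print(exclude_location_from_policy({"conditions": {"locations": {"includeLocations": ["All"]}}},
                                       "<named-location id from the POST response>"))
```

The policy PATCH only touches the locations condition, so the policy's users, apps and grant controls (the MFA requirement itself) are left exactly as configured in the portal.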
Dear ICT Guy, I tried your steps but it is not working. I am not able to do SSO. Devices are Hybrid Joined on Azure. It is working for users without MFA SSO.
Hey, what Azure license are you on? This requires a minimum of P1 to work. Also, have you entered the correct public IP for your sites? Are they proxied at all?
We are on an Azure P1 license as we are an Edu tenant. I haven't added the public IP because ours are dynamic, not static. Is there any other workaround other than adding the IP? I was thinking, if the device is Hybrid Joined and I exclude MFA only for the OneDrive app, would that work?
Hey, it's not going to work for you if you are on dynamic IP addresses (what's the reason for that in the first place, when statics are like £1 per month?).
You could exclude the OneDrive app from MFA if you are happy with that from a security perspective, as it does leave a gaping hole in your security.
Is your Seamless Single Sign-On working correctly when you go to https://outlook.com/own/YOURDOMAIN?
Personally I'd look at getting a static IP and adding it to the Named Locations.
Hi, we are in the Middle East and so static IPs are a bit expensive in this region. SSO is working seamlessly without any issues when we go to https://outlook.office365.com. It's just the OneDrive KFM and Teams. I logged in with a user without MFA and it worked.