Using conditional access to not require MFA inside your trusted Named Locations


This guide is useful if you are rolling out OneDrive and Seamless Single Sign-On (SSSO) via GPO: Microsoft does not support MFA/2FA together with OneDrive and Seamless Single Sign-On via GPO, which causes SSSO to fail and OneDrive never to log in. Following the steps below keeps users secured with MFA while still allowing SSSO from inside the trusted Named Locations you specify.

Log in to Azure Active Directory as a Global Administrator.

[Screenshot: Azure portal Home]

Scroll down the left panel and select Security

[Screenshot: Azure Active Directory overview (Venn Academy Trust tenant)]

Select Named Locations.

[Screenshot: Security blade]

Click New Location.

[Screenshot: Security blade, Named locations]

Enter a site name and the public IP range of the site you wish to exclude from MFA (you can find your public IP here). Mark the location as trusted.

[Screenshot: New named location]

Click Conditional Access in the left panel.

[Screenshot: Security blade, Conditional Access]

Click on your existing MFA policy. If you don't already have one, follow this guide to create one.

[Screenshot: Conditional Access policies]

Click Conditions. (If this option is greyed out, it is due to licensing: this feature requires a minimum of Azure P1.)

[Screenshot: MFA Policy]

Expand Conditions as shown below, choose Exclude, and select the locations you wish to exclude.

[Screenshot: MFA Policy, Locations condition]

Now, when users log in to 365 from inside the named location, they will not be prompted for 2FA. Anyone whose traffic leaves through that same public range gets the same exemption, so the range must cover only addresses the site actually controls.
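The two steps above (create a trusted named location, then exclude it from the MFA policy) map directly onto the Microsoft Graph conditional access API, and the one thing that goes wrong in practice is the IP range itself: a private address, a host address with a /24 mask, or a range far wider than the site owns quietly exempts far more than the office from MFA. The example below is added here and is not code from the original post; it checks a list of CIDRs against assumed limits (no wider than /24 for IPv4 or /48 for IPv6, nothing overlapping well-known non-public ranges; both limits are this example's choice, not Microsoft's), then builds the JSON bodies for `POST /identity/conditionalAccess/namedLocations` and `PATCH /identity/conditionalAccess/policies/{id}`. It does not send any requests, and the sample ranges are documentation addresses standing in for a real site's egress IPs.

```python
"""Sanity-check the public IP ranges for a trusted Named Location and build the
Microsoft Graph request bodies for the two steps in the guide (create the named
location, then exclude it from the MFA policy). Example code, not part of the
original post; no requests are sent, only the JSON bodies are produced."""
import ipaddress
import json
from typing import Optional

# Widest prefix accepted for a trusted location. Anything wider than the
# addresses the site actually owns lets strangers skip MFA. These limits are
# assumptions for this example, not Microsoft's.
MIN_PREFIX = {4: 24, 6: 48}

# Ranges that can never be a site's public address: "this network", RFC 1918,
# CGNAT, loopback, link-local, multicast, reserved, IPv6 loopback/ULA/link-local.
# A proxy or NAT in front of the site may hide the real egress address; that
# cannot be detected here and must be checked with the provider.
NEVER_PUBLIC = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def check_trusted_range(cidr: str) -> Optional[str]:
    """Return None if cidr is acceptable for a trusted location, else the reason."""
    try:
        # strict=True rejects "203.0.113.5/24": a host address with a /24 mask is
        # almost always a typo that would trust the whole neighbouring block.
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        return f"not a valid CIDR: {exc}"
    if net.prefixlen < MIN_PREFIX[net.version]:
        return (f"/{net.prefixlen} is broader than /{MIN_PREFIX[net.version]}; "
                "trust only ranges you own")
    for reserved in NEVER_PUBLIC:
        if reserved.version == net.version and net.overlaps(reserved):
            return f"overlaps non-public range {reserved}"
    return None


def validate_ranges(cidrs) -> dict:
    """Map each rejected CIDR to its reason; an empty dict means all passed."""
    return {c: reason for c in cidrs
            if (reason := check_trusted_range(c)) is not None}


def named_location_body(display_name: str, cidrs) -> dict:
    """Body for POST /identity/conditionalAccess/namedLocations (Graph v1.0)."""
    problems = validate_ranges(cidrs)
    if problems:
        raise ValueError(f"refusing to build trusted location: {problems}")
    ranges = []
    for c in cidrs:
        net = ipaddress.ip_network(c)
        odata = ("#microsoft.graph.iPv4CidrRange" if net.version == 4
                 else "#microsoft.graph.iPv6CidrRange")
        ranges.append({"@odata.type": odata, "cidrAddress": str(net)})
    return {
        "@odata.type": "#microsoft.graph.ipNamedLocation",
        "displayName": display_name,
        "isTrusted": True,
        "ipRanges": ranges,
    }


def policy_location_patch(named_location_id: str) -> dict:
    """Body for PATCH /identity/conditionalAccess/policies/{id}: keep the MFA
    policy applied everywhere except the named location (the Exclude step)."""
    return {
        "conditions": {
            "locations": {
                "includeLocations": ["All"],
                "excludeLocations": [named_location_id],
            }
        }
    }


if __name__ == "__main__":
    # Constructed sample: documentation ranges stand in for a site's real egress IPs.
    good = ["203.0.113.0/24", "198.51.100.5/32"]
    bad = ["10.0.0.0/8", "203.0.113.5/24", "0.0.0.0/0"]
    print("problems:", validate_ranges(bad))
    print(json.dumps(named_location_body("Head Office", good), indent=2))
    # The named location id comes back in the POST response; placeholder here.
    print(json.dumps(policy_location_patch("<named-location-id>"), indent=2))
```

Run it as-is to see the three sample mistakes rejected and the two bodies printed; in a real rollout the POST response's `id` is what goes into `excludeLocations`. The check only guards against ranges that are obviously wrong; whether the address you looked up is really the site's own egress rather than an upstream proxy or a dynamic lease still has to be confirmed with the network provider.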


5 thoughts on "Using conditional access to not require MFA inside your trusted Named Locations"

  1. Dear ICT Guy, I tried your steps but it is not working. Not able to do SSO. Devices are Hybrid Join on Azure. It is working for users without MFA SSO.

    1. Hey, what Azure license are you on? This requires a minimum of P1 to work. Also, have you entered the correct public IP for your sites? Are they proxied at all?

  2. We are on an Azure P1 license as we are an Edu tenant. I haven't added the public IP because ours are dynamic, not static. Is there any other workaround other than adding the IP? I was thinking, if the device is Hybrid joined and I exclude MFA only for the OneDrive app, would that work?

    1. Hey, it's not going to work for you if you are on dynamic IP addresses (what's the reason for that in the first place when statics are like £1 per month?).

      You could exclude the OneDrive app from MFA if you are happy with that from a security perspective as it does leave a gaping hole in your security.

      Is your seamless single sign-on working correctly when you go to https://outlook.com/own/YOURDOMAIN?

      Personally I’d look at getting a static and adding it to the named locations.

  3. Hi, we are in the Middle East and so static IPs are a bit expensive in this region. The SSO is working seamlessly without any issues when we go to https://outlook.office365.com. It's just the OneDrive KFM and Teams. I logged in with a user without MFA and it worked.
