Conditional Access: Require MFA When Connecting from Untrusted IPs


introduction

In the previous article we saw how to block the Sales department from connecting to office.com from outside Saudi Arabia.

In this article we will see how to require MFA (Multi-Factor Authentication) for the HR department when connecting from an untrusted IP address.

Pioneers OBS

Before we start applying Conditional Access, we need to understand the Organization Breakdown Structure (OBS) of the company Pioneers.


company requirements

The company Pioneers has the following requirement:

  • Any user from the HR department who connects from outside Saudi Arabia, from any platform, must be registered with Multi-Factor Authentication (MFA).

define trusted IPs

The organization Pioneers101 needs to trust any connection coming from the company's public IPs; any other connection must be registered with MFA.

The first step is to define our trusted IPs.

configure MFA trusted IP
set your company IPs
more options
trusted IPs updates

Create Conditional Access Policy

Now it is time to create a policy that requires the HR department to use MFA when accessing Office 365 from outside Saudi Arabia.

Select Conditional Access >> Policies >> Create policy.

new policy
set policy name >> select HR group
select ALL Apps
select ALL location , but exclude trusted IPs
the action is grant Access >> But require MFA
enable policy + create
policy created successfully
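
The same policy can be expressed through Microsoft Graph instead of the portal. The script below is an added example, not part of the original article: it assumes the Microsoft.Graph PowerShell module, an HR group whose display name is exactly `HR`, and that the "trusted IPs" excluded in the portal correspond to the `AllTrusted` location value. The policy name is constructed, and the state defaults to report-only so sign-in logs can be reviewed before enforcement.

```powershell
# Added example: create the HR MFA policy via Microsoft Graph PowerShell.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Group.Read.All'

# Assumption: the HR group's display name is exactly 'HR'.
$hrGroupName = 'HR'
$hrGroup = @(Get-MgGroup -Filter "displayName eq '$hrGroupName'")
if ($hrGroup.Count -ne 1) {
    # Refuse to guess: an ambiguous or missing group would scope the policy wrongly.
    throw "Expected exactly one group named '$hrGroupName', found $($hrGroup.Count)."
}

# Report-only evaluates the policy without enforcing it.
# Use 'enabled' to match the article's final "enable policy + create" step.
$state = 'enabledForReportingButNotEnforced'

$policy = @{
    displayName = 'HR - require MFA from untrusted IPs'   # constructed name
    state       = $state
    conditions  = @{
        users        = @{ includeGroups = @($hrGroup[0].Id) }      # HR group only
        applications = @{ includeApplications = @('All') }         # all apps
        locations    = @{
            includeLocations = @('All')                            # any location...
            excludeLocations = @('AllTrusted')                     # ...except trusted ones
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')                                 # grant access, require MFA
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back and confirm the trusted-location exclusion was stored.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
if ($check.Conditions.Locations.ExcludeLocations -notcontains 'AllTrusted') {
    throw "Policy $($created.Id) does not exclude trusted locations."
}
$check | Select-Object Id, DisplayName, State
```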

how policy applied

User natali@networkspioneers.com is a member of the HR group (please check the organization OBS above).

User Natali connects to office.com from the United States (outside Saudi Arabia), which of course is not one of the company's trusted IPs.

Let us see what will happen.

user connecting from USA
provide user name
provide password
your organization requires MFA since you are connecting from untrusted IPs
select Microsoft Auth app
user scans QR code
approve from Microsoft Auth app
MFA registered successfully
when the user logs in to https://myaccount.microsoft.com >> Security info >> Microsoft Auth app is registered

conclusion

In this article we have seen how to require the HR group to use MFA when accessing office.com from outside with an untrusted IP.

In the next article we will apply a Conditional Access policy with different requirements.

Stay tuned.
