Register for Azure AD MFA from Known Networks Only

I worked with a customer recently who had a lot of global users who were not always on their corporate network. They decided to implement Azure AD MFA, and requested that everyone should register their security information to be able to use MFA.

This carried a certain security risk, in that they could not restrict where those user registrations were coming from. What if someone else in another country tried to register for MFA before the legitimate user did?

Well, now we can restrict those registrations to only come from our corporate network, or from networks we know about.

To do this, we go to Azure AD at https://aad.portal.azure.com and click on Conditional Access under Security.

Create a new Conditional Access policy:

Give the policy a name, like Azure MFA Registration.

Click on Cloud Apps or Actions, toggle to User Actions and tick Register Security Information.

Skip down to Conditions and select Location.

Toggle Configure to Yes.

On the Include tab select All Locations.

On the Exclude tab select Trusted Locations.

What this does is include any location that is not in your Trusted Locations (you will need to have defined those previously).

Click Done twice.

We then scroll down to Access Controls, click on Grant and then choose Block.

Click on Done.

We then just need to toggle Enable Policy to On. Once that is done you should be able to click Create.

With this deployed, any user who needs to register for Azure MFA or Self Service Password Reset must be on a network location that you have defined as a Trusted Location, which is done by adding the network to Named Locations and marking it as Trusted.
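As an added example (not code from the original post), here is the same policy expressed as a Microsoft Graph conditionalAccessPolicy request body in Python, together with the check a practitioner wants before enabling it: that at least one named location is actually marked trusted, since with none defined the policy blocks registration from everywhere. The named-location records are constructed samples, and `registration_blocked` is a hypothetical evaluator of the include/exclude logic written for illustration, not Azure's own policy engine.

```python
import json

# Graph's value for the "Register security information" user action, and its
# well-known location identifiers for "All locations" and "All trusted locations".
REGISTER_SECURITY_INFO = "urn:user:registersecurityinfo"
ALL_LOCATIONS = "All"
ALL_TRUSTED = "AllTrusted"


def build_mfa_registration_policy(name="Azure MFA Registration", enabled=True):
    """Return the Graph request body matching the portal steps in the post:
    all users, the Register Security Information action, include All locations,
    exclude Trusted locations, grant control = Block."""
    return {
        "displayName": name,
        "state": "enabled" if enabled else "disabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeUserActions": [REGISTER_SECURITY_INFO]},
            "locations": {"includeLocations": [ALL_LOCATIONS],
                          "excludeLocations": [ALL_TRUSTED]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def trusted_locations(named_locations):
    """Names of namedLocation records (shape as returned by Graph's
    /identity/conditionalAccess/namedLocations) that are marked isTrusted.
    An empty list means nobody could register once this policy is enabled."""
    return [loc["displayName"] for loc in named_locations if loc.get("isTrusted")]


def registration_blocked(policy, from_trusted_location):
    """Hypothetical evaluator: does this policy block a Register Security
    Information attempt? Assumes the user is in scope of the policy."""
    if policy["state"] != "enabled":
        return False
    conds = policy["conditions"]
    if REGISTER_SECURITY_INFO not in conds["applications"]["includeUserActions"]:
        return False
    # The exclusion wins: a trusted network never matches the policy.
    if from_trusted_location and ALL_TRUSTED in conds["locations"]["excludeLocations"]:
        return False
    return "block" in policy["grantControls"]["builtInControls"]


if __name__ == "__main__":
    # Constructed sample named locations (documentation IP ranges, not real ones).
    sample = [{"displayName": "HQ office", "isTrusted": True,
               "ipRanges": [{"cidrAddress": "203.0.113.0/24"}]},
              {"displayName": "Guest Wi-Fi", "isTrusted": False,
               "ipRanges": [{"cidrAddress": "198.51.100.0/24"}]}]
    policy = build_mfa_registration_policy()
    print("Trusted locations defined:", trusted_locations(sample))
    print(json.dumps(policy, indent=2))
    print("Blocked from an untrusted network:", registration_blocked(policy, False))
```

The body can be sent as `POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies` with a token holding `Policy.ReadWrite.ConditionalAccess`; create and mark the trusted named locations first, exactly as the post's caveat says.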
