How can we improve Azure Active Directory?

← Azure Active Directory

Block Azure MFA (cloud) Enrollment from External Networks

I feel like I have been to the end of Google and back and thought I'd just reach out to this feedback hub.

We would love the ability to block Azure MFA (cloud) enrollment from external networks with Azure Conditional Access Policies or another method.

It doesn't look like the "MFA Setup" page is a "Cloud App" to build conditions on...

My other thought is the ability to build out a dynamic group based on if a user has enrolled, but the Azure Dynamic group queries seem limited at this point.

66 votes
Sign in
(thinking…)
Sign in with: Microsoft
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close

We’ll send you updates on this idea

Shawn Pederson shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →

13 comments

Sign in
(thinking…)
Sign in with: Microsoft
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • Anonymous commented  ·   ·  Flag as inappropriate

    This is needed. We've cobbled our own solution together using powershell to populate groups with enrolled and non-enrolled users, then blocked all external logins for non-enrolled users. To make it much easier to operate add support for dynamic groups that can match on MFA enrolment status (rather than powershell scripts that run for hours and sometimes fail).

  • KM commented  ·   ·  Flag as inappropriate

    Just a FYI you can do this now
    It’s available and works. Just setup a new conditional access policy.

    It’s a checkbox in the conditional access policy setup. Probably need at least AADP1 but not sure on that.

    Initial registration is restricted to on prem.

  • JP commented  ·   ·  Flag as inappropriate

    I agree with "Luke commented · January 21, 2019 3:20 AM " - its a massive loophole.

  • JasonR commented  ·   ·  Flag as inappropriate

    Agree with the above - we need a way of stopping an attacker who phishes credentials from registering MFA before the employee does.

  • Luke commented  ·   ·  Flag as inappropriate

    agree, this is a function we have been looking. If a user does not enroll in MFA there is nothing to stop a compromised account from enrolling on their behalf.

Azure Active Directory: Multi-factor Authentication

Categories

Feedback and Knowledge Base

(thinking…)
Hosted by UserVoice