Block Azure MFA (cloud) Enrollment from External Networks
I feel like I have been to the end of Google and back and thought I'd just reach out to this feedback hub.
We would love the ability to block Azure MFA (cloud) enrollment from external networks with Azure Conditional Access Policies or another method.
It doesn't look like the "MFA Setup" page is a "Cloud App" to build conditions on...
My other thought is the ability to build out a dynamic group based on if a user has enrolled, but the Azure Dynamic group queries seem limited at this point.
Sorry for the delay in responding but you can do this today.
This is needed. We've cobbled our own solution together using PowerShell to populate groups with enrolled and non-enrolled users, then blocked all external logins for non-enrolled users. To make it much easier to operate, add support for dynamic groups that can match on MFA enrolment status (rather than PowerShell scripts that run for hours and sometimes fail).
Just an FYI, you can do this now.
It’s available and works. Just set up a new conditional access policy.
It’s a checkbox in the conditional access policy setup. Probably need at least AADP1 but not sure on that.
Initial registration is restricted to on-prem.
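The policy the comment above describes, written out as an added example using Microsoft Graph PowerShell (it is not a commenter's script or a Microsoft sample). It assumes the Microsoft.Graph.Identity.SignIns module, an account with consent for the listed scopes, that your corporate IP ranges are already defined as trusted named locations, and a hypothetical break-glass group id that you replace with your own.

```powershell
# Added example: block the "Register security information" user action
# (the MFA/security-info setup page, which is not a cloud app) unless the
# sign-in comes from a trusted named location.
# Assumes Microsoft.Graph.Identity.SignIns and consent for these scopes.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$policy = @{
    displayName = "Block MFA registration from outside trusted networks"
    # Start in report-only and review the sign-in logs before enforcing
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("all")
        users = @{
            includeUsers  = @("All")
            # Placeholder break-glass group id (hypothetical); replace it
            excludeGroups = @("00000000-0000-0000-0000-000000000000")
        }
        applications = @{
            # Target the registration user action instead of an application
            includeUserActions = @("urn:user:registersecurityinfo")
        }
        locations = @{
            includeLocations = @("All")
            # "AllTrusted" = every named location flagged as trusted
            excludeLocations = @("AllTrusted")
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

# Create the policy and show what was created
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Switch `state` to `enabled` only after the report-only sign-in logs show no legitimate registrations being caught, since an accidental block here locks out first-time enrolment for remote staff.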
Need this as well
We also need this. State of Nevada
Eric Frazee commented
Any fix from MS on this yet?
Korrow, Brian commented
Need this yesterday.
I agree with "Luke commented · January 21, 2019 3:20 AM": it's a massive loophole.
Daryl W. Clark commented
This is a must for this to be a viable solution
We also require this functionality to avoid the scenarios listed already.
Agree with the above - we need a way of stopping an attacker who phishes credentials from registering MFA before the employee does.
Agree, this is a function we have been looking for. If a user does not enroll in MFA there is nothing to stop a compromised account from enrolling on their behalf.