Block Azure MFA (cloud) Enrollment from External Networks
I feel like I have been to the end of Google and back and thought I'd just reach out to this feedback hub.
We would love the ability to block Azure MFA (cloud) enrollment from external networks with Azure Conditional Access Policies or another method.
It doesn't look like the "MFA Setup" page is a "Cloud App" to build conditions on...
My other thought is the ability to build out a dynamic group based on whether a user has enrolled, but the Azure Dynamic group queries seem limited at this point.

Hey folks,
Sorry for the delay in responding but you can do this today.
Thanks,
@MarkMorow
13 comments
-
Anonymous commented
This is needed. We've cobbled our own solution together using powershell to populate groups with enrolled and non-enrolled users, then blocked all external logins for non-enrolled users. To make it much easier to operate add support for dynamic groups that can match on MFA enrolment status (rather than powershell scripts that run for hours and sometimes fail).
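The script-based workaround this commenter describes (classify users by MFA registration state, keep two groups in sync, then target the non-enrolled group with a Conditional Access block for untrusted networks) looks roughly like the following. This is an added editorial example, not the commenter's code or anything from Microsoft; it assumes the legacy MSOnline module, whose StrongAuthenticationMethods property is what exposes registration state, and the two group names are hypothetical placeholders you would have pre-created.

```powershell
# Added example (not from the thread): sync "MFA-Enrolled" / "MFA-NotEnrolled" groups
# from each user's registered strong-auth methods. Group names are assumed placeholders.
Import-Module MSOnline
Connect-MsolService

$enrolledGroup    = Get-MsolGroup -SearchString 'MFA-Enrolled'    | Select-Object -First 1
$notEnrolledGroup = Get-MsolGroup -SearchString 'MFA-NotEnrolled' | Select-Object -First 1
if (-not $enrolledGroup -or -not $notEnrolledGroup) { throw 'Create both target groups first.' }

# Only licensed member accounts that are not already sign-in blocked; guests are
# governed separately and would otherwise land in the "not enrolled" block list.
$users = Get-MsolUser -All | Where-Object { $_.UserType -eq 'Member' -and -not $_.BlockCredential }

# A user counts as enrolled once at least one strong authentication method is registered.
$enrolled    = @($users | Where-Object { $_.StrongAuthenticationMethods.Count -gt 0 })
$notEnrolled = @($users | Where-Object { $_.StrongAuthenticationMethods.Count -eq 0 })

function Sync-GroupMembership {
    # Make the group's membership exactly equal to the desired set: add missing, remove stale.
    param([Guid]$GroupId, [Guid[]]$DesiredMemberIds)
    $current = @(Get-MsolGroupMember -GroupObjectId $GroupId -All | Select-Object -ExpandProperty ObjectId)
    foreach ($id in $DesiredMemberIds) {
        if ($current -notcontains $id) {
            Add-MsolGroupMember -GroupObjectId $GroupId -GroupMemberType User -GroupMemberObjectId $id
        }
    }
    foreach ($id in $current) {
        if ($DesiredMemberIds -notcontains $id) {
            Remove-MsolGroupMember -GroupObjectId $GroupId -GroupMemberType User -GroupMemberObjectId $id
        }
    }
}

Sync-GroupMembership -GroupId $enrolledGroup.ObjectId    -DesiredMemberIds $enrolled.ObjectId
Sync-GroupMembership -GroupId $notEnrolledGroup.ObjectId -DesiredMemberIds $notEnrolled.ObjectId

Write-Output ("Enrolled: {0}  Not enrolled: {1}" -f $enrolled.Count, $notEnrolled.Count)
```

Two caveats a practitioner should keep in mind with this pattern: it is a polling approximation, so a user who registers (or an attacker who registers for them) is only reclassified on the next run, and the single `Get-MsolUser -All` enumeration is where the long runtimes the commenter mentions come from. Scope the Conditional Access block to the "not enrolled" group plus a location condition excluding your trusted named locations, and exclude a break-glass account from it.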
-
KM commented
Just an FYI, you can do this now.
It's available and works. Just set up a new conditional access policy. It's a checkbox in the conditional access policy setup. Probably need at least AADP1 but not sure on that.
Initial registration is restricted to on prem.
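The checkbox this comment refers to is the "Register security information" user action in Conditional Access, which can be targeted like a cloud app and combined with a location condition. The following creates such a policy through the Microsoft Graph PowerShell SDK; it is an added example, not the commenter's configuration or Microsoft's reference code. It assumes the Microsoft.Graph modules are installed, that your on-prem egress IP ranges are already defined as a named location marked trusted (that is what the `AllTrusted` value resolves to), and the break-glass account object ID is a placeholder you must replace.

```powershell
# Added example (not from the thread): block the "Register security information" user
# action from anywhere that is not a trusted named location. Break-glass ID is a placeholder.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$breakGlassObjectId = '00000000-0000-0000-0000-000000000000'   # replace with your emergency-access account

$policy = @{
    displayName = 'Block security info registration from untrusted networks'
    # Start in report-only, review the sign-in log "Report-only" tab, then switch to 'enabled'.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users        = @{
            includeUsers = @('All')
            excludeUsers = @($breakGlassObjectId)
        }
        # The user action, not a cloud app, is what targets the combined security info registration page.
        applications = @{
            includeUserActions = @('urn:user:registersecurityinfo')
        }
        locations    = @{
            includeLocations = @('All')
            excludeLocations = @('AllTrusted')   # every named location flagged as trusted
        }
    }
    grantControls = @{
        operator         = 'OR'
        builtInControls  = @('block')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output ("Created policy {0} in state {1}" -f $created.Id, $created.State)
```

Two things worth checking before enforcing: the user action covers the combined security information registration experience, so confirm your tenant is using it rather than the legacy per-feature setup pages; and verify that the trusted named location actually contains all of your outbound IPs, otherwise first-day users on an unlisted office or VPN egress will be blocked from registering at all.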
-
Anonymous commented
Here too.
-
James commented
Need this as well
-
James commented
We also need this. State of Nevada.
-
Eric Frazee commented
any fix from MS on this yet?
-
Anonymous commented
Need this.
-
Korrow, Brian commented
need this yesterday.
-
JP commented
I agree with "Luke commented · January 21, 2019 3:20 AM" - it's a massive loophole.
-
Daryl W. Clark commented
This is a must for this to be a viable solution
-
Anonymous commented
We also require this functionality to avoid the scenarios listed already.
-
JasonR commented
Agree with the above - we need a way of stopping an attacker who phishes credentials from registering MFA before the employee does.
-
Luke commented
Agree, this is a function we have been looking for. If a user does not enroll in MFA there is nothing to stop a compromised account from enrolling on their behalf.