Bypass MFA With Conditional Access With One Step


You have probably read plenty of articles on how to bypass MFA with Conditional Access for a single user, a group of users, or users signing in from a named or trusted location. All of them, Microsoft's own documentation included, skip one thing that is incredibly important to check first....

What if security defaults are turned on in the tenant?

If they are, it does not matter how you configure your Conditional Access policies to bypass MFA for a user, group, named location or trusted location. It is not going to work: security defaults and Conditional Access are mutually exclusive, and the tenant will not let you enable a Conditional Access policy while security defaults are on. (Conditional Access also needs a Microsoft Entra ID P1 or P2 license.) Your tenant may have security defaults turned off for a variety of reasons, and they are all valid. Microsoft likes to make things difficult and keep us guessing constantly. It is very frustrating.

In this article I will show you how to prepare your tenant to use Conditional Access to bypass MFA, and how to set up the Conditional Access policy. Remember, a good MFA strategy is key. Without further ado, here we go.

Leave Security Defaults Off For Now

As I mentioned earlier in the post, your tenant may have security defaults turned off for a good reason. Turning them on without knowing the full extent of what they do could be quite disastrous for the organization (not to mention that your Help Desk might get overwhelmed). Turning them on requires every user in the tenant to register for MFA and prompts for it across the whole organization, replaces per-user MFA, and prevents Conditional Access from being used at all. You may have service accounts or user accounts that for some reason cannot use MFA; those accounts will no longer be able to sign in. Leave security defaults off until you know for sure!

Why Would You Want to Bypass MFA

For example, an organization has a corporate office network but lets people work from wherever they want outside it. This applies to any company with a work-from-home policy, or with employees who travel outside the office a lot.

Configure a Named Location

From the office you should always be signing in from the same group of public IP addresses. If you are not, you are getting your IP address dynamically from your ISP; pay a little extra and get a static one. If your tenant is cloud-only for M365, a named location built from your public egress address is the only way to bypass MFA with Conditional Access. Keep in mind that the exemption applies to everything that leaves the network through that address, guest Wi-Fi included if it shares the office egress.

If you want to use your company's internal IP addresses for this instead, you need the on-premises MFA Server (now retired) together with the trusted IPs setting under the multifactor authentication service settings. Microsoft steers new configurations to named locations, which is what this post uses.

You create a named location in the Microsoft Entra admin center under Protection / Conditional Access / Named locations.

Click "+ New IP ranges". A new pane opens on the right; this is where you add your IP range. Give the location a name and click the "+" button to add a range.

This is where you add the range, so you need to know a little CIDR notation. You cannot type a bare address; every entry is a block in CIDR form. A single public address is written with a /32 (e.g. 40.77.182.32/32). A /27 such as 40.77.182.32/27 is not one address: it is a block of 32 addresses, and on an ISP link most of the other 31 belong to someone else, every one of whom would then be exempt from MFA. If you are not sure which block you own, find out from your network admin or ISP.
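To make the CIDR point concrete, here is an added example (not code from the original post or from Microsoft) that builds the request body the Microsoft Graph ipNamedLocation resource expects for a named location and checks each range against the egress addresses you actually own, so a /27 typed for a single office address is caught before it exempts 31 strangers. The office address is the one from the post; the names and the "owned" list are constructed.

```python
"""Sanity-check the IP ranges of an Entra named location before creating it.

Added example; not code from the original post or from Microsoft. It builds
the request body for POST /identity/conditionalAccess/namedLocations and
flags ranges that exempt addresses you do not own. Sample data is constructed.
"""
import ipaddress


def single_address_cidr(ip: str) -> str:
    """CIDR for exactly one egress address: /32 for IPv4, /128 for IPv6."""
    addr = ipaddress.ip_address(ip)
    return f"{addr}/{addr.max_prefixlen}"


def build_named_location(name: str, cidrs: list[str], trusted: bool = True) -> dict:
    """Return the Graph request body for an IP named location.

    strict=True rejects entries with host bits set (e.g. 40.77.182.33/27),
    so a mistyped prefix cannot silently turn into a wider range.
    """
    ip_ranges = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=True)
        odata = ("#microsoft.graph.iPv4CidrRange" if net.version == 4
                 else "#microsoft.graph.iPv6CidrRange")
        ip_ranges.append({"@odata.type": odata, "cidrAddress": str(net)})
    return {
        "@odata.type": "#microsoft.graph.ipNamedLocation",
        "displayName": name,
        "isTrusted": trusted,
        "ipRanges": ip_ranges,
    }


def audit_ranges(cidrs: list[str], owned: list[str]) -> list[tuple[str, int, int]]:
    """Compare each range with the egress addresses the office really uses.

    Returns (cidr, addresses_covered, addresses_not_owned) for every range
    that would exempt addresses outside `owned`; an empty list means the
    location is as tight as it can be.
    """
    owned_addrs = {ipaddress.ip_address(o) for o in owned}
    findings = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=True)
        owned_inside = sum(1 for a in owned_addrs if a in net)
        not_owned = net.num_addresses - owned_inside
        if not_owned:
            findings.append((str(net), net.num_addresses, not_owned))
    return findings


if __name__ == "__main__":
    office_egress = ["40.77.182.32"]  # constructed: the one static IP the ISP assigned
    # The /27 from the post covers 32 addresses; 31 of them are not ours.
    print(audit_ranges(["40.77.182.32/27"], office_egress))
    # A /32 covers exactly the address we own.
    tight = [single_address_cidr(ip) for ip in office_egress]
    print(audit_ranges(tight, office_egress))
    print(build_named_location("Corporate office", tight))
```

Run it before you click Save: an empty audit result means every address in the location is one you control, and the printed body is what you would POST to Graph (or paste into the portal range by range).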

Create The Policy to Bypass MFA with Conditional Access

Start in the Microsoft Entra admin center under Conditional Access / Policies.

Click "+ New policy".

Give your policy a descriptive name. Click the Users assignment; on the right you will see the tabs for the users to include in or exclude from this policy. For this example we only use the Include tab. You can select All users, but if you want to test first choose "Select users and groups" and add only a few users or a test group you created earlier. Whatever you include, also open the Exclude tab and exclude at least one emergency-access (break-glass) account, so that a mistake in this policy cannot lock every administrator out of the tenant.

Next, go to the Target resources assignment, open the Include tab and choose All cloud apps. You may not know every app your organization uses, but it is safe to include them all. Then go to the Conditions assignment.

Click Locations (Not configured). The right pane opens with tabs for Include and Exclude locations. Set Configure to Yes and include all locations. Then click the Exclude tab, click Select locations, click None and choose the named location you created earlier in the post.

Click Not configured in the Client apps assignment. In the fly-out on the right, set Configure to Yes and choose Browser and Mobile apps and desktop clients.

NOTE: You shouldn't be using legacy clients at this point. Be aware, though, that client app types you leave unticked are not evaluated by this policy at all: a legacy-authentication client (Exchange ActiveSync clients, Other clients) signing in from outside the office is not prompted for MFA by it. Either tick all the client app types or keep a separate policy that blocks legacy authentication.

Click the Grant assignment and make sure Grant access and Require multifactor authentication are checked.

To test the policy, set the Enable policy toggle under the Save button to Report-only: sign-ins are then evaluated and the outcome recorded in the sign-in logs (Report-only tab) without anything being enforced. When you are satisfied, as with all Conditional Access policies, toggle it to On.
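Before switching the policy from Report-only to On it helps to reason through which sign-ins it catches. The following is an added example (not code from the original post and not Microsoft's policy engine): a small model of how the assignments configured in the steps above combine, written against the Microsoft Graph conditionalAccessPolicy schema. The location id, user names, app name and sign-in addresses are constructed; the office address is the one from the post.

```python
"""Dry-run of the "MFA everywhere except the office" policy built above.

Added example; not code from the original post and not Microsoft's policy
engine. It models how the policy's assignments combine so you can see which
sign-ins it catches and which it silently ignores. The location id, users,
app and sign-in addresses are constructed.
"""
import ipaddress

OFFICE_LOCATION_ID = "loc-corporate-office"      # constructed; Graph returns a GUID
NAMED_LOCATIONS = {OFFICE_LOCATION_ID: ["40.77.182.32/32"]}
BREAK_GLASS = "breakglass@contoso.example"       # constructed emergency-access account

POLICY = {
    "displayName": "Require MFA outside the corporate office",
    "state": "enabledForReportingButNotEnforced",   # report-only while testing
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS]},
        "applications": {"includeApplications": ["All"]},
        "locations": {"includeLocations": ["All"],
                      "excludeLocations": [OFFICE_LOCATION_ID]},
        # Exactly the two client app types ticked in the post.
        "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}


def in_named_location(ip: str, location_id: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c)
               for c in NAMED_LOCATIONS.get(location_id, []))


def location_condition_met(ip: str, loc: dict) -> bool:
    """Included locations minus excluded locations, as the portal's two tabs work."""
    included = "All" in loc["includeLocations"] or any(
        in_named_location(ip, l) for l in loc["includeLocations"])
    excluded = any(in_named_location(ip, l) for l in loc.get("excludeLocations", []))
    return included and not excluded


def policy_applies(policy: dict, user: str, app: str, ip: str, client_app_type: str) -> bool:
    """True when every assignment of the policy matches the sign-in."""
    c = policy["conditions"]
    users, apps = c["users"], c["applications"]
    if user in users.get("excludeUsers", []):
        return False
    if "All" not in users["includeUsers"] and user not in users["includeUsers"]:
        return False
    if "All" not in apps["includeApplications"] and app not in apps["includeApplications"]:
        return False
    # Client app types that are not selected are not evaluated at all.
    if "all" not in c["clientAppTypes"] and client_app_type not in c["clientAppTypes"]:
        return False
    return location_condition_met(ip, c["locations"])


def mfa_required(policy: dict, user: str, app: str, ip: str, client_app_type: str) -> bool:
    return (policy_applies(policy, user, app, ip, client_app_type)
            and "mfa" in policy["grantControls"]["builtInControls"])


def covers_legacy_auth(policy: dict) -> bool:
    """Does this policy see legacy clients (Exchange ActiveSync / Other clients) at all?"""
    types = set(policy["conditions"]["clientAppTypes"])
    return "all" in types or bool(types & {"exchangeActiveSync", "other"})


def dry_run(policy: dict, signins: list[tuple]) -> dict:
    """Map each (user, app, ip, client_app_type) sign-in to 'would MFA be required?'."""
    return {s: mfa_required(policy, *s) for s in signins}


if __name__ == "__main__":
    SIGNINS = [  # constructed sign-ins; 203.0.113.0/24 is documentation address space
        ("alice@contoso.example", "Office 365", "40.77.182.32", "browser"),
        ("alice@contoso.example", "Office 365", "203.0.113.10", "browser"),
        ("alice@contoso.example", "Office 365", "203.0.113.10", "other"),
        (BREAK_GLASS, "Office 365", "203.0.113.10", "browser"),
    ]
    for signin, needs_mfa in dry_run(POLICY, SIGNINS).items():
        print(signin, "->", "MFA" if needs_mfa else "no MFA")
    print("legacy auth covered by this policy:", covers_legacy_auth(POLICY))
```

The four sample sign-ins give: office browser, no MFA; remote browser, MFA; remote legacy client ("other"), no MFA because the policy never looks at that client type; break-glass account, no MFA because it is excluded. The third result is the gap the client-apps note above warns about, and it disappears when clientAppTypes is "all" or a separate block-legacy-authentication policy exists. In the real tenant the same dry run is what the Report-only tab of the sign-in logs shows you.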

The Result of Bypass MFA With Conditional Access

When a user signs in from an IP address other than the ones in the named location you excluded from the policy, the user is prompted for MFA; from the office, they are not. This is a good policy because it also covers users who travel locally and abroad. Just remember the one tip I mentioned at the beginning of the post: security defaults must be off, or none of this takes effect. This is the best way to bypass MFA with Conditional Access.


I am an IT professional with over twenty years' experience in the field. I have supported thousands of users over the years. The organizations I have worked for range in size from one person to hundreds of people. I have performed support from Help Desk, Network / Cloud Administration, Network Support, Application Support, Implementation and Security.
