Skip MFA for intranet users in Office 365

By Cesar Hara and Agustin Gallegos

 

Greetings everyone, in today’s article we will cover how to skip MFA for intranet users in Office 365, this can be achieved if you have or not a federated domain environment (ADFS).

We will not cover “Conditional Access” from AAD Premium suite in this article, but be aware this can be done through there too.
UPDATE: The "trusted IPs" option is only available for paid subscriptions like AADP, EMS or full MFA, check on this article for more details.

 

1- Lets make sure the required option is enabled in the MFA portal, select the option “Skip multi-factor authentication for requests from federated users on my intranet”:

 

2- The next step is to create or verify if the rule “Inside Corporate Network” is created for your O365 relaying party trust on your ADFS server.

On the RP properties click on “Add Rule” if the rule does not exist:

 

On the Add Transform Claim Rule Wizard, select “Pass Through or Filter an Incoming Claim” from the drop-down and click Next:

 

Name your rule and from the drop-down, next to “Incoming claim type”, select “Inside Corporate Network”:

 

Click “Finish” and “Ok” on the next page.

 

3- Test internally if the MFA will be skipped now.

4- If you don’t have a federated environment, you can add the company list of public IP into the field of “Skip multi-factor authentication for requests from following range of IP address subnets” of image in step 1. This will skip MFA regardless if the user is federated or managed, once the request comes from a whitelisted IP.

 

Hope this clarifies how you can simply achieve this goal. Cheers!!!

Comments

  • Anonymous
    September 18, 2018
    Great post !