AAD MFA and hybrid joined devices in untrusted location
Problem description
We are using Azure AD cloud MFA and our Windows 10 devices are hybrid joined in Azure AD. MFA has been configured using Conditional Access.
As a result, our users are not prompted to enter an MFA code when accessing Office 365 using a supported browser (Edge, IE). I have two questions about this:
- Is this behavior (MFA through CA using hybrid joined devices) documented in official Microsoft documentation? I was only able to find 3rd party documentation.
- While this behavior is fine for trusted locations, I still want an MFA prompt when accessing O365 using the devices in an untrusted location. How can I achieve this?
Thank you very much for your help!
Kind regards
Per your request for documentation, this guide might be helpful for you. https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/require-managed-devices
See also: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/untrusted-networks
It's possible that it is not requiring MFA if you have checked the box, "skip multi-factor authentication for requests from federated users on my intranet. Skip multi-factor authentication for requests from following range of IP address subnets."
To be on the extra safe side, you can add Baseline Protection to require MFA for everyone. https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/baseline-protection
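As an added example (not part of the original question or answer), one way to express the untrusted-location requirement with the Microsoft Graph PowerShell SDK. It assumes the tenant's trusted networks are already defined as named locations marked trusted; the policy name is a placeholder.

```powershell
# Added example. Assumes the Microsoft.Graph.Identity.SignIns module is installed
# and trusted networks already exist as named locations marked "trusted".
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'

# 1. Check: list existing policies where a hybrid joined device can satisfy
#    the grant instead of MFA (operator OR with both controls present).
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object {
        $_.GrantControls.Operator -eq 'OR' -and
        $_.GrantControls.BuiltInControls -contains 'mfa' -and
        $_.GrantControls.BuiltInControls -contains 'domainJoinedDevice'
    } |
    Select-Object DisplayName, State

# 2. Separate policy in which MFA is the only grant control, so device state
#    cannot satisfy it. It applies to every location except trusted ones.
#    Add conditions.users.excludeUsers for emergency-access accounts before enforcing.
$policy = @{
    displayName   = 'EXAMPLE - Require MFA for Office 365 outside trusted locations'
    state         = 'enabledForReportingButNotEnforced'   # report-only first
    conditions    = @{
        users        = @{ includeUsers = @('All') }
        applications = @{ includeApplications = @('Office365') }
        locations    = @{
            includeLocations = @('All')
            excludeLocations = @('AllTrusted')
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Review the report-only results in the sign-in logs, then set `state` to `enabled` once the policy behaves as intended.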