Using Conditional Access to enforce MFA, do I still need to enable MFA on the Users pane in Azure AD?


Question

What I want to achieve is that users on the internal network do not need to use MFA.

In Azure AD / Conditional Access, I am creating a policy with an IP range as an exception, and then granting access to all users with MFA required.

Do I still need to enable MFA for all users in the "Users" section of Azure AD, or would that override my policy?
And do users still need to use MFA from the (internal IP range) location?

Thanks,
Franck

Answer


"I want to achieve that the users do not need to use MFA when they're on the internal network"

You can create Trusted IPs in MFA or Named Locations in Conditional Access. Create subnets that match on-premises subnets and then allow access to those subnets. Reference: Location condition in Azure Active Directory Conditional Access


Conditional Access-based MFA: admins should never enable it on top of the Conditional Access policy, or you are bypassing the reason for using Conditional Access.
The Conditional Access policy should include exceptions for IP ranges if that is what you are looking for.

Refer to this article, which calls out the ways to enable it - https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-getstarted#choose-how-to-enable

Enabled by changing user state - This is the traditional method for requiring two-step verification. It works with both Azure MFA in the cloud and Azure MFA Server. Using this method requires users to perform two-step verification every time they sign in and overrides conditional access policies.

Enabled by conditional access policy - This is the most flexible means to enable two-step verification for your users. Enabling using conditional access policy only works for Azure MFA in the cloud and is a premium feature of Azure AD.

They are two different ways of looking at MFA, choose one of these methods to require two-step verification, not both. Enabling a user for Azure Multi-Factor Authentication overrides any conditional access policies.

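The setup the answer describes (a trusted named location for the internal network, a policy that requires MFA everywhere else, and a check that no account has per-user MFA switched on, since that would override the policy), as an added example that is not part of the original answer. It uses the Microsoft Graph PowerShell SDK and the legacy MSOnline module; the 203.0.113.0/24 range and display names are constructed placeholders.

```powershell
# Added example, not from the original answer. Assumes the Microsoft.Graph and MSOnline
# modules are installed and the signed-in admin holds Policy.ReadWrite.ConditionalAccess.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All"

# 1. Named location covering the on-premises egress range, marked trusted.
#    203.0.113.0/24 is a constructed placeholder; use your real public egress range.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Corporate network (constructed example)"
    isTrusted     = $true
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.0/24" }
    )
}

# 2. Conditional Access policy: all users, all cloud apps, every location EXCEPT the
#    trusted one, grant access only with MFA. Created in report-only mode so the
#    effect can be reviewed in the sign-in logs before enforcement.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "Require MFA outside corporate network (constructed example)"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeUsers = @("All") }
        applications = @{ includeApplications = @("All") }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @($location.Id)   # internal network is exempt from MFA
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
Write-Host "Created policy $($policy.DisplayName) with id $($policy.Id)"

# 3. Check: per-user MFA (the "Users" pane) must stay Disabled for everyone, because an
#    Enabled/Enforced user state overrides the policy and prompts on the internal network too.
#    Per-user state is exposed through the legacy MSOnline module.
Connect-MsolService
Get-MsolUser -All |
    Where-Object { $_.StrongAuthenticationRequirements.State -in @("Enabled","Enforced") } |
    Select-Object UserPrincipalName,
        @{ n = "PerUserMfaState"; e = { $_.StrongAuthenticationRequirements.State } }
```

Any account listed by step 3 should have its per-user MFA state set back to Disabled so that only the Conditional Access policy decides when MFA is required.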

