Usually you'll want to skip MFA for users logging on when they are physically on site.

- Conditions > Client apps > Browser and Mobile apps and desktop clients.
- Conditions > Locations > Include Any, Exclude trusted locations (or populate the list yourself with your on-premises public IP address).
- Cloud apps or actions > User actions > Register security information.

If an account has been compromised and is also set to require MFA, for example "Require MFA for all sign-in attempts from outside the UK", but the user hasn't set up MFA yet, then the first thing an attacker is going to see when signing in from another country is the MFA setup screen, where they will set up their own authenticator app on the compromised account. It's crucial that you restrict the MFA sign-up process to trusted locations only.

the device is Azure AD registered, or joined, and is in a compliant state
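To confirm that a tenant actually has the registration restriction described above, the following added example (not from the original post) audits policies exported in the shape of Microsoft Graph's `conditionalAccessPolicy` resource. The policy names, the `<uk-location-id>` placeholder and the sample data are constructed. Only the conditions named on this page are checked; grant controls are not, since the page does not state them.

```python
import json

REGISTER_ACTION = "urn:user:registersecurityinfo"  # User actions > Register security information
WANTED_CLIENTS = {"browser", "mobileAppsAndDesktopClients"}

# Constructed sample: one sign-in MFA policy and one registration policy left in report-only mode.
SAMPLE = json.loads("""
[
 {"displayName": "MFA outside UK", "state": "enabled",
  "conditions": {"applications": {"includeApplications": ["All"]},
                 "clientAppTypes": ["all"],
                 "locations": {"includeLocations": ["All"], "excludeLocations": ["<uk-location-id>"]}}},
 {"displayName": "Registration from trusted sites", "state": "enabledForReportingButNotEnforced",
  "conditions": {"applications": {"includeUserActions": ["urn:user:registersecurityinfo"]},
                 "clientAppTypes": ["browser"],
                 "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]}}}
]
""")

def check_policy(policy):
    """Return the reasons this policy does not match the settings described on the page."""
    cond = policy.get("conditions") or {}
    loc = cond.get("locations") or {}
    clients = set(cond.get("clientAppTypes") or [])
    problems = []
    if policy.get("state") != "enabled":
        problems.append("state is %r, not enforced" % policy.get("state"))
    if "All" not in (loc.get("includeLocations") or []):
        problems.append("locations do not include Any")
    if not loc.get("excludeLocations"):
        problems.append("no trusted location excluded")
    if "all" not in clients and not WANTED_CLIENTS <= clients:
        problems.append("client apps missing: " + ", ".join(sorted(WANTED_CLIENTS - clients)))
    return problems

def audit(policies):
    """Map each policy scoped to security-info registration to its problems ([] means OK)."""
    results = {}
    for p in policies:
        apps = (p.get("conditions") or {}).get("applications") or {}
        if REGISTER_ACTION in (apps.get("includeUserActions") or []):
            results[p.get("displayName", "?")] = check_policy(p)
    return results

def registration_is_restricted(policies):
    """True only if at least one registration-scoped policy has no problems."""
    return any(not problems for problems in audit(policies).values())

if __name__ == "__main__":
    for name, problems in audit(SAMPLE).items():
        print(name, "->", problems or "OK")
    print("registration restricted:", registration_is_restricted(SAMPLE))
```

A tenant with a location-based sign-in MFA policy but no enforced registration policy is in exactly the state the paragraph above warns about, and this check reports it as not restricted.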