Microsoft Azure Active Directory Conditional Access and Dynamics 365: Enforce multi-factor authentication


With Azure Active Directory Conditional Access, you can control how authorized users can access your cloud applications. Multi-factor authentication (MFA) is a method of authentication that requires more than one verification method and adds a second layer of security to sign-ins.

Azure AD is Microsoft’s cloud-based identity and access management service, used by app developers and by Microsoft 365, Azure and Dynamics 365 subscribers. Every Dynamics 365 tenant is therefore automatically an Azure AD tenant.

No setup is required on the Dynamics 365 administrator side. Users do, however, have to register a verification method when they sign in, for example a contact number that receives a text message or phone call.

We had a client requirement that whenever any user tries to access D365 or Office 365 services from outside the company network, they need to be prompted for MFA. By contrast, if the services are being accessed from within the company network it shouldn’t prompt for MFA, because the network is trusted.

Solution

In this article, we will see how to create a Conditional Access policy that enforces MFA when a user accesses services from an untrusted location (outside the company’s network).

Pre-requisites

1. Users covered by the policy require an Azure AD Premium license.
2. Create a security group and add the users the policy should apply to.
3. Obtain the company’s public static IP in CIDR format, for example 15.250.0.89/24. Your network team can supply this detail.

No other IT considerations are required beyond these pre-requisites.

Trusted locations

1. Configure MFA trusted IPs in Azure AD.

2. Provide your company’s public static IP in CIDR format.
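The decision the policy makes (MFA for the security group everywhere except the trusted range) can be checked offline before it is switched on. The following is an added example and not Microsoft's code or anything from the original post: it mirrors the shape of the Microsoft Graph ipNamedLocation and conditionalAccessPolicy objects and evaluates constructed sign-ins locally. The group id, location id, application id, sign-in addresses and the policy name are placeholders. It also shows why the CIDR value deserves a second look: a range like 15.250.0.89/24 has host bits set and denotes the whole /24 block, whereas a single static address is written /32.

```python
"""Offline model of the Conditional Access decision described above.

Added example, not Microsoft's code. Object names mirror the Microsoft Graph
ipNamedLocation / conditionalAccessPolicy schema; all ids, IPs and sign-ins
are constructed placeholders.
"""
import ipaddress
import json
from dataclasses import dataclass


def normalize_cidr(cidr: str) -> tuple[str, int, bool]:
    """Return (network, address count, host_bits_set) for a CIDR string.

    A named location is a network range, not one address: 15.250.0.89/24
    has host bits set and really means 15.250.0.0/24 (256 addresses).
    """
    try:
        ipaddress.ip_network(cidr, strict=True)
        host_bits_set = False
    except ValueError:
        host_bits_set = True
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net), net.num_addresses, host_bits_set


@dataclass
class NamedLocation:
    """Equivalent of a Graph ipNamedLocation (Azure AD > Named locations)."""
    location_id: str
    display_name: str
    is_trusted: bool
    ip_ranges: list[str]            # CIDR strings

    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(c, strict=False) for c in self.ip_ranges)


@dataclass
class ConditionalAccessPolicy:
    """Subset of a Graph conditionalAccessPolicy: users, apps, locations, grant."""
    display_name: str
    include_groups: list[str]
    include_applications: list[str]  # app ids, or "All"
    include_locations: list[str]     # location ids, or "All"
    exclude_locations: list[str]     # location ids, or "AllTrusted"
    built_in_controls: list[str]     # e.g. ["mfa"]
    state: str = "enabled"           # or "enabledForReportingButNotEnforced"

    def to_graph_body(self) -> str:
        """JSON body in the shape used by POST /identity/conditionalAccess/policies."""
        return json.dumps({
            "displayName": self.display_name,
            "state": self.state,
            "conditions": {
                "users": {"includeGroups": self.include_groups},
                "applications": {"includeApplications": self.include_applications},
                "locations": {"includeLocations": self.include_locations,
                              "excludeLocations": self.exclude_locations},
            },
            "grantControls": {"operator": "OR", "builtInControls": self.built_in_controls},
        }, indent=2)


def _location_matches(ip, selector, locations):
    """True if ip falls in any location named by selector ("All", "AllTrusted" or ids)."""
    for sel in selector:
        if sel == "All":
            return True
        if sel == "AllTrusted":
            if any(loc.is_trusted and loc.contains(ip) for loc in locations.values()):
                return True
        elif sel in locations and locations[sel].contains(ip):
            return True
    return False


def required_controls(policy, locations, user_groups, app_id, ip):
    """Grant controls the policy demands for this sign-in; [] if it does not apply."""
    if policy.state != "enabled":
        return []                    # report-only policies never enforce anything
    if not set(user_groups) & set(policy.include_groups):
        return []                    # user is outside the targeted security group
    if "All" not in policy.include_applications and app_id not in policy.include_applications:
        return []
    if not _location_matches(ip, policy.include_locations, locations):
        return []
    if _location_matches(ip, policy.exclude_locations, locations):
        return []                    # sign-in from the trusted network: no MFA prompt
    return list(policy.built_in_controls)


# Constructed placeholders for the tenant objects the post describes.
OFFICE_NETWORK = NamedLocation("loc-hq", "Head office", is_trusted=True,
                               ip_ranges=["15.250.0.89/24"])
LOCATIONS = {OFFICE_NETWORK.location_id: OFFICE_NETWORK}
MFA_OUTSIDE_OFFICE = ConditionalAccessPolicy(
    display_name="Require MFA outside the company network",
    include_groups=["grp-d365-users"],
    include_applications=["All"],
    include_locations=["All"],
    exclude_locations=["AllTrusted"],
    built_in_controls=["mfa"],
)

if __name__ == "__main__":
    print(MFA_OUTSIDE_OFFICE.to_graph_body())
    print(normalize_cidr("15.250.0.89/24"))
    for ip in ("15.250.0.200", "203.0.113.7"):
        print(ip, required_controls(MFA_OUTSIDE_OFFICE, LOCATIONS,
                                    ["grp-d365-users"], "d365", ip))
```

Running the script prints the policy body, shows that the /24 example covers 256 addresses, and reports no controls for a group member at 15.250.0.200 (inside the trusted range) but `['mfa']` for the same member at 203.0.113.7. Starting the real policy in report-only mode gives the same dry run against live sign-in logs.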
