MFA White Listing

Summary

To enable Voleer to be able to use accounts that require multi-factor authentication, we recommend white-listing the Voleer worker server IP range. This will allow authentications from Voleer to bypass MFA while preserving normal MFA functionality for authentication requests not originating from Voleer.

Configuration 

Microsoft Azure has two levels of MFA configuration. Depending on your environment, you may need to configure one or both to properly enable MFA white-listing.

Azure AD MFA

The basic Azure AD MFA 

  1. Log in to https://portal.azure.com
  2. Select Azure Active Directory from the navigation pane
  3. Select Users from the Azure AD navigation pane 
  4. Click Multi-Factor Authentication in the row of buttons at the top of the users list. If you do not see it in the row, click ...More and select it from the drop-down.
  5. Click service settings under the multi-factor authentication title. 
  6. Add 52.148.161.160/28 to the Skip multi-factor authentication for requests from following range of IP address subnets textbox. 
  7. Click Save

Conditional Access Policy

Azure AD Conditional Access Policies allow greater control over MFA and require Azure AD Premium P1 licensing on accounts the policies will apply to. If you have already configured one or more conditional access policies, you will need to review these policies and modify as appropriate for your given configuration.

For the instructions below, we will assume that you already have a policy created that requires MFA for the account(s) you would like to use. We will exclude those accounts from your standard MFA policy and create a policy specifically for those accounts.

  1. Log in to https://portal.azure.com

  2. Select Azure Active Directory from the navigation pane 

  3. Select Conditional Access under the Security heading on the Azure AD navigation pane. 

If you do not have any policies enabled for MFA, you do not have to make any changes and can stop here. If you still want to create a new policy and don’t have any existing MFA policies, skip the Exclude Accounts from MFA Policy step. 

Create Named Location

  1. Select the Named locations menu item under the Manage heading. 

  2. Select New location 

  3. Enter Voleer Subnet in the Name textbox

  4. Enter 52.148.161.160/28 in the IP ranges textbox. 

  5. Note: If there are any trailing or leading spaces, the interface will display an error. 

  6. Click the Create button at the bottom 

Exclude Accounts from MFA policy 

  1. Select the policy that requires MFA from the conditional access policy list. 

  2. Select Users and groups 

  3. Select the Exclude tab 

  4. Ensure that the Users and groups checkbox is selected. 

  5. Click Select excluded users 

  6. Add the accounts that you would like to use with Voleer, click Select, then Done, and then Save

Create New Policy 

  1. Click the New policy button at the top of the conditional access policy list. 

  2. Enter a name for the policy 

  3. Select the Users and Groups action 

  4. Select the Select users and groups radio button, then select the Users and groups checkbox. 

  5. Click the Select action below the checkboxes 

  6. Add the accounts that you would like to use with Voleer and click Select and then Done

  7. Select the Cloud apps or actions action 

  8. Select the All cloud apps radio button and click Done 

  9. Click the Conditions action 

  10. Click the Locations action 

  11. Select Yes on the Configure toggle and then, on the Include tab, select Any location

  12. Select the Exclude tab. 

  13. Select the Selected Locations radio button and click the Select action 

  14. Select the Voleer Subnet location from the locations list and then click the Select button at the bottom

  15. Click Done on the Locations blade

  16. Click Done on the Conditions blade

  17. Click the Grant action under the Access controls heading 

  18. Select the Grant access radio button, then check Require multi-factor authentication and any other controls that were enabled on the standard policy from which these accounts were excluded.

  19. Click the Select button at the bottom 

  20. Toggle Enable Policy to On 

  21. Click Create

Validate Policy 

  1. Click the What If button at the top of the conditional access policy list 

  2. Click User and select the account you want to test 

  3. Enter 52.148.161.161 in the IP Addresses textbox 

  4. Select United States from the Country dropdown 

  5. Click the What If button 

  6. If any policies display in the Policies that will apply tab, click on them and validate that they do not require MFA. 

  7. Change the IP Addresses value to 52.148.161.159

  8. Click the What If button 

  9. You should see the policy you created in the previous section in the Policies that will apply tab.
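As an added example (not from the Voleer article or from Microsoft's tooling), the following Python script reproduces the What If range check for the two test addresses above and audits sign-in records against the Conditional Access intent: the excluded accounts skip MFA only from the Voleer subnet, and every other account keeps MFA everywhere. The account name and the sign-in log lines are constructed for the example.

```python
import ipaddress
import json

# Voleer worker subnet from the article. The What If steps probe .161 (inside
# the /28) and .159 (just outside it); in_voleer_range() gives the same answer.
VOLEER_SUBNET = ipaddress.ip_network("52.148.161.160/28")

# Accounts excluded from the standard MFA policy and targeted by the Voleer
# policy (hypothetical account name, not from the article).
VOLEER_ACCOUNTS = {"svc-voleer@contoso.example"}

# Constructed sign-in records, one JSON object per line, with the caller IP
# and whether MFA was enforced. Not real log data.
SAMPLE_SIGNINS = """
{"user": "svc-voleer@contoso.example", "ip": "52.148.161.161", "mfa_required": false}
{"user": "svc-voleer@contoso.example", "ip": "52.148.161.159", "mfa_required": true}
{"user": "svc-voleer@contoso.example", "ip": "198.51.100.7", "mfa_required": false}
{"user": "svc-voleer@contoso.example", "ip": "52.148.161.170", "mfa_required": true}
{"user": "alice@contoso.example", "ip": "52.148.161.165", "mfa_required": false}
""".strip()


def in_voleer_range(ip: str) -> bool:
    """Is the caller inside the 'Voleer Subnet' named location?"""
    return ipaddress.ip_address(ip) in VOLEER_SUBNET


def expected_mfa(user: str, ip: str) -> bool:
    """Policy intent: Voleer accounts skip MFA only from the Voleer subnet;
    every other account keeps MFA from every location, the subnet included."""
    if user in VOLEER_ACCOUNTS:
        return not in_voleer_range(ip)
    return True


def audit_signins(log_text: str) -> list:
    """Return the records whose observed MFA outcome contradicts the intent."""
    findings = []
    for line in log_text.splitlines():
        rec = json.loads(line)
        want = expected_mfa(rec["user"], rec["ip"])
        if rec["mfa_required"] == want:
            continue
        rec["finding"] = ("MFA bypassed where the policy should require it" if want
                          else "MFA prompted from the Voleer subnet (location not applied)")
        findings.append(rec)
    return findings


if __name__ == "__main__":
    for f in audit_signins(SAMPLE_SIGNINS):
        print(f"{f['user']} from {f['ip']}: {f['finding']}")
```

Run against an exported sign-in log, a bypass from outside the subnet points at an over-broad exclusion, and a prompt from inside it means the named location is not being applied.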
