How to secure the MFA registration page with Azure AD Conditional Access

Using Conditional Access with Azure AD helps you control and secure how your organization reaches corporate applications. Allowing users to access applications from inside or outside the network with only a password does not protect your data: weak passwords are easily guessed or compromised.

Azure AD provides Multi-Factor Authentication (MFA) as a second authentication factor when users access your resources, which reduces that risk. You can force the initial MFA registration, or let users register their security info themselves on the portal. The risk is that you may not want the initial registration to happen from arbitrary locations: an attacker who already holds a user's password could otherwise register their own authenticator before the legitimate user does. In this scenario we can use a Conditional Access policy to allow the MFA registration process only from specific locations, such as the internal network.

I am going to explain how to create a Conditional Access policy that limits the security info registration page to the internal network only.

As a first step, add your internal network IP range to the Conditional Access named locations and mark it as a trusted network. Use the public egress address range that Azure AD sees for your office or VPN, not the private internal subnet.

Click Named locations, then IP ranges location.

Define a location name, add your network IP range in CIDR notation, and mark it as a trusted location.

As you can see, our location has been defined.

Next, create a new Conditional Access policy.

Provide a name for the policy and choose all users, or specific groups or users, based on your requirements.

Under the “Cloud apps or actions” tab choose “User actions” and tick the “Register security information” option.

Under Conditions, configure Locations and choose Any location on the Include tab.

On the Exclude tab, exclude the internal network location created above (alternatively, exclude All trusted locations, since the named location was marked as trusted).

Under Access controls, set Grant to Block access, because we want to block registration from every network except our internal one.

Set Enable policy to On and create the policy.

Once you click Create you may get a warning that the policy could lock you out of the tenant. If you are familiar with Conditional Access rules you can continue without adding excluded users, but I recommend adding your break-glass (emergency access) account to the excluded users. If you want to verify the effect first, set the policy to Report-only instead of On and review the sign-in logs for the sign-ins that would have been blocked before enforcing it.
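The same configuration can be created without the portal. The following is an added example using the Microsoft Graph PowerShell SDK; it is not code from the original post. It creates the trusted named location, the blocking policy with the break-glass exclusion, and then queries the sign-in logs for sign-ins that Conditional Access failed. The CIDR range, display names and the break-glass user principal name are placeholders you must replace; the policy is created in report-only state so you can check the logs before switching it to enabled.

```powershell
# Added example (not from the original post): build the trusted named location and the
# "block security info registration outside the internal network" policy via Microsoft Graph.
# Assumptions: Microsoft.Graph module installed; you hold a role allowed to write
# Conditional Access policies; CIDR, names and the break-glass UPN below are placeholders.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","User.Read.All","AuditLog.Read.All"

# 1. Trusted named location for the internal network (placeholder egress range).
$locationBody = @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Internal network"
    isTrusted     = $true
    ipRanges      = @(
        @{
            "@odata.type" = "#microsoft.graph.iPv4CidrRange"
            cidrAddress   = "203.0.113.0/24"   # placeholder: the public egress range Azure AD sees
        }
    )
}
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter $locationBody

# 2. Break-glass account excluded from the policy so it can never lock out an admin (placeholder UPN).
$breakGlass = Get-MgUser -UserId "breakglass@contoso.onmicrosoft.com"

# 3. Policy: user action "Register security information", any location except the trusted one, block.
$policyBody = @{
    displayName = "Block security info registration outside internal network"
    state       = "enabledForReportingButNotEnforced"   # report-only first; set to "enabled" once verified
    conditions  = @{
        users = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlass.Id)
        }
        applications = @{
            includeUserActions = @("urn:user:registersecurityinfo")   # the "Register security information" user action
        }
        locations = @{
            includeLocations = @("All")
            excludeLocations = @($location.Id)   # or "AllTrusted" to exclude every trusted named location
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $policyBody
$policy | Select-Object Id, DisplayName, State

# 4. Check: recent sign-ins that Conditional Access failed, with the source IP and the policy that fired.
Get-MgAuditLogSignIn -Filter "conditionalAccessStatus eq 'failure'" -Top 20 |
    Select-Object CreatedDateTime, UserPrincipalName, IpAddress,
        @{ n = "Policies"; e = { ($_.AppliedConditionalAccessPolicies | Where-Object Result -eq 'failure').DisplayName -join ';' } }
```

While the policy is in report-only state the applied policy result in the sign-in log shows as reportOnlyFailure rather than failure, so adjust the filter in step 4 accordingly when reviewing it before enforcement. Switch the state to enabled only after the report-only results show the expected users and IP addresses, and remember that users who are never on the trusted network will need an onboarding path for their first registration.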

When users try to register their authenticator app at https://aka.ms/mfasetup from outside the trusted network, the Conditional Access policy blocks them.

When we check the sign-in logs, we see that the IP address is outside our trusted network and the Conditional Access status is Failure.

Access has been blocked by the policy.

If a user tries from the internal network, they are taken to the registration page.