Adding On-Premise IP Range as Trusted IP for MFA Bypass | Microsoft 365 Security Administration Exam

Add On-Premise IP Range as Trusted IP

Question

You are responsible for the Office 365 security in your organization.

You have an Azure AD tenant on the free tier.

You have enforced multi-factor authentication by enabling Security Defaults for all users.

You want to add your on-premises IP range as a trusted IP so that the MFA prompt is bypassed when users work from the office.

What should you do?

Answers

Explanations

Correct Answer: C

Adding trusted IP ranges requires your tenant to have an Azure AD Premium P1 or Azure AD Premium P2 license.

The only way to enforce MFA on users with non-administrator roles in an Azure AD Free tenant is by enabling Security Defaults.

As the exhibit below shows, Trusted IPs are not available on the free tier.

Exhibit: Azure AD Multi-Factor Authentication feature comparison by license.

Columns: Azure AD Free - Security defaults; Azure AD Free - Azure AD Global Administrators; Microsoft 365 apps; Azure AD Premium P1 or P2.

Feature availability by column:

Protect Azure AD tenant admin accounts with MFA: all four columns (in the Azure AD Free - Global Administrators column, Azure AD Global Administrator accounts only).
Mobile app as a second factor: all four columns.
Phone call as a second factor: Azure AD Free - Global Administrators, Microsoft 365 apps, Azure AD Premium P1 or P2.
SMS as a second factor: Azure AD Free - Global Administrators, Microsoft 365 apps, Azure AD Premium P1 or P2.
Admin control over verification methods: Azure AD Free - Global Administrators, Microsoft 365 apps, Azure AD Premium P1 or P2.
Fraud alert: Azure AD Premium P1 or P2 only.
MFA Reports: Azure AD Premium P1 or P2 only.
Custom greetings for phone calls: Azure AD Premium P1 or P2 only.
Custom caller ID for phone calls: Azure AD Premium P1 or P2 only.
Trusted IPs: Azure AD Premium P1 or P2 only.
Remember MFA for trusted devices: Azure AD Free - Global Administrators, Microsoft 365 apps, Azure AD Premium P1 or P2.
MFA for on-premises applications: Azure AD Premium P1 or P2 only.

Option A is incorrect.

That is where the trusted IP settings are configured, but in this scenario the tenant must first be upgraded to a paid Azure AD tier.

Option B is incorrect.

Creating a security group does not make trusted IPs available on the free tier.

Option D is incorrect.

Conditional Access policies require an Azure AD Premium P1 or P2 license.

The correct answer for this question is D. Create a conditional access policy.

Explanation: When Security Defaults are enabled for an Azure AD tenant, MFA is enforced for all users, which means that users must provide an additional factor of authentication (such as a code or biometric verification) to access their accounts. However, there may be situations where users should be exempt from MFA, for example when they access their accounts from a trusted location like the office.

To allow users to bypass MFA when accessing Office 365 from a trusted location, you can create a Conditional Access policy in Azure AD. A Conditional Access policy lets you set rules that determine when and how users can access Office 365. In this case, you would create a policy that allows users to bypass MFA when they access Office 365 from a specific IP range (such as the office IP range). As noted above, Conditional Access policies require an Azure AD Premium P1 or P2 license, and they cannot be used while Security Defaults are enabled, so Security Defaults would have to be turned off first.

To create a conditional access policy, follow these steps:

  1. Go to the Azure portal (https://portal.azure.com/) and sign in with your admin account.
  2. In the left-hand menu, click on "Azure Active Directory".
  3. Click on "Security".
  4. Click on "Conditional access".
  5. Click on "New policy".
  6. Enter a name for the policy.
  7. Under "Assignments", select the users or groups that the policy will apply to.
  8. Under "Cloud apps or actions", select "Office 365".
  9. Under "Conditions", click on "Locations".
  10. Click on "Add location".
  11. Select "Trusted locations".
  12. Click on "Add".
  13. Enter the IP address range for your office network.
  14. Click on "Done".
  15. Under "Access controls", select "Grant".
  16. Under "Grant access", select "Require multi-factor authentication" and set it to "Off".
  17. Click on "Create".

This policy will allow users to access Office 365 from your office IP range without requiring MFA. Note that this policy will only apply to users who are members of the groups that you selected in step 7.