Document how to disable MFA for this application #12

Open
jimdigriz opened this issue Nov 8, 2020 · 13 comments

@jimdigriz
Owner

jimdigriz commented Nov 8, 2020

MFA does not work with this project.

Turns out if you are using Azure AD Premium you can use a Conditional Access policy to apply an application exclusion (as pointed to in #11 (comment)) to disable MFA for our application use case.

This ticket is to make it a TODO to explore and document this process; seems to be an AD Premium only feature but that is for the end user to decide.

@salihzett

I can add this as soon as I follow your manual, maybe tomorrow.

@jimdigriz
Owner Author

@salihzett do you have any instructions I can use for this?

@salihzett

Sorry yes:

  • http://portal.azure.com
  • Azure AD Conditional Access
  • New Policy
  • Name: freeradius-oauth2 / or MFA setting
  • Users: All users
  • Cloud Apps or actions: select Exclude and search for your enterprise application: freeradius-oauth2
  • Grant: Require multi-factor authentication
  • Enable Policy: ON.
    Done

In my case: under Cloud apps I select Include All cloud apps, and then exclude freeradius-oauth2, because I want to force MFA for all apps (but not for freeradius).
IDK if others have forced MFA, if not I would do this like my example and then just exclude the enterprise application.

This workflow works for me and my colleagues.

Questions?

jimdigriz assigned jimdigriz and unassigned salihzett Jul 7, 2021

@jimdigriz
Owner Author

This is great, I'll give it a go myself and get it put into the README for others. If I have any problems I'll ask. Thanks!

@salihzett

u r welcome

@adeptcain

I ran into an issue with MFA still being required after implementing this, turns out if you have Office 365 MFA (this admin panel) either enabled or enforced on a user then it will ignore Conditional Access MFA. Also keep in mind that if you're using app passwords in your organization, Conditional Access does not support them, so you will need to either go without this RADIUS method or go without app passwords.

@groupe-accelis

This worked for me.

Upon investigating my sign-in logs in:

Azure Active Directory portal --> Conditional Access --> Sign-in logs
then
Clicking on the failed sign in attempt --> Conditional Access tab

I realised that my VM Login MFA policy is blocking my sign in


I excluded my freeradius app by adding it to the "Cloud apps or actions" --> Exclude menu

and voila, it worked

Thanks Alexander
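
Added example, not part of the original thread or the project's code: the comment above found a second Conditional Access policy still demanding MFA, and this check lists every enforced policy that does so for one application. It assumes the policies were exported as JSON in the Microsoft Graph `conditionalAccessPolicy` shape; the app ID and sample policies are constructed placeholders, and user scoping, authentication strengths and per-user MFA are not evaluated.

```python
import json

# Constructed sample shaped like Microsoft Graph conditionalAccessPolicy
# objects; the app IDs and all policies are placeholders, not tenant data.
RADIUS_APP_ID = "00000000-0000-0000-0000-00000000abcd"
OTHER_APP_ID = "00000000-0000-0000-0000-00000000ffff"

def _policy(name, state, include, exclude, controls):
    return {"displayName": name, "state": state,
            "conditions": {"applications": {"includeApplications": include,
                                            "excludeApplications": exclude}},
            "grantControls": {"operator": "OR", "builtInControls": controls}}

SAMPLE_POLICIES = [
    _policy("MFA for all apps", "enabled", ["All"], [RADIUS_APP_ID], ["mfa"]),
    _policy("VM Login MFA", "enabled", ["All"], [], ["mfa"]),
    _policy("MFA pilot", "enabledForReportingButNotEnforced", ["All"], [], ["mfa"]),
    _policy("Compliant device", "enabled", [OTHER_APP_ID], [], ["compliantDevice"]),
]

def policies_forcing_mfa(policies, app_id):
    """Return names of enforced policies that still demand MFA from app_id."""
    hits = []
    for p in policies:
        if p.get("state") != "enabled":
            continue  # disabled and report-only policies do not block sign-in
        controls = (p.get("grantControls") or {}).get("builtInControls") or []
        if "mfa" not in controls:
            continue  # policy grants on something other than the MFA control
        apps = (p.get("conditions") or {}).get("applications") or {}
        included = apps.get("includeApplications") or []
        excluded = apps.get("excludeApplications") or []
        in_scope = "All" in included or app_id in included
        if in_scope and app_id not in excluded:
            hits.append(p.get("displayName", "<unnamed>"))
    return hits

def load_export(path):
    """Read a JSON export: a bare list or a Graph {"value": [...]} page."""
    with open(path, encoding="utf-8") as fh:
        data = json.load(fh)
    return data["value"] if isinstance(data, dict) else data

if __name__ == "__main__":
    for name in policies_forcing_mfa(SAMPLE_POLICIES, RADIUS_APP_ID):
        print(f"still requires MFA for the RADIUS app: {name}")
```

An empty result only covers Conditional Access; per-user MFA set to enabled or enforced, as reported earlier in this thread, is a separate setting.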

@yuhongwei380

> I ran into an issue with MFA still being required after implementing this, turns out if you have Office 365 MFA (this admin panel) either enabled or enforced on a user then it will ignore Conditional Access MFA. Also keep in mind that if you're using app passwords in your organization, Conditional Access does not support them, so you will need to either go without this RADIUS method or go without app passwords.

When I turn off the permission in O365-MFA, the test works; but how do you ensure the security of your account?

@jimdigriz
Owner Author

> When I turn off the permission in O365-MFA, the test works; but how do you ensure the security of your account?

I do not understand, what does 'security of your account' mean? What are you trying to do? If you want WPA-Enterprise with MFA this is not the solution for you, you need to speak to a proprietary vendor for that to work.

@yuhongwei380

> > When I turn off the permission in O365-MFA, the test works; but how do you ensure the security of your account?
>
> I do not understand, what does 'security of your account' mean? What are you trying to do? If you want WPA-Enterprise with MFA this is not the solution for you, you need to speak to a proprietary vendor for that to work.

Thanks for the reply. My test access succeeds when I turn off the O365 MFA, and I noticed my MFA policy can't work; I have submitted a case to Azure to resolve my problem! Thanks for replying ~

@yuhongwei380

> > When I turn off the permission in O365-MFA, the test works; but how do you ensure the security of your account?
>
> I do not understand, what does 'security of your account' mean? What are you trying to do? If you want WPA-Enterprise with MFA this is not the solution for you, you need to speak to a proprietary vendor for that to work.

I have solved it; my MFA policy wasn't working; now it works well, thanks~

@RadimKuncicky

Conditional access requires Entra P1 licence theoretically for every user that benefits from the policy. There is another possibility without P1 licence. It is possible to set trusted IP ranges for MFA - without conditional access.

https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-mfasettings#enable-the-trusted-ips-feature-by-using-service-settings

It's pretty nicely hidden, hope that it will help anybody

@jimdigriz
Owner Author

> Conditional access requires Entra P1 licence theoretically for every user that benefits from the policy. There is another possibility without P1 licence. It is possible to set trusted IP ranges for MFA - without conditional access.
>
> https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-mfasettings#enable-the-trusted-ips-feature-by-using-service-settings
>
> It's pretty nicely hidden, hope that it will help anybody

Handy, good spot, thanks @RadimKuncicky.

I did see the ability to bless given IPs, but I just assumed it was a P1 licence thing also.
