salihzett
commented
4 years ago I can add this as soon I follow your manual, maybe tomorrow.
Open jimdigriz opened 4 years ago
salihzett
commented
4 years ago I can add this as soon I follow your manual, maybe tomorrow.
jimdigriz
commented
3 years ago @salihzett do you have any instructions I can use for this?
salihzett
commented
3 years ago Sorry yes:
In my case: I select under Cloud apps Include All cloud apps, and then exclude freeradius-oauth2, because I want to force for all apps MFA. (but not for freeradius). IDK if others have forced MFA, if not I would do this like my example and then just exclude the enterprise application.
This workflow works for me and my colleagues.
Questions?
jimdigriz
commented
3 years ago This is great, I'll give it a go myself and get it put into the README for others. If I have any problems I'll ask. Thanks!
salihzett
commented
3 years ago u r welcome
adeptcain
commented
3 years ago I ran into an issue with MFA still being required after implementing this, turns out if you have Office 365 MFA (this admin panel) either enabled or enforced on a user then it will ignore Conditional Access MFA. Also keep in mind that if you're using app passwords in your organization, Conditional Access does not support them, so you will need to either go without this RADIUS method or go without app passwords.
groupe-accelis
commented
1 year ago This worked for me.
Upon investigating my sign-in logs in :
Azure Active Directory portal --> Conditional Access --> Sign-in logs then Clicking on the failed sign in attempt --> Conditional Access tab
I realised that my VM Login MFA policy is blocking my sign in
I excluded my freeradius app by adding it to the "Cloud apps or actions" --> Exclude menu
and voila, it worked
Thanks Alexander
yuhongwei380
commented
9 months ago I ran into an issue with MFA still being required after implementing this, turns out if you have Office 365 MFA (this admin panel) either enabled or enforced on a user then it will ignore Conditional Access MFA. Also keep in mind that if you're using app passwords in your organization, Conditional Access does not support them, so you will need to either go without this RADIUS method or go without app passwords.
when turn off the permisstion in O365-MFA , test works; but how to ensure the security of your account ?
jimdigriz
commented
9 months ago when turn off the permisstion in O365-MFA , test works; but how to ensure the security of your account ?
I do not understand, what does 'security of your account' mean? What are you trying to do? If you want WPA-Enterprise with MFA this is not the solution for you, you need to speak to a proprietary vendor for that to work.
yuhongwei380
commented
9 months ago when turn off the permisstion in O365-MFA , test works; but how to ensure the security of your account ?
I do not understand, what does 'security of your account' mean? What are you trying to do? If you want WPA-Enterprise with MFA this is not the solution for you, you need to speak to a proprietary vendor for that to work.
thanks for reply, my test access success when i turnoff the O365'MFA and i noticed my mfapolicy can't work, i had submit a case to Azure to resolve my problem! Thanks for replying ~
yuhongwei380
commented
9 months ago when turn off the permisstion in O365-MFA , test works; but how to ensure the security of your account ?
I do not understand, what does 'security of your account' mean? What are you trying to do? If you want WPA-Enterprise with MFA this is not the solution for you, you need to speak to a proprietary vendor for that to work.
had solve it; my mfa policy can't work ;now it is work well, thanks~
RadimKuncicky
commented
1 month ago Conditional access requires Entra P1 licence theoretically for every user that benefits from the policy. There is another possibility without P1 licence. It is posssible to set trusted IP ranges for MFA - without conditional access.
It's pretty nice hidden, hope that it will help anybody
jimdigriz
commented
1 month ago Conditional access requires Entra P1 licence theoretically for every user that benefits from the policy. There is another possibility without P1 licence. It is posssible to set trusted IP ranges for MFA - without conditional access.
It's pretty nice hidden, hope that it will help anybody
Handy, good spot, thanks @RadimKuncicky.
I did see the ability to bless given IPs, but I just assumed it was an P1 licence thing also.
MFA does not work with this project.
Turns out if you are using Azure AD Premium you can use a Conditional Access policy to apply an application exclusion (as pointed to in https://github.com/jimdigriz/freeradius-oauth2-perl/issues/11#issuecomment-723653101) to disable MFA for our application use case..
This ticket is to make it a TODO to explore and document this process; seems to be an AD Premium only feature but that is for the end use to decide.