With Azure Active Directory Conditional Access, you can control how authorized users can access your cloud applications. Multi-factor authentication (MFA) is a method of authentication that requires more than one verification method and adds a second layer of security to sign-ins.
Azure AD is Microsoft’s cloud-based identity and access management service. It is intended for app developers and Microsoft 365, Azure, or Dynamics 365 subscribers. So, each Dynamics 365 tenant is automatically an Azure AD tenant.
No setup is required from the D365 administrator side. However, while logging in, users need to provide authentication credentials, for example providing a contact number to receive a message or phone call.
We had a client requirement that whenever any user tries to access D365 or Office 365 services from the outside company network, they needed to be prompted for MFA. By contrast, if the services are being accessed from within company network it shouldn’t prompt for MFA because the network is trusted.
Solution
In this article, we will see how to create conditional access to enforce MFA, if the user is accessing services from the untrusted location (outside of the company’s network).
Pre-requisites
- You will require an Azure AD Premium license for users
- Create a security group and add the users you need to specify in the policy
- Set the company’s public static IP in CIDR format, for example – 15.250.0.89/24. You can contact your network team to get this detail.
No other IT considerations are required except the pre-requisites.
Trusted locations
1. Configure MFA trusted IPs in Azure AD.

2. Provide your company’s public static IP in CIDR format.

Conditional access
1. Go to Azure AD–>Conditional Access–>+New Policy
2. Name the policy as UntrustedLocation_PromptMFA and the first thing to configure is Assignments in which you need to mention the User & Groups to be included in this policy.
3. Select Dynamics CRM Online under Cloud Apps. Similarly, you can choose other applications as well.
4. Under conditions you need to configure the device state and client apps as per your requirements. In Location include any locations.

Exclude selected locations and then select MFA trusted IPs.
5. In access control–>grant access and then set to require multi-factor authentication.
6. Finally, enable the policy and save.

7. You can see in the below image that the user has been asked to provide more details. After clicking on next, the user will be redirected to the authenticate credentials page.
8. Except for the authentication credentials, nothing else is required.

9. The user specified in the group will be asked for MFA when accessing services from outside the company network.
