Azure AD policies that contain IP addresses are location-based policies. Previously, Azure AD policies ignored IPv6 addresses and only applied the policy based upon your IPv4 address. However, starting in September 2024, this will no longer be the case. There’s no reason to wait to modify your policies though. Waiting might cause you to forget that this needs to be done.
We’ll get started by asking a question.
Do we still need location exemptions?
Most IP based policies that I’ve seen are used to exempt a person located in a known office with a static IP from being required to use MFA. In the beginning of MFA, everyone was annoyed, and IT was looking for a way to reduce the number of MFA prompts that their users were required to respond to and so we created an exemption for that location. Fast forward a bunch of years to today, and everyone is used to MFA, machines are joined to Azure AD, and our policies are smartly determining whether or not an MFA prompt is required based on behavioral characteristics. Azure AD has gotten a lot smarter.
For these reasons, for my own MSP, we decided to remove location exemptions, rather than add IPv6 to the policies. Yes a few more MFA prompts might occur. Our policy is to remind them of the need for security. Next to zero complaints have been logged.
This is the more secure option. Criminals of the world would love to know that they don’t have to deal with MFA if they phish you while you’re in the office. Now we’ve taken that option away.
What if you do still need location exemptions?
This doesn’t mean that there will never be a reason for a location exemption to MFA. If you need to implement it, here is how you’ll add the IPv6 address to your policy.
Find the public IPv6 address. You can type “my ip address” into Edge or you could visit https://whatismyipaddress.com/
Open Azure AD and navigate to Security/Name Locations. Here you’ll see a list of the named locations that might be being used in your policies. To add an IPv6 address location click on the IP ranges location button near the top center of the page.
Give a name to your IPv6 location and enter the range of IPv6 addresses that you want to include. Your IP address range will typically be /48 but may vary depending upon your ISP. To verify please check with your ISP.
Check the trusted IP box. Click the Add button then the create button at the bottom of the page and now you’ll have a new trusted IPv6 location.
Notification from Microsoft that you have policies that need updating
In the Azure AD portal dashboard, if you have policies that need updating you should see an alert that looks like the one on hte left below. This is a general notification about upcoming IPv6 updates to Azure AD.
The one on the right is a notification about specific policies that require updating. This is found on the Conditional Access dashboard page. Where it shows 0 below there will be a number greater than 0. Click that number to view the list of policies where you are using IPv4 based locations.
Learn more about other areas of Azure AD that now support IPv6 that you might need to update.
IPv6 support in Azure Active Directory (Azure AD) – Active Directory | Microsoft Learn
All we do is support IT professionals. Microsoft 365 technical assistance, newsletter, Security community, MSP Legislation community, EndPoint, Defender and Lighthouse community, Peer groups, courses, papers, Business consulting and more. https://www.thirdtier.net
