View Categories

How to disable Azure AD 2FA Authentication for Captive Portal

Azure AD Conditional Access MFA #

As an admin, you want to maintain security for your company’s resources, but you also want your employees to easily access resources as needed.

Multi-factor authentication (MFA) is a process in which a user is prompted for additional forms of identification during a sign-in event. For example, the prompt could be to enter a code on their cell phone or to provide a fingerprint scan. When you require a second form of identification, security increases because this additional factor isn’t easy for an attacker to obtain or duplicate.

In some cases, however, the MFA may cause challenges for the end user. One such case can be dealing with MFA while signing in via the Wi-Fi Captive Portal login dialog.

The reason is the state of the Captive Portal itself where many devices don’t allow any multitasking while in the “captive state”. This makes it impossible to open other applications, such as Microsoft Authenticator or 1Password, while signing in via the captive portal.

Azure AD Multi-Factor Authentication and Conditional Access policies give you the flexibility to prevent MFA from users for specific sign-in events, such as the Captive Portal sign-in.

In this example, we will configure a simple Azure AD Conditional Access Policy that requires MFA for all Cloud applications, except Captive Portal Sign-in.

In order to use Azure AD Conditional Access policies your organization needs to switch from “per-user MFA” to Conditional Access MFA. This is described and recommended by Microsoft in these articles:

 

Setting up a Conditional Access Policy to prevent 2FA in Captive Portal. #
  1. In this example, we assume that you have configured the application “Acme Corp WiFi Portal” as described in this article.
  2. Then, make sure your organization has switched from “per-user MFA” to “Conditional Access MFA” as described in the Microsoft article above.
    1. While you are logged in to your organization’s Azure Portal (https://portal.azure.com)
    2. Select Users and then select “Per-user MFA”

      Make sure the multi-factor auth status is Disabled.


      Setting “per-user MFA” to disabled is a prerequisite to making the Conditional Access policy work in the next step.

    3. Under Azure Services, choose Azure Active Directory
    4. Select Security
    5. Under Protect select Conditional Access
    6. Click + New Policy
      • Name
        • For example “Acmecorp MFA App Policy”
      • Users
        • Include “Alla users”
      • Cloud apps or actions
        • Select what this policy applies to: Cloud apps
        • Include: All cloud apps
        • Exclude: Select excluded cloud apps -> “Acme Corp WiFi Portal” (in our example)
      • Grant
        • Select Grant access
        • Check “Require multifactor authentication”
        • Click Select
      • Enable policy
        • Select On (or Report-only to verify first)
      • Click Save
  3. Done
    You have now defined a Conditional Access Policy that requires all cloud apps to use MFA except for “Acme Corp WiFi Portal”. Now users signing in to the Wi-Fi via the Captive Portal will not be prompted for Multi-Factor Authentication.

 

Please note that in a real-world example, you should always verify any changes to security settings with your organization’s security department.

Netgraph
Powered by  GDPR Cookie Compliance
Cookie Overview

What are cookies?

Cookies are small text files consisting of letters and numbers. These are sent from Netgraph Sverige AB or our partners' web servers and stored on your device (for example, computer or mobile). They can be stored in two different ways.

Session cookies are temporary cookies that disappear when you close your browser or app.
Persistent cookies are cookies that remain on your computer until you delete them or until they expire.

Different types of cookies

Both our website and others, such as Facebook or Google, may place cookies on your computer when you visit this website. Cookies from the website you are visiting are called first-party cookies and cookies from other websites are called third-party cookies.

Other files, similar to cookies, are web beacons and similar technologies. Web beacons are small transparent graphic images that may be contained in emails we send to you.

Why do we use cookies?

We use cookies to make your visit to our website as enjoyable as possible, and to improve it even more. However, we do not store IP numbers or similar personal data about you.

Functionality cookies improve your experience

We store cookies about the pages you have visited to make your experience on our website as smooth as possible. For example, we can prevent you from seeing a pop-up window more than once.

Analytics cookies help us to make our website better

We use cookies to collect aggregate analytical information about how you use the site, such as statistics on our most popular pages. With the information we get, we can improve our web and our offers.

Deleting cookies

Your browser or device usually allows you to set which cookies can be stored on your computer. For example, you can choose to block all cookies, only accept cookies from the website you are visiting or delete all cookies when you close your browser. Look under Settings.

Questions?

Do you have any questions about how we use cookies? You can always reach Netgraph Sverige AB's data protection officer at info@netgraph.se

This information was updated on August 26, 2024.