Bypass multi-factor authentication in Entra ID

In this topic, you will learn how to whitelist the IP addresses of Portnox™ Cloud services in Microsoft Entra ID so that you can bypass multi-factor authentication (MFA) when accessing Entra ID services.

Note: Microsoft Azure Active Directory has been renamed by Microsoft and is now called Microsoft Entra ID.
Note: You only need to complete this task if you turned on multi-factor authentication (MFA) in Microsoft Entra ID for the policies that you use with Portnox Cloud.
  1. Open your Azure Portal dashboard.
  2. In the Search resources, services, and docs field, start typing conditional access, and then click on the Microsoft Entra Conditional Access entry listed below.

  3. In the left-hand side menu of the Conditional Access pane, click on the Named locations option.

  4. In the top menu, click on the + IP ranges location button.

  5. In the New location (IP ranges) pane, in the Name field, enter a name for the new range, and then click on the  +  button to add IP ranges. When done, click on the Create button below.

    In this example, we used the name Portnox Cloud but you can use any name you like.

    • If your instance uses the United States region for the Cloud RADIUS server, enter the following IP ranges:

      • 13.92.154.121/32 (used for network authentication)
      • 13.92.155.150/32 (used for AgentP enrollment)

    • If your instance uses the European region for the Cloud RADIUS server, enter the following IP ranges:

      • 13.95.164.190/32 (used for network authentication)
      • 104.40.220.180/32 (used for AgentP enrollment)

    • If your instance uses both regions, add all four IP ranges listed above.

  6. In the left-hand side menu of the Conditional Access pane, click on the Policies option.

  7. Find the policy that you want to edit in the list of existing policies and click on its name.

    Note: Select the policy that has multi-factor authentication enabled, where you need to bypass MFA to gain access to Portnox Cloud services.
  8. In the pane for the selected policy, click on Conditions > Locations > Configure > Yes > Exclude > Selected locations > Select, and in the Select pane, select the IP range you just created, click on the Select button, and then click on the Save button.

  9. Optional: If classic policies are configured, whitelist the IP addresses in classic policies, too.