One of our customers is using ZIA + Azure AD with MFA using a source-IP-based condition.
When they enable the tenant restriction on O365 traffic, the Microsoft login service URLs will be SSL inspected (and an XFF header will be added by the Zen nodes).
Since MS doesn’t support the XFF header (https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition#cloud-proxies-and-vpns), MFA will be triggered even when the users are in the corporate location.
The customer wants to trigger the MFA only when the users are outside the corporate location and wants to know how our other customers are configuring MFA with Azure AD.
Please let me know your suggestions on this.