ZIA O365 with Azure AD MFA

Hi Team,
One of our customers is using ZIA + Azure AD with MFA using a source-IP-based condition.

When they enable the tenant restriction on O365 traffic, the Microsoft login service URLs will be SSL inspected (and an XFF header will be added by the Zen nodes).

Since MS doesn’t support the XFF header (https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition#cloud-proxies-and-vpns), MFA will be triggered even when the users are in the corporate location.

The customer wants to trigger MFA only when the users are outside the corporate location and wants to know how our other customers are configuring MFA with Azure AD.

Please let me know your suggestion on this.

Thank you,
Regards,
Ganeshkumar Ramamurthy

Can they try SIPA in that case?

I was going to suggest Source IP Anchoring but that’s what SIPA is :)
They would need to be ZPA customers as well.

Thank you, Prajith and Gordon, for your suggestion.