When you enable Azure MFA on a tenant, you get the option to configure IP whitelisting. Another nice feature is to require MFA only when users do not originate from the intranet. In a multisite environment, with offices located all over the world, or if you do not have a persistent IP from your internet service provider, this is like gold!
If you want this to work, you have to do some configuration on your Active Directory Federation Services (ADFS) server. Along with the normal claims, you also have to send another one.
Alongside enabling this, I'll also configure the service so the users can tick the Keep me signed in box.
Sign in to your ADFS server and open the ADFS Management Console. Browse to Trust Relationships -> Relying Party Trusts. There you find Microsoft Office 365 Identity Platform.
Right-click it and select Edit Claim Rules…
You are now looking at the default claim rules configured for Office 365. We will add two rules here: one for the Inside Corporate Network feature and one for the Keep me signed in feature.
First the Inside Corporate Network setting. Click Add Rule… and from the dropdown menu select Pass Through or Filter an Incoming Claim.
Then give the rule a good name, and set the Incoming claim type to Inside Corporate Network. That is it.
The next one is for Keep me signed in. Add a new rule, and from the dropdown menu select Send Claims Using a Custom Rule.
On the next page, give the rule a good name, and add this custom rule:
c:[Type == "http://schemas.microsoft.com/2014/03/psso"] => issue(claim = c);
That is all. Your MFA-enabled users no longer get a request to verify their authentication when they originate from the intranet.
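The same two rules can be appended to the Office 365 trust from PowerShell instead of the GUI; this is an added example, not code from the original post, and it assumes the ADFS module is available on the primary ADFS server and that the trust still carries its default display name.

```powershell
# Added example: append the two pass-through rules described above to the
# Office 365 relying party trust. Assumes an elevated session on the primary
# ADFS server with the ADFS PowerShell module installed.
Import-Module ADFS

$trustName = 'Microsoft Office 365 Identity Platform'
$rpt = Get-AdfsRelyingPartyTrust -Name $trustName
if (-not $rpt) { throw "Relying party trust '$trustName' not found." }

# Claim types: the standard Inside Corporate Network claim, and the persistent
# SSO claim behind "Keep me signed in" (the one quoted in the post).
$insideCorpNet = 'http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork'
$psso          = 'http://schemas.microsoft.com/2014/03/psso'

$corpNetRule = @"
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through Inside Corporate Network"
c:[Type == "$insideCorpNet"]
 => issue(claim = c);
"@

$pssoRule = @"
@RuleName = "Pass through PSSO (Keep me signed in)"
c:[Type == "$psso"]
 => issue(claim = c);
"@

# Only append rules for claim types the trust does not already issue, so the
# script can be re-run without duplicating rules.
$current  = [string]$rpt.IssuanceTransformRules
$rules    = [ordered]@{ $insideCorpNet = $corpNetRule; $psso = $pssoRule }
$toAppend = @()
foreach ($entry in $rules.GetEnumerator()) {
    if ($current -match [regex]::Escape($entry.Key)) {
        Write-Host "Rule for $($entry.Key) already present; skipping."
    } else {
        $toAppend += $entry.Value
    }
}

if ($toAppend.Count -gt 0) {
    $combined = $current.TrimEnd() + "`n`n" + ($toAppend -join "`n`n")
    Set-AdfsRelyingPartyTrust -TargetName $trustName -IssuanceTransformRules $combined
    Write-Host "Added $($toAppend.Count) rule(s) to '$trustName'."
}

# Verify: the trust's rule set should now contain both claim types.
(Get-AdfsRelyingPartyTrust -Name $trustName).IssuanceTransformRules
```

Because Azure AD relies on this claim to decide when to skip MFA, confirm after the change that only requests reaching ADFS directly from the internal network, and not those arriving through the Web Application Proxy, are issued insidecorporatenetwork = true.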