Running Delegated Admin PowerShell Scripts with MFA enabled accounts

Microsoft have introduced some important security requirements for users who access customer tenants via delegated administration. Admins and users with access to customer tenants must use multi-factor authentication when accessing customers’ Office 365 environments.

While this is great for security, it will likely break any scripts you have that use the credentials of a delegated admin and don’t prompt for modern authentication.

To keep these scripts operational, you can use MFA whitelisting to exclude the MFA requirement for specific public IPs – eg. your own environment, or your Azure Function apps.

How to retrieve the IP of your own environment

In many cases, you can retrieve your own IP by searching for ‘what is my ip address’. However, before you add this to your whitelist, you should confirm that this is a static, non-changing IP.

Search Google for What Is My IP For MFA WhiteListing

Retrieving IPs for Azure Function Apps

  1. To retrieve the IP Address for your Azure Function App , login to https://portal.azure.com
  2. Navigate to your Azure Function app Retrieve info for Azure Function App MFA Whitelisting
  3. Navigate to Platform Features and click Properties under the General Settings section Access your Azure Function App Platform Features
  4. Retrieve the IPs used by the function app under Outbound IP Addresses and Additional Outbound IP Addresses Retrieve IP Addresses from Azure Function App for MFA Whitelisting

Add the IP addresses to your MFA Whitelist

  1. You can add your IPs to your whitelist by either visiting this link or by navigating via the Azure AD portal using these steps.
  2. Navigate to Azure AD on the left menu. Navigate Azure Active Directory to retrieve IP Addresses for MFA Whitelisting
  3. Scroll down to Conditional Access under the security section in the Azure AD submenu.Azure Active Directory Conditional Access
  4. Click Named Locations Azure Active Directory Named Locations
  5. Click Configure MFA trusted IPs Configure Trusted IPs in Azure Active Directory
  6. Provided you have the right licensing (I think it may require a plan with at least Azure AD P1), you should be presented with a screen that looks like this:Add Trusted IPs To MFA Whitelist
  7. You can enter your IP addresses into the Trusted IPs section. Remember to add /32 to each address and enter each one on a new line.
  8. You should now be able to run your delegated administration scripts from your own environment or Azure Functions without them failing the MFA requirement.

Was this article helpful?

Related Articles