azure-activedirectory-identitymodel-extensions-for-dotnet
.NET Web App on Azure triggers MFA from Entra ID Conditional Access
We're using this library to authenticate users for a .NET web app deployed on Azure App Service. This is for one of our PaaS products. This triggers MFA because the client has Conditional Access policies configured on the Entra ID tenant and the auth request is triggered from the Azure App Service server/host, which is not a whitelisted IP on the client's Entra ID. Is this expected? Is there a design/config option to trigger the auth request from the client browser instead of the web app server?
The policies should apply at sign in. Conditional access docs: https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-assignment-network#when-is-a-location-evaluated
I recommend using Microsoft Identity Web if you have an ASP.NET site. It simplifies dealing with Conditional Access challenges. https://github.com/AzureAD/microsoft-identity-web/wiki/Managing-incremental-consent-and-conditional-access
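As an added illustration (not code from this thread or from the library maintainers), here is a minimal ASP.NET Core setup with Microsoft.Identity.Web: the sign-in itself is an OpenID Connect redirect performed by the user's browser, and a Conditional Access claims challenge raised on a server-side token request is turned back into a browser re-authentication. It assumes the `Microsoft.Identity.Web` package, an `AzureAd` section in `appsettings.json`, and a hypothetical `user.read` downstream scope.

```csharp
// Added example, not from the original thread. Assumes package Microsoft.Identity.Web
// and an "AzureAd" section in appsettings.json (Instance, TenantId, ClientId, ClientSecret).
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Identity.Web;

var builder = WebApplication.CreateBuilder(args);
string[] scopes = { "user.read" }; // hypothetical downstream API scope

// Sign-in is an OpenID Connect redirect: the user's browser, not the App Service
// host, talks to the Entra ID authorization endpoint, so the user's own IP/device
// is what Conditional Access evaluates at sign-in.
builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"))
    // Server-side token acquisition (code redemption, refresh) does originate
    // from the web server's IP; a claims challenge from Entra ID surfaces as
    // MicrosoftIdentityWebChallengeUserException on this path.
    .EnableTokenAcquisitionToCallDownstreamApi(scopes)
    .AddInMemoryTokenCaches();

builder.Services.AddControllersWithViews();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapDefaultControllerRoute();
app.Run();

// [AuthorizeForScopes] catches MicrosoftIdentityWebChallengeUserException and
// redirects the browser to re-authenticate with the claims Entra ID asked for
// (e.g. MFA required by Conditional Access) instead of failing on the server.
[Authorize]
public class ProfileController : Controller
{
    private readonly ITokenAcquisition _tokenAcquisition;

    public ProfileController(ITokenAcquisition tokenAcquisition)
        => _tokenAcquisition = tokenAcquisition;

    [AuthorizeForScopes(Scopes = new[] { "user.read" })]
    public async Task<IActionResult> Index()
    {
        // Token is served from the cache or fetched server-side; a Conditional
        // Access challenge here is converted into a browser redirect by the attribute.
        string token = await _tokenAcquisition.GetAccessTokenForUserAsync(new[] { "user.read" });
        return Content($"Acquired an access token for user.read ({token.Length} chars)");
    }
}
```

The point for the question above: the interactive sign-in is always browser-initiated, while the server-originated token requests are the ones that can hit a location-based policy, and the library's challenge handling pushes those back to the browser.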