This message was deleted.

What is the IdP?

azure AD

My approach would be this : I would look at doing a trusted IP setup in conditional access. Citrix isn’t controlling the MFA parts, as it’s azure side of things. Not needed but updates the network locations for the public IP addresses of the internal engress IP scheme. The public IP for the internal users. Then what is needed is to go into entrance AD > security > conditional access. Create a policy and add those IP addresses in and exclude them. I can’t remember the exact details. But it’s online on how to do this. That should allow DaaS users internally to bypassed MFA prompt from Entra AD.

thanks, i think this is it - https://learn.microsoft.com/en-us/archive/blogs/latam/skip-mfa-o365

That’s a start definitely. Not certain in the ADFS part for them. But if it’s in the mix, then sure.

thanks Ray. so the steps are for office 365 but i think i really need to do it in the azure portal. not sure.

Conditional access is in the azure portal that applies all and everything depending on conditions/apps. There a good bit of actions In there. That link is old and some things are different now. But it’s similar

yeah, so if i create a policy that disables MFA it will disable it for everything not just citrix cloud logins, right?

You have to apply filters like Hybrid Join, Public IP Adress Range, Group Membership ecc. in your Conditional Access Policy to achieve that.