We have a complicated issue with a complicated setup, so please bear with me on the details as I'm trying to describe the issue as clearly as possible.
We are rolling out MCP to some of our affiliates. They are never connected to our internal network so MCP always sees them as remote users. This hasn't been an issue until recently when we discovered one of our affiliates uses IPs to manage Microsoft MFA; if a user is internal, MFA is shut off but if a user is external, MFA will kick in.
If one of the affiliate's users is in the office, they will have the affiliate's public IP address and MFA knows not to kick in. But if a user is outside of their network, they will have a different public IP and thus MFA will kick in when they try to access things like Outlook, Skype, etc.
So, MCP and MFA are conflicting with each other. MCP users all have their public IP address set to McAfee's Cloud Proxy due to MCP, so MFA ALWAYS thinks they are remote and constantly challenges them even if they are in the office. We can't turn off MCP or the users' traffic never gets filtered, and we can't turn off MFA for obvious security concerns.
We are stuck now having to decide to either get rid of MCP or stop using MFA. Neither solution is optimal. Any thoughts and brainstorming are appreciated. Thank you.