Why isn't my conditional access policy taking effect?

NW Admin 61 Reputation points
2024-07-11T16:59:26.3866667+00:00

I am trying to create a conditional access policy that requires MFA, except for at our trusted locations. However, it doesn't seem to be taking effect.

These are the settings:

Created a test account. The test account has a Microsoft 365 Business Basic license and an Azure Active Directory Premium P1 license. I have a trial of the P1 license.

Test account has MFA configured and set to force.

My public ip is configured as a named location within Conditional access and it is marked as trusted.

I have a conditional access policy that specifically only includes this user. For network, it says "any network or location and all trusted location excluded".

I even let the settings sit for 24 hours to make sure that everything propagates. But, when I try to log in as this user, from this trusted location, I still get the MFA prompt. I am just signing into www.office.com.

The thing is, we were already set up for MFA. And, even before this policy, we were all required to use MFA. So, I'm thinking that there is some other mechanism that is taking effect that is keeping the exception in this conditional access policy from taking effect. But, I don't know where that would be.

For example, I usually use the multi-factor authentication users settings at account.activedirectory.windowsazure.com/UserManagement/MultifactorVerification.... to ensure that users are forced to have MFA. Do those settings override what is in the conditional access policy?


Accepted answer
Raja Pothuraju 8,100 Reputation points Microsoft Vendor
2024-07-12T07:01:39.88+00:00

Hello @NW Admin,

Thank you for posting your query on Microsoft Q&A.

I understand that you have configured a Conditional Access policy requiring MFA from all locations except trusted ones, by adding your public IP address to named location policies. However, during testing, users are prompted for MFA from all locations, even trusted ones.

This behavior occurs because you have enforced MFA using both Per-User MFA (https://account.activedirectory.windowsazure.com/usermanagement/multifactorverification.aspx) and a Conditional Access policy. As Per-User MFA is enabled, this results in MFA prompts for sign-ins.

To effectively enforce MFA for user sign-ins, you have several options such as Security Defaults, Per-User MFA, and Conditional Access policies. However, when using both Per-User MFA and Conditional Access, both policies are checked on a user's sign-in. As you have excluded trusted locations from the Conditional Access policy, the CA policy is not applied to sign-ins from trusted locations, Per-User MFA is applied instead, and the user is prompted for MFA.

The recommended approach is to disable Per-User MFA and enforce MFA solely through Conditional Access policies.

I hope this information is helpful. Please feel free to reach out if you have any further questions.

Please Accept the answer if the information helped you. This will help us and others in the community as well.

Thanks,
Raja Pothuraju.

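An added audit script (not part of the question or the answer above) that checks a user for the conflict the answer describes: an enabled Conditional Access policy that requires MFA but excludes trusted locations, while the legacy Per-User MFA state is still enabled or enforced. It assumes the Microsoft Graph PowerShell SDK is installed, that the per-user MFA state is exposed by the beta endpoint /users/{id}/authentication/requirements (perUserMfaState), and that the listed scopes are sufficient in your tenant; only direct user assignments are checked, not group membership.

```powershell
# Added example, not from the original post. Assumptions: Microsoft.Graph SDK,
# beta endpoint /users/{id}/authentication/requirements for per-user MFA state.
param(
    [Parameter(Mandatory)][string]$UserPrincipalName,
    [switch]$DisablePerUserMfa   # remediation only runs when explicitly requested
)

Connect-MgGraph -Scopes "Policy.Read.All","User.Read.All","UserAuthenticationMethod.ReadWrite.All" -NoWelcome

$user = Get-MgUser -UserId $UserPrincipalName -Property Id,UserPrincipalName
$reqUri = "https://graph.microsoft.com/beta/users/$($user.Id)/authentication/requirements"

# 1. Legacy per-user MFA state: disabled / enabled / enforced
$perUserState = (Invoke-MgGraphRequest -Method GET -Uri $reqUri).perUserMfaState
Write-Host "Per-user MFA state for $($user.UserPrincipalName): $perUserState"

# 2. Enabled CA policies that require MFA and target this user (directly or via "All")
$policies = Get-MgIdentityConditionalAccessPolicy -All | Where-Object {
    $_.State -eq 'enabled' -and
    $_.GrantControls.BuiltInControls -contains 'mfa' -and
    ($_.Conditions.Users.IncludeUsers -contains 'All' -or
     $_.Conditions.Users.IncludeUsers -contains $user.Id)
}

foreach ($p in $policies) {
    # "AllTrusted" is the value behind "All trusted locations" in the exclude list
    $excludesTrusted = $p.Conditions.Locations.ExcludeLocations -contains 'AllTrusted'
    Write-Host ("CA policy '{0}': excludes trusted locations = {1}" -f $p.DisplayName, $excludesTrusted)
    if ($excludesTrusted -and $perUserState -ne 'disabled') {
        Write-Warning ("Per-user MFA is '{0}', so the user is still prompted at trusted " +
                       "locations; the CA exclusion cannot take effect until it is disabled.") -f $perUserState
    }
}

# 3. Optional remediation: move the user to CA-only MFA enforcement
if ($DisablePerUserMfa -and $perUserState -ne 'disabled') {
    Invoke-MgGraphRequest -Method PATCH -Uri $reqUri -ContentType 'application/json' `
        -Body @{ perUserMfaState = 'disabled' }
    Write-Host "Per-user MFA disabled for $($user.UserPrincipalName); MFA is now enforced by Conditional Access only."
}
```

Run it first without -DisablePerUserMfa to confirm the diagnosis on the test account, then with the switch to apply the answer's recommendation for that user.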
