This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Hello,
I'm at the moment securing my tenant's MFA via Conditional Access rules.
I see you can setup MFA from the url https://account.activedirectory.windowsazure.com/UserManagement/MultifactorVerification.aspx (admin center and also set Trusted locations)
On the other hand you can also set trusted locations via Conditional Access.
Now the question is wish one of the two will have the upperhand? The CA or The MFA settings?
Do i need to enable trusted locations in CA and in Azure url shown above?
I got a user that logs in that gets the question to "add a phone number to keep the account safe", i don't want that.
Kind regards,
Tom
A cloud-based identity and access management service for securing user authentication and resource access
Answer accepted by question author
If you already have the necessary licensing, go with CA policies. They offer a lot more flexibility, and this is where Microsoft is making future improvements. The per-user MFA settings will eventually be deprecated.
To add more detail, the necessary licensing is Azure AD P1 or P2.
Hi Michev, It's not about license it's more about: what if the two are setup, who will win of the two?
I also realized that if you enable SSPR MFA is enforced to users, all the users will get a MFA question to add phone numbers, even when you don't have it configured via CA rules or Manually per user.
So who of all of those will win?
Both will apply, there's no "win" here. Same for SSPR. If the user is enabled for any of these feature, they will need to provide auth details.
Hi Michev, thank you for the reply. So i know when deploying CA, i will have to disable the MFA per user settings before configuring the CA rules, otherwise it can be bypassed.