How multiple conditional access policies are applied in Azure?

Lt. Columbo 306 Reputation points

Hi guys,

There are 5 conditional access policies.




Block International block access to all users from all countries except the US.
Block Intntl Except UK is applied to user A and block all countries except the UK.
User A at the moment the UK and cannot access Microsoft 365 services.
When I run What If only Block International policy is applied and Block Intntl Except UK is not.


Could you please advise why is could be so.

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
17,522 questions
{count} votes

Accepted answer
  1. SubhashSharma-MSFT 661 Reputation points Microsoft Employee

    Hi @Lt. Columbo

    Thank you for sharing the details over message.

    As both the user and location is Included and not Excluded, it is expected that the sign in from UK is being blocked due to policy configuration of 'Block International'.
    In the WhatIf test, 'Block International' policy is applied because the location is Included and does not apply 'Block Intntl Except UK' because UK is excluded.

    If multiple policies are in scope then most restrictive policy is enforced. For details please review Assigning policies to groups and users

    To fix this, you can choose to exclude the user from 'Block International' policy, re-evaluate the Named location configuration or update the Grant controls.

    I hope this helps in resolving the issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    3 people found this answer helpful.

0 additional answers

Sort by: Most helpful