![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(22.400000000000002, 60%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHG%3C/text%3E%3C/svg%3E)
25,132 questions
Hello,
The behavior you are seeing with the location condition in your Conditional Access policy is expected. When the location condition is set to "Any location," it means that the policy will evaluate the user's location on every sign-in attempt, regardless of whether the user has previously been authenticated with MFA or not.
This means that if a user signs in from a new location (i.e., a different IP address) that they have not previously signed in from, the policy will evaluate the user's location and determine whether or not to require MFA based on the other conditions of the policy.
It's also worth noting that the sign-in frequency period only applies to subsequent sign-ins from the same location. If a user signs in from a new location, the policy will evaluate the location condition regardless of whether the user has recently authenticated with MFA from a different location.
You can find more information about location-based Conditional Access policies in the Microsoft documentation: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/location-conditions.
