Conditional access policy overwritten after sign in through MFA


There is a conditional access policy to prevent access from external IP addresses, but after somebody uses the authenticator app to sign in through MFA, this policy doesn't work anymore. How can this be prevented?


1 answer

  1. Vasil Michev 99,936 Reputation points MVP

    Do you mean the scenario where the user logs in from a known/trusted location and then moves to a new one? The Continuous access evaluation feature should trigger a near real-time evaluation of the CA policy. However, there are some caveats, such as client support. Most importantly, if you have defined trusted networks in the old Azure MFA portal (the per-user MFA), CAE will not trigger. Replace the old config with CA policies/IP-based named locations in the Azure AD blade.
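
The replacement configuration the answer recommends (an IP-based named location referenced by a Conditional Access policy) can also be created with Microsoft Graph PowerShell. This is an added example, not part of the original answer; the display names and the `203.0.113.0/24` range are constructed placeholders, and the policy is created in report-only state so its effect can be reviewed in the sign-in logs before enforcement.

```powershell
# Added example. Requires the Microsoft.Graph.Identity.SignIns module
# and an account allowed to manage Conditional Access.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess'

# 1. IP-based named location, marked as trusted.
#    203.0.113.0/24 is a constructed sample (documentation range);
#    replace it with the organisation's real egress ranges.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'Corp egress (example)'
    isTrusted     = $true
    ipRanges      = @(
        @{
            '@odata.type' = '#microsoft.graph.iPv4CidrRange'
            cidrAddress   = '203.0.113.0/24'
        }
    )
}

# 2. Policy that blocks every location except the named location above.
#    The location condition lives in the CA policy itself rather than in
#    the legacy per-user MFA trusted IP list.
$policy = @{
    displayName   = 'Block sign-in outside corp egress (example)'
    # Report-only: evaluated and logged, not enforced.
    # Change to 'enabled' only after reviewing the sign-in logs.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users        = @{ includeUsers = @('All') }
        applications = @{ includeApplications = @('All') }
        locations    = @{
            includeLocations = @('All')
            excludeLocations = @($location.Id)
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# 3. Confirm what the tenant now has.
Get-MgIdentityConditionalAccessNamedLocation | Select-Object Id, DisplayName
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State
```

This covers only the Conditional Access side; the trusted networks defined in the old per-user MFA settings still have to be removed there.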