Conditional access policy overwritten after sign in through MFA


There is a conditional access policy to prevent access from external IP addresses, but after somebody uses authenticator app to sign in through MFA, this policy doesn't work anymore. How can be this prevented?

Azure App Services
Azure App Services
A feature of Azure App Service used to create and deploy scalable, mission-critical web apps.
4,567 questions
Azure Active Directory
Azure Active Directory
An Azure enterprise identity service that provides single sign-on and multi-factor authentication.
13,585 questions
No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Vasil Michev 66,616 Reputation points MVP

    Do you mean the scenario where the user logins from a known/trusted location and then moves to a new one? The Continuous access evaluation feature should trigger a near real-time evaluation of the CA policy. However, there are some caveats, such as client support. Most importantly, if you have defined trusted networks in the old Azure MFA portal (the per-user MFA), CAE will not trigger. Replace the old config with CA policies/IP-based named locations in the Azure AD blade.