Hi @Bosland, Stefan,
Thanks for your post! The NPS Extension doesn't look at or interact with Conditional Access policies. All the NPS Extension does is check that the user has strong authentication methods configured (registered) and then prompt the user. It doesn't check whether you have a Conditional Access policy set up.
The purpose of the NPS Extension is to give the NPS server the ability to perform 2FA. Conditional Access policies are triggered for authorization; if the user falls into a policy that requires MFA and has already logged into their VPN and performed MFA through the NPS Extension, then MFA will be skipped in the Conditional Access policy and marked as satisfied by the token (assuming MFA was passed). NPS is simply stating whether or not MFA was passed. Conditional Access policies trigger based on each company's setup, and only then will the results of the 2FA from the NPS Extension (if performed) be applicable.
Because of this, Conditional Access does not apply in the traditional way to connections made through NPS, as the NPS Extension just checks that the user is registered for MFA and then sends the prompt.
There have been some feature requests raised to change this behavior, but this is how the NPS Extension is designed. It is not a cloud app but an on-prem application that uses our APIs to use Azure MFA.
If you want to bypass MFA for non-admins and those users are using VPNs, then this change is made in the NPS network policy settings. If this is a requirement for admins as well, then this will also be determined by the network policies in place within NPS.
Let me know if this helps and if you have further questions.
If the information helped you, please Accept the answer. This will help us as well as others in the community who may be researching similar questions.