Hi @Chen, Liyong,
It sounds like the user could be getting flagged as logging in from two different locations. Azure might be identifying the login as being risky and flagging it.
If you check the Azure AD sign-in logs, you should be able to find the IP that triggers the conditional access rule and verify if it's showing up as a separate location. If it is, you can add that IP as a trusted IP in your conditional access policy.
https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/SignIns
https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition
If this does not work, feel free to send me an email at AzCommunity@microsoft.com ("Attn: Marilee Turscak") and include your subscription ID and a link to this thread, and we can further investigate and open a support ticket if required.
If the information helped you, please Accept the answer. This will help us as well as others in the community who may be researching similar questions.
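Added example, not part of the original answer: one way to do the sign-in log check described above offline, grouping a user's sign-ins by source IP and showing which IPs hit a conditional access failure and whether they fall inside the trusted ranges. The records are constructed in the shape of Microsoft Graph `signIn` objects; the user, policy name, IPs and trusted range are assumptions made up for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed records in the shape of Microsoft Graph signIn objects
# (the data behind the sign-in logs blade). All values are made up.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "user@contoso.example", "ipAddress": "203.0.113.10",
     "location": {"city": "Seattle", "countryOrRegion": "US"},
     "conditionalAccessStatus": "success",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Block untrusted locations", "result": "success"}]},
    {"userPrincipalName": "user@contoso.example", "ipAddress": "198.51.100.77",
     "location": {"city": "Amsterdam", "countryOrRegion": "NL"},
     "conditionalAccessStatus": "failure",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Block untrusted locations", "result": "failure"}]},
    {"userPrincipalName": "user@contoso.example", "ipAddress": "198.51.100.77",
     "location": {"city": "Amsterdam", "countryOrRegion": "NL"},
     "conditionalAccessStatus": "failure",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Block untrusted locations", "result": "failure"}]},
]
# Assumed contents of the trusted named location (hypothetical range).
TRUSTED_RANGES = ["203.0.113.0/24"]


def summarize_by_ip(signins, upn, trusted_ranges):
    """Group one user's sign-ins by source IP and report CA failures per IP."""
    nets = [ipaddress.ip_network(r) for r in trusted_ranges]
    report = defaultdict(lambda: {"locations": set(), "failed_policies": set(),
                                  "failures": 0, "total": 0, "trusted": False})
    for s in signins:
        if s.get("userPrincipalName") != upn or not s.get("ipAddress"):
            continue
        row = report[s["ipAddress"]]
        loc = s.get("location") or {}
        row["locations"].add((loc.get("city"), loc.get("countryOrRegion")))
        row["total"] += 1
        row["trusted"] = any(ipaddress.ip_address(s["ipAddress"]) in n for n in nets)
        if s.get("conditionalAccessStatus") == "failure":
            row["failures"] += 1
            row["failed_policies"].update(
                p.get("displayName") for p in s.get("appliedConditionalAccessPolicies") or []
                if p.get("result") == "failure")
    return dict(report)


if __name__ == "__main__":
    for ip, row in summarize_by_ip(SAMPLE_SIGNINS, "user@contoso.example", TRUSTED_RANGES).items():
        print(ip, row)
```

An IP that shows failures, an unexpected location and `trusted: False` is the candidate to verify with the user before it is added to the trusted list.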