How to exclude one account from conditional access policy, but the account needs to login from a certain device and IP?

NoobieIT 0 Reputation points
2023-07-27T00:45:57.6033333+00:00

We currently have one MFA CA policy for all accounts, but we need to exclude a certain account from having to use MFA. We would like to lock this account down so it can only access cloud apps from a certain device name and IP address. We currently have the following setup regarding CA policies.

  1. Excluded the account from the main MFA CA policy.
  2. Created a named location that includes the IP address that we would like to use.
  3. Created an allow CA policy, which includes only the one account, the location, and a filter by device name. Also, the grant permission is set so that the device must be compliant and Azure AD joined.

Even with this setup, the account can be logged into on another compliant Azure AD joined device that is on another network. Would we need to include a block policy for the one account in some way?

Microsoft Entra ID

2 answers


  2. Sandeep G-MSFT 20,701 Reputation points Microsoft Employee
    2023-07-27T10:01:58.8533333+00:00

    @NoobieIT

    Here you have configured the CA policy correctly so far.

    As per your scenario, you have created a policy which is applied to only one user with a named location and a Windows device. Also, the device has to be compliant.

    In the above policy you can add device filters and configure the device display name to it.


    With this, the user can only access the Azure services from one device with a specific display name, which is Azure AD joined and compliant.

    https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-condition-filters-for-devices#supported-operators-and-device-properties-for-filters

    Let me know if you have any further questions.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

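The question asks whether a block policy is needed and the answer describes the device filter; this added Python model (not from the post, the answerer or Microsoft) shows how the two interact: a policy's grant controls are enforced only when all of its conditions match, so an allow policy scoped to one device and location says nothing about sign-ins from elsewhere, and only a policy whose conditions cover those other sign-ins (here, a block policy with the device filter in exclude mode) constrains them. Field names, account names and addresses in the model are constructed; only the filter rule syntax follows the linked documentation.

```python
# Added example (not from the post or from Microsoft): a simplified model of how
# Conditional Access combines policies. Field names are constructed for this
# illustration, not the Graph schema; only the device filter rule syntax is real.
import re
def device_filter_matches(rule, device):
    """Evaluate a filter rule; only -eq / -ne on displayName are modelled."""
    m = re.fullmatch(r'device\.displayName\s+(-eq|-ne)\s+"([^"]*)"', rule)
    if not m:
        raise ValueError(f"unsupported rule: {rule}")
    op, value = m.groups()
    equal = device.get("displayName") == value
    return equal if op == "-eq" else not equal

def policy_applies(policy, signin):
    """A policy's grant controls apply only when every configured condition matches."""
    c = policy["conditions"]
    if signin["user"] in c.get("excludeUsers", []):
        return False
    users = c.get("includeUsers", ["All"])
    if "All" not in users and signin["user"] not in users:
        return False
    if "includeLocations" in c and signin["ip"] not in c["includeLocations"]:
        return False
    f = c.get("deviceFilter")
    if f:
        hit = device_filter_matches(f["rule"], signin["device"])
        if (f["mode"] == "include") != hit:  # include needs a hit, exclude needs a miss
            return False
    return True

def evaluate(policies, signin):
    """Union the grant controls of every applicable policy; any block wins."""
    controls = set()
    for p in policies:
        if policy_applies(p, signin):
            controls |= set(p["grant"])
    return "block" if "block" in controls else controls
# Constructed scenario mirroring the question: one account, one named location, one device name.
KIOSK = 'device.displayName -eq "KIOSK-01"'
MFA_ALL = {"conditions": {"excludeUsers": ["svc-kiosk"]}, "grant": ["mfa"]}
ALLOW_KIOSK = {"conditions": {"includeUsers": ["svc-kiosk"], "includeLocations": ["203.0.113.10"],
                              "deviceFilter": {"mode": "include", "rule": KIOSK}},
               "grant": ["compliantDevice", "azureAdJoinedDevice"]}
# The block policy the question asks about: same account, any device except KIOSK-01.
BLOCK_OTHER_DEVICES = {"conditions": {"includeUsers": ["svc-kiosk"],
                                      "deviceFilter": {"mode": "exclude", "rule": KIOSK}},
                       "grant": ["block"]}
ON_KIOSK = {"user": "svc-kiosk", "ip": "203.0.113.10", "device": {"displayName": "KIOSK-01"}}
ELSEWHERE = {"user": "svc-kiosk", "ip": "198.51.100.7", "device": {"displayName": "LAPTOP-77"}}
```

With only `MFA_ALL` and `ALLOW_KIOSK`, `evaluate(..., ELSEWHERE)` returns an empty set, which is the behaviour described in the question; the modelled block policy constrains the device only, and restricting the network the same way needs a location condition on a blocking policy as well, since the allow policy's named location is also only a condition.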
