Create conditional access if user try to login with untrusted named location request MFA for verify legitimate user.

Question

"Hello everyone,

I have a question regarding conditional access, and I'd like to explain my intended scenario in steps:

1. First, I create a named location using an IP range.
2. Then, I create location-based conditional access.
3. In the Conditional Access (CA) conditions, I specify the location to 'Include Any location' and exclude all trusted locations (where the trusted location was created in step 1).
4. Under the Grant settings, I currently have 'Block access.'
5. The current behavior of this conditional access policy is that if a user attempts to log in to a cloud app from an untrusted location, the login is refused.

The CA policy is working correctly in this regard. However, what I want is for the user to be prompted for multi-factor authentication (MFA) when trying to log in from an untrusted network, rather than blocking access outright."

I hope you support

Answer 1

Hello @Dilusha Priyantha Karunarathna ,

Thank you for reaching out. I assume you are following the template listed on following document which blocks access from untrusted location: https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-location.

However, if you would like to prompt for MFA than you can make change in Grant Controls section of your Policy. In Grant controls instead of selecting block access you can select Grant >> Require MFA. These users logging in from Untrusted location would be requested to complete MFA and users logging in from trusted location would be allowed without MFA.

Details about Grant Controls can be found on following link: https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-grant

I hope this helps and hence would request you to please "Accept the answer" if the information helped you. This will help us and others in the community as well.