Conditional Access for MFA

Sirs 0

I have understanding questions about Conditional Access.

if I define an IP Range and want to say that users from that range do not need MFA all the time, do they need to be included or excluded in the MFA policy? Is it include all and exclude safe ips?
if a user is in 2 MFA policies, which policy applies?
e.g. if risk is set "High" in MFA, the user must authenticate with MFA for risky access, at the same time does this mean that the user will never be asked for MFA at login at any level below? (if no setting is set under "Session").
is it recommended to create multiple policies for e.g. different risk levels?

Thanks a lot.

JamesTran-MSFT 36,631 Reputation points Microsoft Employee

2023-11-08T23:36:51.69+00:00

@Sirs

I wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
Sirs 0 Reputation points

2023-11-08T23:39:28.2933333+00:00

I have an unsolved followup question: For Nr. 3: I meant if only one policy exists and there is the checkbox for "high risk" marked. This would mean MFA requirement for high risk logins and all other like middle and low will never require MFA in this scenario, as it is not required, right?
For that case I would need another policy for middle and low, so that at least MFA is required once a week or so.

1 answer

Andy David - MVP 148.7K Reputation points MVP

2023-10-31T11:45:25.5733333+00:00
Lots of questions! :)

Require MFA for ALL locations except for trusted locations (OR your IP range ) is the usual recipe here: https://learn.microsoft.com/en-us/entra/identity/conditional-access/location-condition

Both apply: https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-policies

See above, If the policy applies then all are applied. A user wont be asked to MFA twice since the existing token will already satisfy the requirement unless you also have a policy that has a diff auth context that needs to be fulfilled: https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-cloud-apps

Depends on your requirements. If you want to block high sign-in risk and allow MFA for medium, two policies are needed. IF you want to allow the user to MFA with both high and medium sign in risk , then only one policy is needed. If you want to also block high user risk, thats a separate policy.
Please sign in to rate this answer.
Sirs 0 Reputation points

2023-10-31T21:37:47.09+00:00

Thank you, that helped a lot. For Nr. 3 I have a follow up, I meant if only one policy exists and there is the checkbox for "high risk" marked. This would mean MFA requirement for high risk logins and all other like middle and low will never require MFA in this scenario, as it is not required, right?
For that case I would need another policy for middle and low, so that at least MFA is required once a week or so.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Your answer