Share via

Conditional Access for MFA

Sirs 0 Reputation points
Oct 30, 2023, 10:51 PM

I have understanding questions about Conditional Access.

  1. if I define an IP Range and want to say that users from that range do not need MFA all the time, do they need to be included or excluded in the MFA policy? Is it include all and exclude safe ips?
  2. if a user is in 2 MFA policies, which policy applies?
  3. e.g. if risk is set "High" in MFA, the user must authenticate with MFA for risky access, at the same time does this mean that the user will never be asked for MFA at login at any level below? (if no setting is set under "Session").
  4. is it recommended to create multiple policies for e.g. different risk levels?

Thanks a lot.

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
22,616 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Andy David - MVP 150.9K Reputation points MVP
    Oct 31, 2023, 11:45 AM

    Lots of questions! :)

    1. Require MFA for ALL locations except for trusted locations (OR your IP range ) is the usual recipe here: https://learn.microsoft.com/en-us/entra/identity/conditional-access/location-condition
    2. Both apply: https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-policies User's image
    3. See above, If the policy applies then all are applied. A user wont be asked to MFA twice since the existing token will already satisfy the requirement unless you also have a policy that has a diff auth context that needs to be fulfilled: https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-cloud-apps
    4. Depends on your requirements. If you want to block high sign-in risk and allow MFA for medium, two policies are needed. IF you want to allow the user to MFA with both high and medium sign in risk , then only one policy is needed. If you want to also block high user risk, thats a separate policy.

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.