Users are still being prompted for MFA with a Conditional Access exclusion in-place

Jordan 25 Reputation points
2025-05-06T02:16:04.07+00:00

I am trying to configure conditional access policies in Microsoft Entra for a hybrid environment. The end goal is to enforce MFA for all high-risk sign-ins while keeping seamless sign-in for trusted locations.

I am encountering an issue where users that are trying to sign in from a verified network are still being prompted for MFA, even though I have excluded trusted locations from the conditional access policy.

Here is what I have set up:

  • I created a conditional access policy which enforces MFA for all users, except if they are signing in from a trusted location.
  • I created a named location with the public IP address range of the users' offices and marked them as 'Trusted'.
  • Hybrid setup: Users are synchronized from on-premises AD using Entra Connect with pass-through auth.
  • Also, the sign-in logs are showing that users are authenticating from the trusted office public IP address range, but MFA is still required.

Is this due to incorrect IP detection, or is there a misconfiguration in my conditional access policies? How can I ensure that users attempting to sign in from the office bypass MFA while keeping the best security practices in place?


Accepted answer
    Johnny 250 Reputation points
    2025-05-06T02:23:47.81+00:00

    The users that are attempting to sign in from the office network are likely still being prompted for MFA due to one of the following reasons:

    • Misconfigured Named Locations
      • Confirm that the public IP ranges in your named locations match your office network's outbound public IP ranges exactly
    • Azure Active Directory Sync Authentication Method
      • As you are using Pass-through authentication, check if users are authenticating against Azure Active Directory directly, or if they are being redirected through your on-prem infrastructure
      • In some hybrid configurations, authentication might originate from an unexpected IP address, which will trigger MFA incorrectly like you're experiencing here
    • Conditional Access Policy Scope
      • Make sure that your exclusion rule explicitly covers all users who should bypass MFA when accessing from your trusted locations
      • You can test this by temporarily assigning the policy to a subset of users to validate the exclusion is working as expected

    Please check the above recommended fixes, and report back your findings!

    1 person found this answer helpful.
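The first two checks in the accepted answer (do the named-location ranges really cover the egress IPs seen in the sign-in logs, and is MFA still being required for sign-ins that do fall inside a trusted range?) can be done mechanically against an export of the sign-in logs. The script below is an added example, not code from the question or the answer, and not a Microsoft tool: the named-location names, CIDR ranges and sign-in entries are all constructed sample data. It reproduces the core of how a trusted named location matches a sign-in (address-in-range, same IP version) and sorts each sign-in into "IP not covered" (fix the named location) versus "covered but MFA still required" (fix the policy scope or exclusion), which separates the two failure modes the answer lists.

```python
import ipaddress

# Constructed named-location definition: names and CIDRs are sample values,
# not the poster's real office ranges.
TRUSTED_NAMED_LOCATIONS = {
    "Office - HQ": ["203.0.113.0/24"],
    "Office - Branch": ["198.51.100.32/27"],   # covers .32 - .63 only
}

# Constructed sign-in log entries in the shape you would get from an export:
# caller IP plus whether the sign-in was challenged for MFA.
SAMPLE_SIGN_INS = [
    {"user": "alice@example.com", "ipAddress": "203.0.113.45",   "mfaRequired": True},
    {"user": "bob@example.com",   "ipAddress": "198.51.100.70",  "mfaRequired": True},   # just past the /27
    {"user": "carol@example.com", "ipAddress": "2001:db8::1",    "mfaRequired": True},   # IPv6 egress, no v6 range defined
    {"user": "dave@example.com",  "ipAddress": "203.0.113.200",  "mfaRequired": False},
]


def build_networks(named_locations):
    """Parse each named location's CIDR list into ip_network objects.

    strict=False tolerates host bits being set (e.g. 203.0.113.45/24), which is
    a common copy-paste mistake when defining ranges.
    """
    return {
        name: [ipaddress.ip_network(cidr, strict=False) for cidr in cidrs]
        for name, cidrs in named_locations.items()
    }


def match_location(ip_str, networks):
    """Return the name of the first trusted location containing ip_str, else None.

    Matching is by address-in-range and requires the same IP version, so an
    IPv6 caller never matches an IPv4-only named location.
    """
    ip = ipaddress.ip_address(ip_str)
    for name, nets in networks.items():
        for net in nets:
            if ip.version == net.version and ip in net:
                return name
    return None


def triage(sign_ins, named_locations):
    """Classify each sign-in into one of three buckets so the right fix is obvious."""
    networks = build_networks(named_locations)
    results = []
    for entry in sign_ins:
        loc = match_location(entry["ipAddress"], networks)
        if loc is None:
            verdict = "IP not covered by any trusted named location (fix the named location)"
        elif entry["mfaRequired"]:
            verdict = f"inside '{loc}' but MFA still required (check policy scope/exclusions)"
        else:
            verdict = f"inside '{loc}' and no MFA (exclusion working)"
        results.append({"user": entry["user"], "ipAddress": entry["ipAddress"],
                        "location": loc, "verdict": verdict})
    return results


if __name__ == "__main__":
    for row in triage(SAMPLE_SIGN_INS, TRUSTED_NAMED_LOCATIONS):
        print(f"{row['user']:<20} {row['ipAddress']:<16} {row['verdict']}")
```

Run it over the real sign-in export and the real named-location ranges: a cluster of "not covered" rows from one office usually means the egress address changed or a secondary range (an IPv6 prefix, a backup ISP, a NAT pool) was never added, while "covered but MFA still required" rows point at the policy itself, typically a user or group missing from the exclusion or a second policy that also requires MFA.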
