This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(185.6, 14.000000000000002%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPR%3C/text%3E%3C/svg%3E)
Hi There,
We have setup a named location in Azure Conditional Access with our organizations IP ranges in CIDR notation format so that users are not prompted for MFA when in the offices.
When looking at the users sign-in information the IP matches what we have in the named location. However when you drill down into the users policy details for our MFA policy the location is displayed as Not Satisfied.
Is there something I am missing with using named locations? We do have the same IP configured under the MFA site multi-factor authentication service settings, trusted IPs but it shouldnt matter if there is a double up correct?
Any help appreciated.
Thanks
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(291.2, 6%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EB%3C/text%3E%3C/svg%3E)
I am seeing the same thing too still....for weeks now while testing CA Policies. We have a policy that requires MFA with all locations included and our location excluded, but the matching is not working. When I look at the sign in and into the details of the conditional access policy that was applied upon signing in, it says the IP is "not matched", but it shows the IP that doesn't match, and it is the same IP that is excluded. So, doesn't seem to work in the case....we still get the MFA prompt.
Verify that you have excluded the selected locations (Trusted IP ranges) from the policy. I have attached two picture.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(304, 88%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESC%3C/text%3E%3C/svg%3E)
Same here, wanted to move exclusively to Conditional Access Named Location (from MFA Trusted IPs), as per
https://dirteam.com/sander/2020/07/07/todo-move-from-mfa-trusted-ips-to-conditional-access-named-locations/
but it simply does not work, still ask for code even if I am INSIDE the IP range in Named Location
Anybody? Surely I am not the only one...?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(51.2, 10%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDB%3C/text%3E%3C/svg%3E)
Within the same conditional access menu, check that there is no classic policy that generates conflicts.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(316.8, 39%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
This is an old post to I dont see it being resolved. I see exactly the same pproblem. I also do not feel the response is entirely accurate. Let me explain. By all means set MFA to include ALL locations. I exclude Trusted locations. Country is not considered a trust location. There is no tick box so set this to enabled. Moreover, it was it would be a serious issue to treat it as such. However, according to the check on whythe policy is not applied it is because the account falls under country chosen. Error = "not matched - trusted location exclluded" Would be good for Microsoft to provide a solution or an explanation concerning the behavior.