Azure MFA Conditional Access Policy results

Dave Greenwalt 1 Reputation point

Hello! I'm almost done configuring my conditional access test and I want to confirm I'm reading the Sign-In logs correctly. Specifically the Conditional Access Policy Results. I've added screenshots below.

My policy: For all locations except the corporate network, prompt for MFA. I currently have it set up for one user only when logging into

The first image shows the sign-in log's Location Tab. It shows the Trusted Network listed. However, the second image (same Sign-In Log) shows the Conditional Access evaluation fails at the Location with a "Not Matched" result.

The third image is a login off the corporate network. I used the cellular data on my personal phone. I was successfully prompted for MFA.

Shouldn't the Corporate Network login read "Matched" because the login came from the Trusted Network? I'm getting the desired result, but I'm worried I won't be reading the policy evaluations correctly when moving forward and adding more and more policies.




Microsoft Entra ID

1 answer

  1. Pavel yannara Mirochnitchenko 12,066 Reputation points MVP

    So in the second picture, did you get an MFA prompt?

    I was investigating MFA and Conditional Access due to the MS-500 certification, and I remember it has a slightly odd logic, since "Failure" actually means the CA denies the access and "Not Applied" means the CA is not applied due to its policy config and does not match for authorization which should happen. Also remember that for Known Location you should specify the WAN IP range, not LAN (NAT).

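The thread's scenario as an added example, not code from either poster or from Microsoft: a simplified model of a policy that includes all locations and excludes a trusted one, evaluated for an office and a cellular sign-in. The `Policy` class, `evaluate` function, and the IP ranges are constructed assumptions; the second policy shows why the trusted range has to be the public (WAN) range.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Policy:
    name: str
    excluded_ranges: list          # trusted named location, as CIDR strings
    grant_control: str = "Mfa"

def in_ranges(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)

def evaluate(policy, public_ip, mfa_completed):
    """Per-condition and overall result for one sign-in (simplified model).

    The service only sees the public address the request arrives from,
    so that is the only address compared with the excluded ranges.
    """
    # "All locations" is included, so the condition matches unless the
    # sign-in falls inside an excluded (trusted) range.
    location_matched = not in_ranges(public_ip, policy.excluded_ranges)
    if not location_matched:
        # Excluded location: the policy is out of scope, nothing is enforced.
        return {"location": "Not matched", "result": "notApplied", "controls": []}
    result = "success" if mfa_completed else "failure"
    return {"location": "Matched", "result": result,
            "controls": [policy.grant_control]}

# Constructed sample data (documentation address ranges, not real networks).
wan_policy = Policy("MFA outside corporate network", ["203.0.113.0/24"])
lan_policy = Policy("Trusted location defined with LAN range", ["10.0.0.0/8"])

SIGN_INS = {
    "office": ("203.0.113.25", False),    # corporate egress IP, MFA not done
    "cellular": ("198.51.100.77", True),  # phone on mobile data, MFA completed
}

def report(policy):
    return {where: evaluate(policy, ip, mfa)
            for where, (ip, mfa) in SIGN_INS.items()}

if __name__ == "__main__":
    for p in (wan_policy, lan_policy):
        print(p.name)
        for where, outcome in report(p).items():
            print(f"  {where:9} {outcome}")
```

In this model the office sign-in reads "Not matched" for location because the trusted network is the exclusion, so the policy as a whole is `notApplied`; with the LAN range the same office sign-in matches and the MFA control is enforced.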