How can I set Conditional Access by IP address without mfa enabled?

JayDill 1 Reputation point

We have an email account that should only be accessed by users in the building- How can we restrict login by IP to an account without MFA

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,092 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. AmanpreetSingh-MSFT 56,441 Reputation points

    Hi @JayDill • Thank you for reaching out. For this purpose, please configure Conditional Access as mentioned below:

    1 . Azure AD > Security > Named locations > +IP ranges location > Assign a name and add public IP subnet or address that represents the public IP of the building.
    2 . Create a Conditional Access Policy with below settings:

    • Add user account (the email account is configured for).
    • Under Cloud apps or actions, add Office 365 Exchange Online.
    • Under Conditions > Locations > Include Any location and exclude the location created in step 1.
    • Under Grant > Block access.
      3 . Set Enable Policy to ON and create the policy.

    With above settings, conditional access will block sign-in for the specified account from all locations except the location (trusted building) excluded from the policy and MFA won't be required.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.