![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(195.2, 2%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJN%3C/text%3E%3C/svg%3E)
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,631 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 81%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
Hi @James Nyunt ,
I understand that you created a conditional access policy to block access to Exchange online except with trusted IPs, which you disabled and re-enabled. The policy was applied the first time, but after re-enabling the policy, the users were able to log in without being blocked.
Is this a new session or the same session that was used for the initial login? Block access for devices is not applied until the session timeout expires. When a user signs in using their laptop and establishes a session, the user can continue to access everything until the session timeout expires. This is documented in the Block access by location with Azure AD Conditional Access guide.
If this does not apply to your situation and your users are still able to access everything, there are some other reasons why this could be happening and several possible solutions.
I would confirm that the policy is set to require "all of the selected accounts", confirm whether the login is showing up as success or failure, and whether the conditional access policy is getting applied.
If you have not blocked legacy authentication protocols, this could also cause some issues as they do not support MFA and users can bypass Conditional Access this way. Exchange Online does a pre-auth step before sending the sign-in to Azure, so if you disable those methods in Exchange Online, it won't forward the request to Azure.
You can use the "What If" tool to troubleshoot Conditional Access to troubleshoot which policies are being applied. https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/what-if-tool
To apply more layers of protection one option would be to create a trusted region and then apply a policy which blocks access by default, but excludes your trusted region. You could also consider applying smart lockout to your accounts.
If these suggestions do not apply to your scenario, please share a screenshot of your conditional access policy configuration and user sign-ins and I will be able to better assess the situation.
Let me know if this helps and if you have further questions
-
If this answer was helpful to you, please consider marking as answer so that others in the community with similar questions can more easily find a solution.