Conditional Access Policy for "Not Require MFA"

YY 21 Reputation points
2022-06-09T03:37:46.25+00:00

Currently, we have a conditional access policy to enforce MFA to all users.

We would like to create another policy that does "not require MFA" when the following conditions are satisfied:

  1. for a specific app (we can select from Enterprise Application).
  2. for the corporate device (we can use DeviceOwnership -eq Company).
  3. with session sign-in frequency of 8 hours (we can set this up in "session" condition).

May I know how we can create another policy for this? It seems that putting those conditions to the original "enforce MFA" policy will mess up the original purpose of "enforce MFA" because other applications using corporate devices are being exempted also.

Thanks.


Accepted answer
Manu Philip 16,971 Reputation points MVP
2022-06-09T03:45:26.563+00:00

    Note the following rules on MFA. More details are here: concept-conditional-access-policies
    All assignments are logically ANDed. If you've more than one assignment configured, all assignments must be satisfied to trigger a policy.
    Multiple Conditional Access policies may apply to an individual user at any time. In this case, all policies that apply must be satisfied. For example, if one policy requires multi-factor authentication (MFA) and another requires a compliant device, you must complete MFA, and use a compliant device.

    ----------

    --please don't forget to upvote and Accept as answer if the reply is helpful--
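To see why a second "not require MFA" policy cannot override the first, here is a small simulation of the AND rule the answer describes. It is a constructed example added here, not Microsoft's evaluation engine or any code from the thread; the app id and the reduced Graph-style policy shape are assumptions.

```python
"""Constructed simulation of how Entra Conditional Access combines policies.
Grant controls of every enabled policy whose assignments match are unioned: the
AND rule means a sign-in must satisfy all applicable policies, so none can remove MFA.
"""
from typing import Dict, List, Set

APP_X = "hypothetical-app-id"  # placeholder, not a real application id


def _app_matches(apps: Dict, app: str) -> bool:
    inc, exc = apps.get("includeApplications", []), apps.get("excludeApplications", [])
    return ("All" in inc or app in inc) and app not in exc


def _device_matches(devices: Dict, ownership: str) -> bool:
    # Filter rule of the form: device.deviceOwnership -eq "Company"
    # mode include -> policy applies only when the rule is true; exclude -> only when false
    flt = devices.get("deviceFilter")
    if not flt:
        return True
    hit = ownership == flt["rule"].split("-eq")[1].strip().strip('"')
    return hit if flt["mode"] == "include" else not hit


def required_controls(policies: List[Dict], app: str, ownership: str) -> Set[str]:
    needed: Set[str] = set()
    for p in policies:
        c = p["conditions"]
        if (p["state"] == "enabled" and _app_matches(c["applications"], app)
                and _device_matches(c.get("devices", {}), ownership)):
            needed |= set(p.get("grantControls", {}).get("builtInControls", []))
    return needed


MFA_ALL = {"displayName": "Require MFA - all apps", "state": "enabled",
           "conditions": {"applications": {"includeApplications": ["All"]}},
           "grantControls": {"builtInControls": ["mfa"]}}
# The asker's second policy: app X on company devices, 8 h sign-in frequency, no MFA control.
SESSION_X_COMPANY = {"displayName": "App X company devices - 8h session", "state": "enabled",
    "conditions": {"applications": {"includeApplications": [APP_X]},
                   "devices": {"deviceFilter": {"mode": "include", "rule": 'device.deviceOwnership -eq "Company"'}}},
    "sessionControls": {"signInFrequency": {"value": 8, "type": "hours", "isEnabled": True}}}
# Split design: take app X out of the broad policy and require MFA for app X only off company devices.
MFA_ALL_EXCEPT_X = {**MFA_ALL, "conditions": {"applications": {"includeApplications": ["All"],
                                                              "excludeApplications": [APP_X]}}}
MFA_X_NOT_COMPANY = {"displayName": "Require MFA - app X off company devices", "state": "enabled",
    "conditions": {"applications": {"includeApplications": [APP_X]},
                   "devices": {"deviceFilter": {"mode": "exclude", "rule": 'device.deviceOwnership -eq "Company"'}}},
    "grantControls": {"builtInControls": ["mfa"]}}
```

Stacking the session-only policy on the broad MFA policy still yields `{"mfa"}` for app X on a company device; the split design yields an empty set there while keeping MFA for app X on other devices and for every other app.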

