Conditional Access Policy for "Not Require MFA"

YY 21 Reputation points

Currently, we have a conditional access policy to enforce MFA to all users.

We would like to create another policy to access "not require MFA" when the following conditions are satisfied:

  1. for a specific app (we can select from Enterprise Application).
  2. for the corporate device (we can use DeviceOwnership -eq Company).
  3. with session sign-in frequency of 8 hours (we can set this up in "session" condition).

May I know how we can create another policy for this? It seems that putting those conditions into the original "enforce MFA" policy will mess up the original purpose of "enforce MFA", because other applications using corporate devices are also being exempted.


Azure Active Directory

Accepted answer
  1. Manu Philip 14,056 Reputation points Microsoft MVP

    Note the following rules on MFA. More details are here: concept-conditional-access-policies
    All assignments are logically ANDed. If you've more than one assignment configured, all assignments must be satisfied to trigger a policy.
    Multiple Conditional Access policies may apply to an individual user at any time. In this case, all policies that apply must be satisfied. For example, if one policy requires multi-factor authentication (MFA) and another requires a compliant device, you must complete MFA, and use a compliant device.


    --please don't forget to upvote and Accept as answer if the reply is helpful--
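To illustrate the two rules Manu Philip quotes, here is an added Python model (not code from the question, the answer, or Microsoft) that evaluates the asker's proposed second policy next to the existing "enforce MFA" policy. The policy shape, the app id "app-x" and the field names are simplified assumptions for the model, not the Graph API schema.

```python
# Added example: a small model of the two rules quoted in the answer
# (assignments are ANDed; every applying policy must be satisfied),
# applied to the asker's three conditions. Policy and sign-in shapes
# are simplified assumptions, not the Conditional Access schema.

# Constructed policies: the existing "enforce MFA" policy and the proposed
# "not require MFA" policy for one app on company-owned devices.
POLICIES = [
    {
        "name": "Enforce MFA for all users",
        "apps": "All",                  # applies to every application
        "device_ownership": None,       # no device filter
        "grant": {"mfa"},
        "session": {},
    },
    {
        "name": "App X on company devices: 8h sign-in frequency",
        "apps": {"app-x"},              # one enterprise app (constructed id)
        "device_ownership": "Company",  # like DeviceOwnership -eq Company
        "grant": set(),                 # no MFA grant control at all
        "session": {"sign_in_frequency_hours": 8},
    },
]


def policy_applies(policy, signin):
    """Rule 1: assignments are ANDed, so every condition must match."""
    app_ok = policy["apps"] == "All" or signin["app"] in policy["apps"]
    dev_ok = (policy["device_ownership"] is None
              or signin["device_ownership"] == policy["device_ownership"])
    return app_ok and dev_ok


def evaluate(policies, signin):
    """Rule 2: every policy that applies must be satisfied, so required
    grant controls are the union over applying policies and the session
    sign-in frequency is the strictest (smallest) one."""
    applied, required, freq = [], set(), None
    for p in policies:
        if policy_applies(p, signin):
            applied.append(p["name"])
            required |= p["grant"]
            hours = p["session"].get("sign_in_frequency_hours")
            if hours is not None:
                freq = hours if freq is None else min(freq, hours)
    return {"applied": applied, "required": required,
            "sign_in_frequency_hours": freq}


if __name__ == "__main__":
    # App X from a company device: the MFA policy still applies, so "mfa"
    # stays required; the second policy only adds the 8-hour session control.
    print(evaluate(POLICIES, {"app": "app-x", "device_ownership": "Company"}))
```

Because the first policy still applies to that sign-in, a separate policy that merely omits the MFA control cannot exempt it; only the assignments of the policy that requires MFA decide whether MFA is required.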

0 additional answers