How to require multifactor authentication for some accounts in the presence of conditional access with trusted IPs

Mohamed Ali ABIDI 201 Reputation points


We have a few service addresses that should not be configured with multi-factor authentication.
For this, we have installed conditional access based on trusted public IP addresses to allow internal connections to service addresses without multi-factor authentication and block connections from the outside.
While testing the policy, we found that all accounts (including service addresses) are connecting, inside the company, without multi-factor authentication.

Is there a way to fix this situation?

We want the following state:

  • Service accounts should work without MFA internally and block connections from the outside.
  • All other accounts must work with MFA internally and externally.


Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

Accepted answer
  1. Andy David - MVP 141.1K Reputation points MVP

    Create a separate policy for just the service accounts that blocks access except from trusted IPs.
    The service accounts should be excluded from the MFA CA policy.
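
The two-policy layout described in the accepted answer, written out with the Microsoft Graph PowerShell SDK as an added example (not part of the original answer). It assumes the service accounts sit in one security group (the object ID below is a placeholder) and that the company's public IPs are already defined as a trusted named location; both policies are created in report-only mode.

```powershell
# Added example: assumes the Microsoft.Graph PowerShell SDK is installed.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

# Placeholder: object ID of a security group holding only the service accounts.
$svcGroupId = '<service-accounts-group-object-id>'

# Policy 1: service accounts are blocked everywhere except trusted locations.
$blockServiceAccountsOutside = @{
    displayName   = 'Service accounts - block outside trusted IPs'
    state         = 'enabledForReportingButNotEnforced'   # report-only first
    conditions    = @{
        users          = @{ includeGroups = @($svcGroupId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
        locations      = @{
            includeLocations = @('All')
            excludeLocations = @('AllTrusted')   # trusted named locations stay allowed
        }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# Policy 2: everyone except the service accounts needs MFA from every location.
$mfaEveryoneElse = @{
    displayName   = 'All users except service accounts - require MFA'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{
            includeUsers  = @('All')
            excludeGroups = @($svcGroupId)
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
        # No locations condition on purpose: MFA applies inside and outside.
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

foreach ($policy in $blockServiceAccountsOutside, $mfaEveryoneElse) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    '{0}  {1}  {2}' -f $created.Id, $created.State, $created.DisplayName
}
```

Once the report-only results in the sign-in logs match the desired state from the question, change `state` to `enabled` on both policies.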
