Will IP changes trigger reauthentication for Microsoft Conditional Access MFA?

Ruben 21 Reputation points
2020-02-20T15:50:23+00:00

I am currently implementing Azure Conditional Access for a large group of users. Everything looks good, but we are getting complaints that people need to reauthenticate too often. We have configured the "Remember MFA" checkbox for 30 days. I would expect that if somebody logs in on device X with this checkbox checked, they would not have to provide an MFA token for the next 30 days, independent of their IP. But it seems that people get MFA challenges when they switch IPs a lot.

Is this correct behaviour? And what is the trigger for requesting a new MFA token? Also, suggestions to "fix" this behaviour?


Saurabh Sharma 23,791 Reputation points Microsoft Employee
2020-02-20T23:38:00.863+00:00

If you have configured Conditional Access with the Location condition set to Any location, then the policy will apply to all IP addresses. Also, a change of location is detected within an hour of changing the network location for applications using modern authentication. Ideally, it is recommended to keep MFA enabled on location change, to block access from untrusted networks and by non-legitimate users.
You can exclude specific locations from a policy by defining trusted locations or by defining MFA trusted IPs. Please refer to the documentation -
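The configuration the answer describes (a named location marked as trusted, and a Conditional Access policy that requires MFA from every location except trusted ones), as an added example that is not part of the original thread. It uses the Microsoft Graph PowerShell SDK (`Microsoft.Graph.Identity.SignIns`); the CIDR range, display names and group object ID are placeholders you would replace with your own, and the policy is created in report-only mode so it can be reviewed before enforcement.

```powershell
# Added example, not from the original question or answer.
# Requires: Install-Module Microsoft.Graph.Identity.SignIns
# Needs the Policy.ReadWrite.ConditionalAccess permission.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

# 1. Define the corporate egress range as a named location and mark it trusted.
#    203.0.113.0/24 is a documentation range used here as a placeholder.
$namedLocation = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Corporate egress (placeholder)"
    isTrusted     = $true
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.0/24" }
    )
}

# 2. Require MFA for the pilot group from all locations, except trusted ones.
#    "AllTrusted" covers every named location with isTrusted = $true; to exclude
#    only the location created above, use $namedLocation.Id instead.
$policy = @{
    displayName = "Require MFA outside trusted locations (placeholder)"
    state       = "enabledForReportingButNotEnforced"   # switch to "enabled" after review
    conditions  = @{
        users        = @{ includeGroups = @("<pilot-group-object-id>") }   # placeholder
        applications = @{ includeApplications = @("All") }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# 3. Check: the policy should exclude trusted locations and still require MFA.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
$check.Conditions.Locations.ExcludeLocations   # expected to contain "AllTrusted"
$check.GrantControls.BuiltInControls           # expected to contain "mfa"
```

Leaving the policy in report-only mode first lets you read the sign-in logs for the pilot group and confirm that sign-ins from the trusted range no longer match the MFA requirement while sign-ins from other networks still do, before changing `state` to `enabled`.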