Forum Discussion
MFA using Conditional Access VS Additional cloud-based MFA settings
If you want the IP range exclusion to take effect, you need to add "all trusted locations" condition to your CA policy, or at least the "MFA trusted IPs" location.
- Just to clarify, i know i can use IP address range and location in both... But if i have an IP address range configured... Are the settings additve? Or will it ignore the MFA server settings if a CA policy is applied?
- Yes these 2 settings are additive. In the sense that most restrictive setting wins. If both allow, then MFA not needed. Hope this makes sense.
Also, basic MFA setting applies at tenant level, so be careful not to lock yourself out while testing it.Vikram V can you confirm that the rule for resolving conflicts is that the most restrictive policy wins? I was told that whatever was configured in the "Additional cloud-based MFA settings" blade had precedence over any conditional access rule.
Also, I'm trying to find the documentation for this scenario, but haven't been successful so far.
As far as I know, if you don't select locations options within the policy, it will use the settings defined in the standard MFA settings. If you define locations within the policy, the standard settings become irrelevant. That is my understanding. Admittedly though, I have never tested this exact scenario.
