Forum Discussion
Conditional access policy for internal network: Need advice
Hi,
I've set up a test conditional access policy in one of my tenants to exempt users on the local network from MFA.
However, the devices are still prompting for MFA. I'm hoping someone can review my settings and advise if they are correct.
My Configuration:
- Named Location: Created a named location with my internal IP range.
- Policy:
  - Users: One test user account (for testing purposes)
  - Target Resource: All cloud apps
  - Conditions:
    - Device: Any device
    - Location: Any location except my named location (internal network)
    - Client apps: Not configured
    - Filtered for devices: Not configured
  - Access Control: Grant access, require MFA (except when conditions are met)
Question:
With this configuration, should the devices stop asking for MFA after the initial login when on the internal network?
Or will they continue to prompt for MFA every time?
Thanks for any help given
Koops
3 Replies
- muthu (Copper Contributor)
Hi Koops,
The following steps may be of help to resolve the issue at hand:
1. First, you must identify the client device's public IP address, which you can get from whatismyIP.
2. Once the IP address has been identified, you need to verify that the public IP address is exempt from the location. This is necessary to ensure that there are no restrictions or blocks in place that might be causing the issue.
3. We need to check the sign-in logs to see where the system is blocking. This will help you pinpoint the exact cause of the issue and take the necessary steps to resolve it.
I hope this helps. Let me know if you have any further questions or concerns.
Regards
Muthu
- JutManGraham (Brass Contributor)
- Location: Any location except my named location (internal network)
Microsoft does not see you as an internal network. This should be the Egress IP Addresses of your Internet connection using something like WhatIsMYIP.
Also, you need to configure those named networks using the Egress IP Addresses if you have not done so.
- NicklasOlsen (Iron Contributor)
Hi Koops,
It won't ask for MFA every time, but there is an interval where the user's location will be evaluated. Take a look at the below learn page:
https://learn.microsoft.com/en-us/entra/identity/conditional-access/location-condition#when-is-a-location-evaluated
I would recommend you take a look at this overview on Learn about Conditional Access.
https://learn.microsoft.com/en-us/entra/identity/conditional-access/
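
The egress-IP check suggested in the replies, as an added example that is not part of the original thread: it takes the CIDR ranges entered in a named location and the IP address shown on a sign-in log entry, and reports whether the "any location except the named location" policy would still require MFA. The function names and all addresses are constructed for illustration (documentation ranges stand in for a real egress address).

```python
import ipaddress

# RFC 1918 private ranges: addresses in these never reach the cloud service,
# which only sees the public egress address of the internet connection.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def evaluate_location(named_ranges, signin_ip):
    """Return (matched, warnings) for one sign-in.

    named_ranges: CIDR strings as entered in the named location.
    signin_ip:    IP address recorded on the sign-in log entry.
    """
    ip = ipaddress.ip_address(signin_ip)
    matched, warnings = False, []
    for cidr in named_ranges:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.version == 4 and any(net.overlaps(r) for r in RFC1918):
            warnings.append(
                f"{cidr} is an internal (RFC 1918) range; sign-ins arrive "
                "from the egress IP, so this entry cannot match")
        if ip.version == net.version and ip in net:
            matched = True
    return matched, warnings


def mfa_required(named_ranges, signin_ip):
    """Policy from the thread: require MFA everywhere except the named location."""
    matched, _ = evaluate_location(named_ranges, signin_ip)
    return not matched


if __name__ == "__main__":
    signin_ip = "198.51.100.3"            # constructed: egress IP from the sign-in log
    as_posted = ["192.168.10.0/24"]       # constructed: internal range in named location
    corrected = ["198.51.100.0/29"]       # constructed: egress range in named location
    for label, ranges in (("as posted", as_posted), ("corrected", corrected)):
        _, warns = evaluate_location(ranges, signin_ip)
        print(f"{label}: MFA required = {mfa_required(ranges, signin_ip)}")
        for w in warns:
            print("  warning:", w)
```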