A logic of Grant with Exclude to block the rest in Conditional Access

MVP
Hi AAD team and experts,
 
I have created to Conditional Access policies in order to understand how the Access Control's logic works.
  • Scenario 1: Block access to Any location, exclude whitelisted IP addresses - This works as expected.
  • Scenario 2: Grant access to whitelisted IP addresses, exclude non-whitelisted IP ranges - This doesn't work.
I'm unsure if the logic is designed for the scenario 1 only, which means the scenario is not workable.
 
Any thought?
0 Replies