I had a Conditional Access (CA) question, around building in multiple rounds of Conditional Access and whether it makes sense to do so.
Say there is a CA policy that checks whether a user is connecting from a network range or not. If not, then we want them to use Authenticator MFA. But does it make sense or is it possible also, to have an _additional_ CA to check whether that same off-range access request is also High risk. Can we or will it force a second Authenticator MFA in that case. Does it make sense even, to have that additional MFA check, because after all, the fact the MFA passed first time should be telling us that the user is who they say they are.
Or, can we create the CA such that the check is for whether the access is 1. on range (use Password) or 2. the request is <either> off-rangeorHigh Risk (use MFA).