MFA - Exclusive user exempted from using MFA

Brass Contributor

Hello good afternoon!

First of all, sorry if the language is not clear. I'm using an online translator to help me...


Well, I looked like, based a lot on what I saw in official courses but I think my reality puts an obstacle in the situation.


In my organization, the use of MFA is indispensable. However, there may be some users who should be excused from use when in the workplace. However, in this same place, there are other users who are not exempt from the use.


I used the Conditional Access policies but at some point I get lost. If I nominate the entire network as trusted for MFA, it will dispense with the use for everyone from the same location.


In addition, there is a routine that we have, which every day makes the MFA mandatory for all users.


Directly: What I want is to create a situation where in a given place a single user is exempted from MFA. And let the rest go on with normal life.


Is there any solution for this? Any directions in this direction?


Thank you very much for your help on this matter....

4 Replies

In Conditional Access, you can set a policy to exclude certain users or groups based on their location.
You may need two policies: a baseline policy enforcing MFA generally across your tenant, and a secondary policy which excludes users based on their location.


You can make sure more conditions to 'some excused users', say by Computer, Mobile object, user and group

Hello friends,
Very Good Morning!!!

Well, really, I confirm that the main action of Conditional Access rules is applied "from" a place "on" users. Even though we are apparently manipulating users.

In this way, I used the idea of ​​Jonathan_Reed as a starting point to build my solution. How I did:

1.1) I even created one, saying that of all users accessing from a location, accessing cloud applications, MFA is required, except those I don't want to use MFA.

1.2) For those who don't want to use MFA, I've disabled this setting;

2) A second rule - of guarantee - that users who don't use it don't use MFA can only log in from a single location.

Carrying out tests was the closest to the desired success with real success. In fact, what was desired was for the MFA to be mandatory without exceptions, but this type of situation always arises in which the direction lacked a firm grip.

E Kidd_Ip, I would really like to be able to mitigate better, for example by determining that he can only use "that" computer, with that Operating System, with a specific version etc etc etc... but I understand - and I could be wrong and feel free to correct me -, in my case we are only Office 365 contractors, which makes me not able to collect this data from users' devices OR even define these.

But I ask: is it possible?
best response confirmed by tcboeira (Brass Contributor)


Are you able to access AAD or collect that information from?

1 best response

Accepted Solutions
best response confirmed by tcboeira (Brass Contributor)


Are you able to access AAD or collect that information from?

View solution in original post