May 20 2020
- last edited on
Jan 14 2022
We current have some IP Address Range exception and 14 days browser saving enabled in the "Additional cloud-based MDA Settings" will these setting work in combination with Conditional Access Policy? or will a CA Policy take precedence over these settings?
May 21 2020 12:14 AM
Hi, the Conditional Access portal allows you to browse to the Configure MFA trusted IP's as shown below;
Selecting this takes you to the MFA service settings shown below.
So you should have no issue with this. Conditional Access policies to enforce MFA will take effect even if the user has not been set to enabled for MFA, which is what CA is all about and how you want it to work.
The verification options and remember MFA options that you set should work just fine in conjunction with CA though.
May 21 2020 12:15 AM
If you want the IP range exclusion to take effect, you need to add "all trusted locations" condition to your CA policy, or at least the "MFA trusted IPs" location.
May 21 2020 12:29 AM
May 21 2020 12:44 AM
May 21 2020 12:50 AM
As far as I know, if you don't select locations options within the policy, it will use the settings defined in the standard MFA settings. If you define locations within the policy, the standard settings become irrelevant. That is my understanding. Admittedly though, I have never tested this exact scenario.
May 25 2020 07:29 AM
Feb 24 2022 12:41 PM
@Vikram V can you confirm that the rule for resolving conflicts is that the most restrictive policy wins? I was told that whatever was configured in the "Additional cloud-based MFA settings" blade had precedence over any conditional access rule.
Also, I'm trying to find the documentation for this scenario, but haven't been successful so far.