Unable to use MFA trusted IPs in an exclude location policy

Hi,
I’m playing around with conditional access policies to allow admins or service accounts to sign in without MFA on corpnet. To accomplish that I added an IP range in the MFA trusted IPs list.

I then tried to create a CA policy that excludes the MFA trusted IPs list but sign-ins still require MFA.

However, if I create a Named location and add the same IP range and then use that named location in my exclude policy, sign-ins without MFA work fine.

I've tried this in multiple tenants, without luck. No ADFS, cloud-only accounts with E3 + P2 trial.
Anyone got this to work?

1 Reply

Adding the range to Trusted IPs in the MFA portal should work, and has been working for me for years now. Then again, we are slowly moving to the point where Microsoft will ditch the old MFA portal and bring all the settings into the Azure blade, so simply using the named location is a better solution (and one that does work in your case).
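
The named-location setup that worked in the question, sketched with the Microsoft Graph PowerShell SDK as an added example that is not part of the original thread. The IP range, display names and group ID are constructed placeholders, and the policy is created in report-only mode so its effect can be checked in the sign-in logs before it is enforced.

```powershell
# Added example, not from the thread. Requires the Microsoft.Graph module.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Constructed placeholders: replace with your corpnet egress range and admin group.
$corpRange    = "203.0.113.0/24"
$adminGroupId = "<admin-group-object-id>"

# 1. Named location holding the same range that was entered under MFA trusted IPs.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Corpnet egress (example)"
    isTrusted     = $true
    ipRanges      = @(
        @{
            "@odata.type" = "#microsoft.graph.iPv4CidrRange"
            cidrAddress   = $corpRange
        }
    )
}

# 2. Policy: require MFA for the admin group from any location
#    except the named location created above.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "Require MFA for admins outside corpnet (example)"
    state       = "enabledForReportingButNotEnforced"   # report-only first
    conditions  = @{
        users        = @{ includeGroups = @($adminGroupId) }
        applications = @{ includeApplications = @("All") }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @($location.Id)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

# 3. Confirm which locations the stored policy excludes.
(Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id).
    Conditions.Locations.ExcludeLocations
```

Keep the excluded range as narrow as the actual corpnet egress addresses, since every sign-in from that range skips the MFA requirement for the accounts in scope.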