Unable to use MFA trusted IPs in an exclude location policy

Brass Contributor

I’m playing around with conditional access policies to allow admins or service accounts to sign in without MFA on corpnet. To accomplish that I added an IP range in the MFA trusted IPs list.

I then tried to create a CA policy that excludes the MFA trusted IPs list but sign ins still require MFA.

However if I create a Named location and add the same IP range and the use that named location in my exclude policy, sign-ins without MFA works fine.

I've tried this in multiple tenants, without luck. No ADFS, cloud-only accounts with E3 + P2 trial.
Anyone got this to work?



1 Reply

Adding the range to Trusted IPs in the MFA portal should work, and has been working for me for years now. Then again, we are slowly moving to the point when Microsoft will ditch the old MFA portal and bring all the settings in the Azure blade, so simply using the named location is a better solution (and one that does work in your case).