Forum Discussion
Removing MFA for a group of users
Hi,
I'm fairly new to Entra ID and need some assistance with setting up a new CA policy for our users. Currently, we have a CA policy that enforces MFA for all users. There's a new requirement where we want to skip MFA for a group of employees when they're working on-site. I know I can create a location for our office IP and create a security group for these employees who need MFA disabled. If I exclude this group in the existing CA policy, it will disable MFA for these employees altogether no matter if they're working from home or on site, which is not the goal. We only want these users to skip MFA when they're working in the office.
Does anybody have any suggestions how I can achieve this? Any advice is appreciated.
Hi Galaxy876
You can create an additional Conditional Access policy that requires MFA but exempts Trusted Locations. Assign this policy specifically to the employee group, and make sure to exclude this group from your primary policy, which mandates MFA from any location. This setup ensures that users in the group won't need to perform MFA when working on-site but will still need to do so from other locations. Users not in the group will be governed by the primary policy requiring MFA from any location. Hope this helps.
- MatejKlemencic (Brass Contributor)
- Galaxy876 (Copper Contributor): Wow, I didn't think of it that way. It worked. Thank you so much for your help!
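The two-policy setup from the answer above, written out as Microsoft Graph `conditionalAccessPolicy` request bodies together with a simplified check of which sign-ins still get an MFA prompt. This is an added example, not code from the thread: the group ID is a placeholder, `AllTrusted` assumes the office IP range is a named location marked as trusted, and the evaluator models only the group and location conditions.

```python
import json

GROUP_ID = "00000000-0000-0000-0000-000000000000"  # placeholder object ID of the on-site group

def mfa_policy(name, users, locations=None):
    """Build a conditionalAccessPolicy body (Microsoft Graph schema) that requires MFA."""
    conditions = {
        "users": users,
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": ["all"],
    }
    if locations:
        conditions["locations"] = locations
    return {"displayName": name, "state": "enabled", "conditions": conditions,
            "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}}

# Primary policy: MFA from any location, with the group excluded.
PRIMARY = mfa_policy("Require MFA - all users",
                     {"includeUsers": ["All"], "excludeGroups": [GROUP_ID]})
# Additional policy: MFA for the group, except from trusted locations.
ONSITE = mfa_policy("Require MFA - on-site group outside trusted locations",
                    {"includeGroups": [GROUP_ID]},
                    {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]})

def applies(policy, in_group, trusted):
    """Simplified match on the two conditions this setup uses: group and location."""
    users = policy["conditions"]["users"]
    if in_group and GROUP_ID in users.get("excludeGroups", []):
        return False
    included = "All" in users.get("includeUsers", []) or (
        in_group and GROUP_ID in users.get("includeGroups", []))
    loc = policy["conditions"].get("locations", {})
    if trusted and "AllTrusted" in loc.get("excludeLocations", []):
        return False
    return included

def mfa_required(in_group, trusted, policies=(PRIMARY, ONSITE)):
    """MFA is prompted if any matching policy demands it."""
    return any(applies(p, in_group, trusted) for p in policies)

def coverage_matrix(policies=(PRIMARY, ONSITE)):
    """Map every (group member?, trusted location?) combination to MFA required?"""
    return {(g, t): mfa_required(g, t, policies)
            for g in (True, False) for t in (True, False)}

if __name__ == "__main__":
    print(json.dumps([PRIMARY, ONSITE], indent=2))
    print(coverage_matrix())
```

Passing `policies=(PRIMARY,)` to `coverage_matrix` shows the gap the question describes: with only the exclusion in place, group members get no MFA prompt from any location.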