How to configure conditional access policy so that MFA required if device IP address changes

Ros Gray 0 Reputation points
2025-03-04T19:14:16.01+00:00

I am trying to configure a conditional access policy to require a user to input MFA if the IP address of their device changes. Is this possible?

I've done some testing. If I set up a conditional access policy to require MFA and set the session sign-in frequency to 'every time', then users are being prompted more than necessary for MFA - during the day, sitting at their desk (whether at the corporate site or WFH). If I change the session sign-in frequency to, say, 8 hours, then if the device is shut down, moved to another IP address and then opened up again, the session seems to carry over and no MFA is required - so they can go from the corporate site to WFH and not be required to put in MFA. Most importantly, this means that, e.g. if they leave the device on a train, the device is not particularly secure.

I might be stuck in an unnecessary hypothetical - it just seems odd that you can't configure a conditional access policy to trigger an MFA requirement on a change of IP - as all the data is there - I can see the identification of the change in IP address in the sign-in logs - so I'm thinking it might be user error - I just can't find anything on this in Microsoft Learn etc.

Microsoft Identity Manager
A family of Microsoft products that manage a user's digital identity using identity synchronization, certificate management, and user provisioning.

2 answers

  1. Jose Benjamin Solis Nolasco 631 Reputation points
    2025-03-04T20:24:54.49+00:00

    Hello @Ros Gray

    Unfortunately, there isn’t a native Conditional Access configuration that forces an MFA prompt solely on an IP address change for an existing session.

    That's why your MFA configuration items are just:

    1. Named Locations

    2. Risk-Based Conditional Access (Azure AD Identity Protection): Incorporate risk evaluation into your Conditional Access policies.

    Here are some details and workarounds that might help clarify the situation:

    Why It Doesn’t Work Out-of-the-Box

    • Token Lifetimes & Session Management: Once a user successfully signs in and receives access/refresh tokens, those tokens are valid for a duration defined by your token lifetime policy and your session controls. Even if the IP address later changes, the session continues to remain authenticated until the token expires or an event forces a new authentication request. This is why reducing the session sign-in frequency to “every time” triggers MFA every time (which is often more than you’d like) while a longer period (e.g., 8 hours) carries over even after an IP change.
    • Conditional Access Limitations: The Conditional Access engine currently evaluates conditions during the sign-in event. If the sign-in occurs from a new or untrusted location, you can require MFA. However, once the session is established, it isn’t re-evaluated continuously based on changes in the client’s IP address.

    If you found it helpful, could you kindly click the “Accept Answer and upvote” on the post.

    If you have any further queries, please let us know we are glad to help you.

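    Since Conditional Access only evaluates at sign-in and the sign-in logs do record the IP change, a defender can at least detect the scenario the question describes (session carried over to a new IP without a fresh MFA prompt) from the log data. The script below is an added example, not code from the thread or from Microsoft; it assumes records shaped like Microsoft Graph `signIn` objects (the `userPrincipalName`, `createdDateTime`, `ipAddress`, `authenticationRequirement` and `appDisplayName` fields), and the sample records are constructed, not real tenant data.

```python
"""Flag sign-ins where a user's IP address changed since the previous sign-in
but the request was satisfied with single-factor auth, i.e. an existing session
was reused across the IP change without a new MFA prompt.

Added example, not from the original thread. Record field names follow the
Microsoft Graph signIn resource; the records themselves are constructed."""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional

MFA = "multiFactorAuthentication"

# Constructed sample sign-in records (not real tenant data).
SAMPLE_SIGN_INS: List[Dict[str, str]] = [
    {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2025-03-04T08:02:11Z",
     "ipAddress": "203.0.113.10", "authenticationRequirement": MFA,
     "appDisplayName": "Office 365 Exchange Online"},
    {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2025-03-04T12:40:05Z",
     "ipAddress": "203.0.113.10", "authenticationRequirement": "singleFactorAuthentication",
     "appDisplayName": "Microsoft Teams"},
    # Same afternoon: device moved to a home network, session carried over, no MFA.
    {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2025-03-04T14:15:30Z",
     "ipAddress": "198.51.100.77", "authenticationRequirement": "singleFactorAuthentication",
     "appDisplayName": "Microsoft Teams"},
    # Next morning: outside the sign-in frequency window, MFA was required again.
    {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2025-03-05T08:00:00Z",
     "ipAddress": "198.51.100.77", "authenticationRequirement": MFA,
     "appDisplayName": "Office 365 Exchange Online"},
    # Bob changed IP but was prompted for MFA at the new address: nothing to flag.
    {"userPrincipalName": "bob@contoso.example", "createdDateTime": "2025-03-04T09:00:00Z",
     "ipAddress": "203.0.113.10", "authenticationRequirement": MFA,
     "appDisplayName": "Microsoft Teams"},
    {"userPrincipalName": "bob@contoso.example", "createdDateTime": "2025-03-04T10:00:00Z",
     "ipAddress": "192.0.2.5", "authenticationRequirement": MFA,
     "appDisplayName": "Microsoft Teams"},
]


def _parse_ts(value: str) -> datetime:
    """Parse the ISO 8601 UTC timestamps Graph emits (trailing 'Z')."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_ip_changes_without_mfa(sign_ins: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return one finding per sign-in that (a) came from a different IP than the
    user's previous sign-in and (b) did not require MFA. Each finding records how
    long the session had been running since the user's last MFA, which is the
    value to compare against the policy's sign-in frequency."""
    by_user: Dict[str, List[Dict[str, str]]] = defaultdict(list)
    for record in sign_ins:
        by_user[record["userPrincipalName"]].append(record)

    findings: List[Dict[str, object]] = []
    for upn, records in by_user.items():
        records.sort(key=lambda r: _parse_ts(r["createdDateTime"]))
        last_ip: Optional[str] = None
        last_mfa_at: Optional[datetime] = None
        for record in records:
            ts = _parse_ts(record["createdDateTime"])
            ip = record["ipAddress"]
            if record["authenticationRequirement"] == MFA:
                # A fresh MFA prompt (re)anchors the session, whatever the IP.
                last_mfa_at = ts
            elif last_ip is not None and ip != last_ip:
                minutes = None
                if last_mfa_at is not None:
                    minutes = int((ts - last_mfa_at).total_seconds() // 60)
                findings.append({
                    "user": upn,
                    "time": record["createdDateTime"],
                    "previous_ip": last_ip,
                    "new_ip": ip,
                    "app": record["appDisplayName"],
                    "minutes_since_last_mfa": minutes,
                })
            last_ip = ip
    return findings


if __name__ == "__main__":
    for finding in find_ip_changes_without_mfa(SAMPLE_SIGN_INS):
        print(finding)
```

    Run against a real export (for example the `signIns` collection from Graph, including non-interactive sign-ins, since token refreshes from the new network show up there rather than in the interactive log), the findings show exactly the carry-over the question describes; a finding whose `minutes_since_last_mfa` is below the configured sign-in frequency is the policy working as designed, not a bypass, which is the point the answer above makes.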

  2. Jose Benjamin Solis Nolasco 631 Reputation points
    2025-03-06T13:28:25.17+00:00

    Just following up. Do you need more guidance or assistance?
