Conditional Access MFA – Trusted Locations

In this guide we will learn how to set up basic MFA policy with Conditional Access and enable MFA bypass for trusted locations. Therefore after setting up this policy, users which will be located in trusted location will not need to check in with MFA.

Note: Public IP address must be set as Static, if IP is set as dynamic trusted location will stop working because IP address will change.

Before we start setting up the Conditional Access, we need to define trust location. Location will be determined based on IP Address. We can set multiple locations.


We need to name the location, enter a public IP Address with subnet mask /32 ( and mark it as trusted location.

Named Location


Select the users who will be included in the MFA policy

Users identities


Choose for which application policy will be enabled.

Cloud apps


In Conditions tab we can use previously created trusted location and exclude it. That means every device that has public IP address set as trusted location will not be prompted for MFA.


In the last step we grant access to applications but first we need to confirm identity with MFA if the device is not located in trusted location.

Leave a Reply