
CA Location-Based MFA Exclusions [CHK-1182]

This check identifies Conditional Access policies that exclude specific locations or IP addresses from MFA requirements. It scans all enabled Conditional Access policies that enforce MFA (including both legacy MFA controls and modern authentication strength), then examines their location conditions for exclusions.

The check resolves named location IDs to their display names and categorizes them as IP-based, IP-based (Trusted), or Country-based. Locations configured in the allowed locations whitelist (CHK1182_allowedLocations) are excluded from reporting.

Rationale

Location-based exclusions in Conditional Access policies are a common configuration used to reduce MFA friction for users signing in from trusted office networks or known IP ranges. However, these exclusions introduce significant security risks that are often underestimated.

An attacker who can reach a trusted network, whether through a compromised VPN account, malware on a host inside the range, or physical presence at the site, signs in without an MFA challenge, and so does anyone else who shares that network's egress address, such as guests on office Wi-Fi or other tenants behind a shared NAT. IP-based exclusions are particularly dangerous because the trust is tied only to the source address, so traffic routed through any compromised host or proxy within the range inherits it. Country-based exclusions are broader still and trivial to satisfy with a commercial VPN exit or a compromised host in the allowed country.

This check provides visibility into which policies have location exclusions so that security teams can assess whether each exclusion is still justified, properly scoped, and aligned with the organization's risk appetite. Regularly reviewing these exclusions is a critical part of maintaining a strong zero-trust posture.

Fix

No automated fix is available for this check.

Manual steps:

  1. Open the Microsoft Entra admin center and navigate to Protection > Conditional Access (in the Azure portal: Microsoft Entra ID > Security > Conditional Access).
  2. Review each policy listed in the check output that has location-based MFA exclusions.
  3. For each excluded location, evaluate whether the exclusion is still necessary and properly scoped.
  4. Where possible, remove location exclusions and enforce MFA for all locations. Consider using compliant device requirements as an alternative to location-based trust.
  5. If a location exclusion must remain (e.g., a trusted office network), add it to the Allowed Locations whitelist (CHK1182_allowedLocations) with a documented justification.
  6. Ensure that excluded IP ranges are as narrow as possible — avoid broad CIDR ranges that cover more than the intended network.
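To make the selection rules concrete, the following is an added example and not the product's own code. It reimplements the logic the check description gives (enabled policies only, MFA via the built-in control or an authentication strength, exclusions resolved to display names and categorized, allowlisted locations dropped) and adds the range-width review from step 6, over constructed sample data in the shape of the Microsoft Graph conditionalAccessPolicy and namedLocation resources. The GUIDs, policy names, the /24 and /64 "broad" thresholds, and the assumption that CHK1182_allowedLocations holds location IDs or display names are all assumptions made for the example.

```python
"""Added example, not the product's own code: a stand-alone reimplementation of
the CHK-1182 selection logic over Microsoft Graph-shaped JSON, plus the range
width review from step 6 of the fix.  All sample data below is constructed."""
import ipaddress

# Constructed sample in the shape of GET /identity/conditionalAccess/namedLocations
NAMED_LOCATIONS = [
    {"@odata.type": "#microsoft.graph.ipNamedLocation",
     "id": "11111111-1111-1111-1111-111111111111",      # assumed GUID
     "displayName": "HQ office", "isTrusted": True,
     "ipRanges": [{"@odata.type": "#microsoft.graph.iPv4CidrRange",
                   "cidrAddress": "203.0.113.0/28"}]},
    {"@odata.type": "#microsoft.graph.ipNamedLocation",
     "id": "22222222-2222-2222-2222-222222222222",
     "displayName": "ISP block (legacy)", "isTrusted": False,
     "ipRanges": [{"@odata.type": "#microsoft.graph.iPv4CidrRange",
                   "cidrAddress": "203.0.112.0/20"}]},    # far wider than one office
    {"@odata.type": "#microsoft.graph.countryNamedLocation",
     "id": "33333333-3333-3333-3333-333333333333",
     "displayName": "Home country", "countriesAndRegions": ["US"],
     "includeUnknownCountriesAndRegions": False},
]

# Constructed sample in the shape of GET /identity/conditionalAccess/policies
POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"locations": {"includeLocations": ["All"],
                                  "excludeLocations": ["AllTrusted",
                                                       "11111111-1111-1111-1111-111111111111"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"],
                       "authenticationStrength": None}},
    {"displayName": "Phishing-resistant MFA for admins", "state": "enabled",
     "conditions": {"locations": {"includeLocations": ["All"],
                                  "excludeLocations": ["22222222-2222-2222-2222-222222222222",
                                                       "33333333-3333-3333-3333-333333333333"]}},
     "grantControls": {"operator": "AND", "builtInControls": [],
                       "authenticationStrength": {"displayName": "Phishing-resistant MFA"}}},
    {"displayName": "Block legacy authentication", "state": "enabled",   # no MFA: skipped
     "conditions": {"locations": {"includeLocations": ["All"],
                                  "excludeLocations": ["11111111-1111-1111-1111-111111111111"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Old MFA pilot", "state": "disabled",                # disabled: skipped
     "conditions": {"locations": {"includeLocations": ["All"],
                                  "excludeLocations": ["33333333-3333-3333-3333-333333333333"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]

# Assumed: the CHK1182_allowedLocations whitelist holds location IDs or display names.
ALLOWED_LOCATIONS = frozenset({"11111111-1111-1111-1111-111111111111"})

SPECIAL_LOCATIONS = {"All": "All locations", "AllTrusted": "All trusted locations"}
BROAD_IPV4_PREFIX = 24   # assumption: anything wider than a /24 deserves a second look
BROAD_IPV6_PREFIX = 64   # assumption: same idea for IPv6


def enforces_mfa(policy):
    """True for the legacy 'mfa' grant control or any authentication strength."""
    grant = policy.get("grantControls") or {}
    return ("mfa" in (grant.get("builtInControls") or [])
            or grant.get("authenticationStrength") is not None)


def categorize(location):
    """Map a namedLocation to the check's three categories."""
    kind = location.get("@odata.type", "")
    if kind.endswith("ipNamedLocation"):
        return "IP-based (Trusted)" if location.get("isTrusted") else "IP-based"
    if kind.endswith("countryNamedLocation"):
        return "Country-based"
    return "Unknown"


def broad_ranges(location):
    """CIDR ranges of an IP location wider than the prefix thresholds (step 6)."""
    flagged = []
    for rng in location.get("ipRanges", []):
        net = ipaddress.ip_network(rng["cidrAddress"], strict=False)
        limit = BROAD_IPV4_PREFIX if net.version == 4 else BROAD_IPV6_PREFIX
        if net.prefixlen < limit:
            flagged.append(str(net))
    return flagged


def find_location_exclusions(policies, named_locations, allowed=frozenset()):
    """Report enabled, MFA-enforcing policies whose location condition excludes
    something, resolving IDs to names and dropping allowlisted locations."""
    by_id = {loc["id"]: loc for loc in named_locations}
    findings = []
    for pol in policies:
        if pol.get("state") != "enabled" or not enforces_mfa(pol):
            continue
        locs = (pol.get("conditions") or {}).get("locations") or {}
        for loc_id in locs.get("excludeLocations") or []:
            loc = by_id.get(loc_id)
            name = SPECIAL_LOCATIONS.get(loc_id) or (loc["displayName"] if loc else loc_id)
            if loc_id in allowed or name in allowed:
                continue
            if loc_id in SPECIAL_LOCATIONS:
                category, wide = "Special", []
            elif loc is None:
                category, wide = "Unresolved", []     # deleted location still referenced
            else:
                category = categorize(loc)
                wide = broad_ranges(loc) if category.startswith("IP") else []
            findings.append({"policy": pol["displayName"], "location": name,
                             "category": category, "broad_ranges": wide})
    return findings


if __name__ == "__main__":
    for f in find_location_exclusions(POLICIES, NAMED_LOCATIONS, ALLOWED_LOCATIONS):
        flag = f" BROAD: {', '.join(f['broad_ranges'])}" if f["broad_ranges"] else ""
        print(f"{f['policy']!r} excludes {f['location']!r} [{f['category']}]{flag}")
```

Against the sample data the allowlisted HQ office is dropped, the blocking and disabled policies are ignored, and the remaining three exclusions are reported with the /20 flagged as broad. To run this against a real tenant, replace the two sample lists with the output of the corresponding Graph calls (for example Get-MgIdentityConditionalAccessPolicy and Get-MgIdentityConditionalAccessNamedLocation from the Graph PowerShell SDK, which require Policy.Read.All); the "Unresolved" branch is worth keeping, since a deleted named location can remain referenced by a policy.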

Impact

This is a data-only monitoring check that does not create tickets or trigger alerts. It provides security teams with an overview of all location-based MFA exclusions across Conditional Access policies, enabling informed risk assessment. Removing unnecessary location exclusions strengthens the overall MFA posture by ensuring that authentication challenges are applied regardless of where the sign-in originates.

More Information