Trusted IP addresses ignored in Azure CA policies


This content can now be found at

We have a client who has a line of business app that syncs its content to Office 365 on a per-user basis, so each user’s password has to be entered into it. However, the software can’t perform MFA, so we created an exception for their public IP address in their MFA-enforcing Azure AD Conditional Access policy.

Well, that worked until they moved premises, of course, so we modified the CA policy to exclude their new public IP address, but the LOB software failed to connect, and Azure logged the failures as failing the MFA challenge:

For SEO:

Multi-factor authentication
Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access ‘{resource}’.
Solution: the auth attempts were accepted only once we also replaced the old IP addresses in the multi-factor authentication trusted IPs list with their new public IP address.
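The lesson from the above is that a move changes an egress address, and every allow-list that grants an MFA bypass for that address has to be updated, not just the Conditional Access named location. The following script is an added example (not part of the original post or any Microsoft tooling) that checks a set of CIDR allow-lists for two things: which lists still carry the old address (a stale bypass that now benefits whoever is assigned that IP next) and which lists lack the new one (the failure seen above). The list names and RFC 5737 documentation addresses are constructed; in a real tenant the ranges would be exported from the named location and the MFA service settings page.

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed sample data (not from a real tenant): the CIDR ranges held by
# each allow-list that an MFA exception depends on. Addresses are from the
# RFC 5737 documentation blocks.
ALLOW_LISTS: Dict[str, List[str]] = {
    "CA named location 'Office egress'": ["203.0.113.0/29", "198.51.100.10/32"],
    "MFA trusted IPs (service settings)": ["203.0.113.0/29"],
}

OLD_EGRESS_IP = "203.0.113.5"    # public address at the old premises (constructed)
NEW_EGRESS_IP = "198.51.100.10"  # public address at the new premises (constructed)


def _contains(ranges: Iterable[str], ip: str) -> bool:
    """True if ip falls inside any of the CIDR ranges (host bits tolerated)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)


def audit_allow_lists(
    lists: Dict[str, List[str]], old_ip: str, new_ip: str
) -> Dict[str, Tuple[bool, bool]]:
    """Return {list_name: (still_has_old, has_new)} for every allow-list."""
    return {
        name: (_contains(ranges, old_ip), _contains(ranges, new_ip))
        for name, ranges in lists.items()
    }


def lists_missing(lists: Dict[str, List[str]], ip: str) -> List[str]:
    """Allow-lists that do NOT cover ip: traffic from ip will be challenged for MFA."""
    return sorted(name for name, ranges in lists.items() if not _contains(ranges, ip))


def lists_with_stale(lists: Dict[str, List[str]], old_ip: str) -> List[str]:
    """Allow-lists that still cover the old address: an MFA bypass left behind."""
    return sorted(name for name, ranges in lists.items() if _contains(ranges, old_ip))


if __name__ == "__main__":
    result = audit_allow_lists(ALLOW_LISTS, OLD_EGRESS_IP, NEW_EGRESS_IP)
    for name, (has_old, has_new) in result.items():
        status = []
        if has_old:
            status.append(f"STALE: still trusts {OLD_EGRESS_IP}")
        if not has_new:
            status.append(f"MISSING: does not trust {NEW_EGRESS_IP}")
        print(f"{name}: {'; '.join(status) or 'OK'}")
```

Run it after any change of premises or ISP; a non-empty `lists_missing` result explains an MFA challenge like the one logged above, and a non-empty `lists_with_stale` result is the cleanup item that is easy to forget once things work again.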
I hope this helps someone!