I'm trying to wrap my head around some conditional access policies at work that I didn't set up myself. One of them blocks access to Office 365 for all users, except for a Remote group and a few specified locations. What I'm not clear on is whether members of that Remote group are automatically allowed access without any additional rules—like MFA requirements or device compliance checks.
Also, if there's a policy letting users access all apps with MFA, but another policy requires both MFA and a hybrid device, does that mean a user trying to connect with a non-hybrid device gets access anyway due to the first policy?
Finally, if a rule blocks all non-US connections, do I need to include US locations in every allow rule? I'm just trying to understand how these policies overlap and what the gaps might be.
1 Answer
Just a heads up, conditional access doesn't have a default deny. If there aren't any policies that apply, then access is allowed. So, in your case, if there's no explicit allow rule for that Remote group, they aren't blocked by default because they’re excluded from the block rule. But that doesn’t mean they get unrestricted access—other policies, like MFA, could still apply to them.
Thanks for clarifying! So, they could still be required to do MFA even though they're in the Remote group?