This guide describes how to create a [[Microsoft Entra Conditional Access|Conditional Access]] policy to enforce [[Multi Factor Authentication (MFA)]] inside of [[Entra ID|Microsoft Entra ID]]. It also covers creating a group of users that are **excluded** from MFA but are only able to sign in from specific IPs; this requires a static IP address.

# Create Entra ID Group

Create the 'MFA Limited IPs' group. This group will hold users that will not require MFA but will only be able to sign in from specific IPs.

## Exclude from Registration Campaign

1. Browse to **Security** > **Authentication Methods** > **Registration Campaign**.
2. Under **Excluded users and groups**, add the 'MFA Limited IPs' group created previously.

# Create MFA Required Policy

1. Browse to **Protection** > **Conditional Access**.
2. Select **Create new policy**.
3. For **Name**, enter 'MFA Required'.
4. Under **Assignments**, select **Users or workload identities**.
    1. Under **Include**, select **All users**.
    2. Under **Exclude**, select **Users and groups** and choose your organization's emergency access or break-glass accounts.
5. Under **Target resources** > **Cloud apps** > **Include**, select **All cloud apps**.
    1. Under **Exclude**, select any applications that don't require multifactor authentication.
6. Under **Access controls** > **Grant**, select **Grant access**, **Require multifactor authentication**, and select **Select**.
7. Confirm your settings and set **Enable policy** to **Report-only**.
8. Select **Create** to create and enable your policy.
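The same two objects the portal steps above create (the 'MFA Limited IPs' security group and the 'MFA Required' policy in report-only mode) can be expressed as Microsoft Graph request bodies. The following is an added example, not part of this guide or of Microsoft's documentation: it builds the JSON bodies for `POST /groups` and `POST /identity/conditionalAccess/policies` and runs a small sanity check that mirrors the steps (all users included, break-glass accounts excluded, MFA grant control, report-only state). The break-glass object ID and the Graph token are placeholders; nothing is sent unless you wire in a token yourself.

```python
"""Build and sanity-check the Graph bodies for the objects this guide creates.

Added example (not the guide's own tooling). Assumes the Microsoft Graph v1.0
schema for groups and conditionalAccessPolicy; IDs below are placeholders.
"""
import json
from typing import Iterable, List

GRAPH_BASE = "https://graph.microsoft.com/v1.0"
REPORT_ONLY = "enabledForReportingButNotEnforced"  # Graph value for "Report-only"


def build_group(display_name: str = "MFA Limited IPs") -> dict:
    """Body for POST /groups: a plain security group usable in CA assignments."""
    return {
        "displayName": display_name,
        "description": "Users excluded from MFA; sign-in limited to specific IPs",
        "mailEnabled": False,          # not a mail-enabled / M365 group
        "mailNickname": display_name.replace(" ", ""),
        "securityEnabled": True,       # required for Conditional Access targeting
    }


def build_mfa_policy(break_glass_user_ids: Iterable[str],
                     excluded_app_ids: Iterable[str] = (),
                     state: str = REPORT_ONLY) -> dict:
    """Body for POST /identity/conditionalAccess/policies matching steps 3-7."""
    return {
        "displayName": "MFA Required",
        "state": state,
        "conditions": {
            "users": {
                "includeUsers": ["All"],                      # step 4.1
                "excludeUsers": list(break_glass_user_ids),   # step 4.2
            },
            "applications": {
                "includeApplications": ["All"],               # step 5
                "excludeApplications": list(excluded_app_ids),  # step 5.1
            },
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},  # step 6
    }


def check_policy(policy: dict) -> List[str]:
    """Return a list of deviations from the guide; empty means it matches."""
    problems = []
    users = policy["conditions"]["users"]
    if users.get("includeUsers") != ["All"]:
        problems.append("policy does not include all users")
    if not users.get("excludeUsers"):
        problems.append("no break-glass accounts excluded (lockout risk)")
    if "mfa" not in policy["grantControls"].get("builtInControls", []):
        problems.append("grant control does not require MFA")
    if policy["state"] != REPORT_ONLY:
        problems.append("policy is not in report-only mode (step 7)")
    return problems


def request_plan(break_glass_user_ids: Iterable[str]) -> List[tuple]:
    """(method, url, body) tuples in the order the guide creates them."""
    return [
        ("POST", f"{GRAPH_BASE}/groups", build_group()),
        ("POST", f"{GRAPH_BASE}/identity/conditionalAccess/policies",
         build_mfa_policy(break_glass_user_ids)),
    ]


if __name__ == "__main__":
    # Placeholder object ID for the break-glass account; replace with your own.
    plan = request_plan(["00000000-0000-0000-0000-000000000001"])
    for method, url, body in plan:
        print(method, url)
        print(json.dumps(body, indent=2))
    print("problems:", check_policy(plan[1][2]))
```

Run it as-is to see the two request bodies and an empty problem list; passing `state="enabled"` or an empty break-glass list to `build_mfa_policy` makes `check_policy` flag the deviation, which is the kind of pre-flight check worth running before a policy leaves report-only.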