We typically enable two Conditional Access Policies for users. 1 for general users where known public IPs are whitelisted from the MFA CAP, and 1 for users with an admin role to be prompted for MFA no matter their location.
Currently, NMM strips the Azure Roles in the parent cloned CAP. We tested building a CAP template with the Azure Roles included in the settings, but publishing to other tenants also strips the roles from the CAP.
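
A check for the role stripping described above, as an added example that is not part of the original post and is not NMM code: it compares the template policy with the published copy and flags an admin MFA policy that no longer targets any role. It assumes both policies are available as JSON in the Microsoft Graph `conditionalAccessPolicy` shape; the function names and the two sample policies are constructed for illustration.

```python
# Added example: detect a cloned Conditional Access policy that lost its role targeting.
# Field names follow the Microsoft Graph conditionalAccessPolicy resource.

GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"  # Global Administrator role template ID

def _users(policy):
    return (policy.get("conditions") or {}).get("users") or {}

def stripped_roles(source, clone):
    """Role template IDs targeted by the source policy but absent from the clone."""
    src = set(_users(source).get("includeRoles") or [])
    dst = set(_users(clone).get("includeRoles") or [])
    return sorted(src - dst)

def audit_admin_mfa(policy):
    """Findings for a policy meant to force MFA on admin roles from any location."""
    findings = []
    conditions = policy.get("conditions") or {}
    users = _users(policy)
    if not users.get("includeRoles"):
        findings.append("no directory roles targeted")
    if not any(users.get(k) for k in ("includeRoles", "includeUsers", "includeGroups")):
        findings.append("policy targets nobody")
    if (conditions.get("locations") or {}).get("excludeLocations"):
        findings.append("locations excluded from MFA")
    if "mfa" not in ((policy.get("grantControls") or {}).get("builtInControls") or []):
        findings.append("MFA grant control missing")
    if policy.get("state") != "enabled":
        findings.append("policy not enabled")
    return findings

# Constructed sample data: the template as built, and the copy after publishing.
TEMPLATE = {
    "displayName": "Admins - require MFA everywhere",
    "state": "enabled",
    "conditions": {"users": {"includeUsers": [], "includeRoles": [GLOBAL_ADMIN]}},
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}
PUBLISHED = {
    "displayName": "Admins - require MFA everywhere",
    "state": "enabled",
    "conditions": {"users": {"includeUsers": [], "includeRoles": []}},
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

if __name__ == "__main__":
    print("roles missing from clone:", stripped_roles(TEMPLATE, PUBLISHED))
    print("clone findings:", audit_admin_mfa(PUBLISHED))
```

A clone that reports "policy targets nobody" applies to no sign-ins, so admins in that tenant fall back to whatever the general-user policy allows, including the whitelisted IPs.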