Contoso uses Microsoft Entra ID P1 licenses and has a dedicated corporate office with static public IP addresses. The company wants to require MFA for all users, but exempt users when they connect from the corporate office. Which configuration should the administrator implement?
Excluding the corporate office location ensures users connecting from those trusted IPs bypass MFA, while everyone else must satisfy the MFA requirement.
Why this answer
Option B is correct because a Conditional Access policy can target all users, require MFA as a grant control, and exclude the corporate office location (defined by static public IP addresses as a named location). This ensures MFA is enforced for all connections except those originating from the trusted corporate network, aligning with the requirement to exempt users at the office.
Exam trap
The trap here is that candidates often confuse 'include' and 'exclude' in Conditional Access conditions, mistakenly thinking that including the office location will exempt it, when in fact excluding the location is required to bypass MFA for that trusted network.
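The include/exclude distinction, as an added example that is not part of the original question: two policy bodies shaped like Microsoft Graph `conditionalAccessPolicy` objects are run through a simplified model of the location condition. The location id, the RFC 5737 sample IP ranges and the `mfa_required` evaluator are assumptions made for illustration; the evaluator is not Entra ID's own engine.

```python
import ipaddress

# Constructed sample data: an RFC 5737 documentation range stands in for the
# office's static public IPs; the id is a placeholder, not a real object id.
OFFICE = {
    "id": "office-location-id",
    "displayName": "Corporate office",
    "isTrusted": True,
    "ipRanges": [{"cidrAddress": "203.0.113.0/24"}],
}
LOCATIONS = {OFFICE["id"]: OFFICE}

def policy(include_locations, exclude_locations):
    """Build a policy body: all users, all apps, grant control = require MFA."""
    return {
        "displayName": "Require MFA",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "locations": {"includeLocations": include_locations,
                          "excludeLocations": exclude_locations},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }

def _matches(location_ids, client_ip, named_locations):
    """True if client_ip falls in any listed named location ('All' matches any IP)."""
    ip = ipaddress.ip_address(client_ip)
    for loc_id in location_ids:
        if loc_id == "All":
            return True
        loc = named_locations.get(loc_id)
        if loc and any(ip in ipaddress.ip_network(r["cidrAddress"])
                       for r in loc["ipRanges"]):
            return True
    return False

def mfa_required(pol, client_ip, named_locations):
    """Hypothetical simplified evaluator: an exclusion match means the policy does not apply."""
    loc = pol["conditions"]["locations"]
    if _matches(loc["excludeLocations"], client_ip, named_locations):
        return False
    if not _matches(loc["includeLocations"], client_ip, named_locations):
        return False
    return "mfa" in pol["grantControls"]["builtInControls"]

CORRECT = policy(["All"], [OFFICE["id"]])  # include any location, exclude the office
TRAP = policy([OFFICE["id"]], [])          # the include/exclude mix-up
```

With `CORRECT`, a sign-in from inside the office range is not prompted and every other address is; with `TRAP`, the result is inverted.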
How to eliminate wrong answers
Option A is wrong because including the corporate office location as a condition would require MFA even when users connect from the office, which contradicts the exemption requirement.
Option C is wrong because Per-User MFA is a legacy, less flexible approach that does not support location-based exemptions via Conditional Access; trusted IPs in MFA settings only bypass MFA for the MFA prompt itself but do not integrate with the granular policy controls of Conditional Access.
Option D is wrong because targeting the corporate office location and granting access with MFA for all other locations is syntactically incorrect—Conditional Access policies grant access based on conditions, not by targeting a location to grant MFA elsewhere; the correct approach is to exclude the trusted location from the policy that requires MFA.