Back to GSO Recommendations

Conditional Access MFA Bypass Paths: Users Can Access Without Expected MFA

Why this risk matters

Most Microsoft 365 environments have at least one Conditional Access policy that enforces MFA. But having a policy is not the same as having MFA enforced. Bypass paths exist when the conditions under which MFA is required are narrower than the scenarios in which users actually sign in.

Overe flags Conditional Access configurations where MFA enforcement has gaps — users, groups, roles, applications, locations, device states, or platforms that are excluded or out of scope. These gaps mean that in certain circumstances a user can sign in to Microsoft 365 with just a password, even in an environment where admins believe MFA is fully enforced.

The problem is compounded by the fact that Conditional Access policies are evaluated at sign-in time. A bypass path that has existed for months may already have been used without any indication in the logs. The absence of alerts does not mean it has not been exploited.

What happens if this is abused

  • Attacker signs in using stolen credentials through a pathway that bypasses MFA — a trusted location, an excluded app, or a platform not covered by the policy
  • Credential-stuffed or phished credentials succeed because the MFA requirement is never triggered
  • Access obtained to Exchange Online, SharePoint, or other cloud apps without any authentication challenge
  • Attacker establishes OAuth app consent or inbox rules before MFA is eventually triggered on a different path
  • Persistent access maintained through tokens or app consents even after the bypass path is closed
  • Compromise goes undetected because no MFA failure or challenge appears in sign-in logs

When this is expected or acceptable

There are no fully acceptable MFA bypass paths for standard user access, though some configurations that appear as gaps are intentional design decisions.

Trusted location exclusions are common and appropriate when the locations are tightly controlled — corporate IP ranges, VPN exit nodes, or specific office networks. The risk is when trusted locations are too broad, stale, or include ranges no longer controlled by the organisation.

Some service accounts and automated workflows cannot satisfy MFA and require exclusion. These should be documented, monitored, and restricted to the specific application or IP range they require. Blanket exclusions covering all apps or all locations are a different risk profile.

Checks to perform before taking action

Before remediating a bypass path:

  • Review all Conditional Access policies that include an MFA grant control and map the full set of exclusions across them
  • Identify whether any users, groups, or roles are excluded from all MFA-enforcing policies
  • Check whether all Microsoft 365 applications and admin portals are within policy scope
  • Review whether trusted location definitions are current, accurate, and tightly scoped
  • Check whether any platforms — iOS, Android, legacy clients — are excluded from MFA policies
  • Identify sign-in events that did not trigger MFA and confirm whether these were expected
  • Use Overe to identify users who have recently signed in without completing an MFA challenge

Safe remediation steps

  1. Use Overe to map all users who can currently access Microsoft 365 without completing MFA
  2. For user or group exclusions, confirm whether each is documented and intentional — remove undocumented ones
  3. For trusted location exclusions, review whether the IP ranges are still accurate and tightly controlled
  4. For platform exclusions, confirm whether they are required and add compensating controls where necessary
  5. For service account exclusions, restrict them to the specific app and IP range required rather than applying a blanket exclusion
  6. Where policies conflict or have logical gaps, consolidate into a smaller number of clearly scoped policies
  7. Test changes in report-only mode before enforcing to understand the full impact

Where direct remediation is required, Overe provides links to the appropriate Microsoft admin controls to complete the action safely.

Overe Auto-Response: The Bypass MFA via Trusted IP alert can be configured in Overe to trigger automatic session revocation or account block when new IP addresses or CIDR blocks are added to MFA Trusted IPs. Review your Auto-Response settings under Org Config > Auto-Response — changes to trusted IP configuration should be treated as high-priority given the potential to silently expand MFA bypass scope.

Supporting documentation

Microsoft: Conditional Access policy conditions - https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-conditions

Microsoft: Troubleshoot Conditional Access sign-in problems - https://learn.microsoft.com/en-us/entra/identity/conditional-access/troubleshoot-conditional-access

Microsoft: Named locations in Conditional Access - https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-conditions#locations

Related risks and follow-on checks

  • Conditional Access exclusions creating risk
  • Admins with risky MFA settings
  • Unprotected admin portals
  • Legacy authentication exposure
TBD CTA