![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(284.8, 12%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELR%3C/text%3E%3C/svg%3E)
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,459 questions
Hi @Lavanya Roy • Thank you for reaching out.
When there are multiple CA policies in place with conflicting conditions, all the policies are evaluated but the most restrictive one gets applied. In your case, the first policy grants access to all users after they perform MFA, and the second policy blocks access for users from the specified countries. When users from the US try to sign in, they will be within the scope of both the policies, and after evaluating both the policies, the most restrictive one gets applied.
Ideally, the WhatIf tool should show both the policies but I've seen "not enough information" is returned when the tool is not able to map the conditions to the policies and requires you to relax the conditions. For the policies with "not enough information", try running the query without IP and country.
-----------------------------------------------------------------------------------------------------------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.