This simply states that if a user is outside of the IP range or Country specified, then they will be asked for 2FA. if it is enabled on their account.
Should they provide a correct code, they will login. Otherwise, they will be blocked out.
If they do not have 2FA setup, then they will be blocked regardless.