@plembo
Last active April 24, 2025 01:36
Disable MFA for an individual Azure AD User

Disabling MFA for an Azure AD User

Azure AD MFA is not enabled by default for AAD and Microsoft 365 users, but it will be if during setup an admin chooses to Enable Security Defaults on Azure AD (as most will when prompted to do so: after all, who in their right mind wouldn't require MFA?).

However, there are situations where being able to toggle MFA on or off for a particular user can be useful. One example is a development or test tenant where you are working with sample code from Microsoft that doesn't account for MFA (like a simple Microsoft Graph console app). This procedure involves disabling Security Defaults on AAD.

There may be licensing/billing issues with doing this. As of this writing Security Defaults are the official way to enable MFA without a costly Premium (P1 or P2) AAD subscription. My current learning environment uses a "free" developer sandbox (courtesy of the Microsoft 365 Developer Program) which comes with AAD P2, so YMMV.

Here are the steps:

  1. Go to the AAD Admin Center. Drill down to Azure Active Directory... Manage... Properties... Manage Security defaults and select No to "Enable Security Defaults", then Save.

  2. Next, go to Azure Active Directory... Manage... Users... Click on the ellipsis (...) and then the Multi-Factor Authentication link (if the link is greyed-out, Security Defaults are still enabled).

  3. The link will jump you out to a "multi-factor authentication" page. There select a user or users and then click on Disable under "quick steps" if MFA is currently Enabled for them. Answer Yes to confirm. To re-enable MFA for that user, select them again and click Enable. Note you may have to go through MFA setup for that user after enabling.

NOTES:

  1. The styling of the "multi-factor authentication" page is just cheesy enough for me to think it is a temporary quick-fix and will probably be replaced at some point in the future.

  2. I personally recommend always using Microsoft's Security Defaults unless special circumstances exist, and then only so long as necessary. MFA has proved itself as one of the most effective means of foiling system incursions, and anyone who fails to deploy it wherever they can is a fool.
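
One way to follow note 2 in practice, as an added example that is not part of the original gist: a Python check that reports when Security Defaults (a tenant-wide switch) is still off and which users have per-user MFA disabled without a current exception. It assumes the Microsoft Graph properties `isEnabled` (on identitySecurityDefaultsEnforcementPolicy) and `perUserMfaState` (on a user's authentication requirements), that no Conditional Access policy covers these users, and a hypothetical local exception list; all sample data is constructed.

```python
from datetime import date


def audit_mfa(policy, user_requirements, exceptions, today):
    """Return findings for a tenant where MFA may have been switched off.

    policy            -- Graph identitySecurityDefaultsEnforcementPolicy object
    user_requirements -- {UPN: Graph authentication/requirements object}
    exceptions        -- {UPN: expiry date}, a hypothetical local allowlist
    """
    if policy.get("isEnabled"):
        # Security Defaults on: baseline MFA applies, and "disabled" is
        # simply the default per-user state, so there is nothing to report.
        return []
    findings = ["tenant: Security Defaults disabled"]
    for upn, req in sorted(user_requirements.items()):
        if req.get("perUserMfaState") != "disabled":
            continue  # "enabled" or "enforced": per-user MFA still required
        expiry = exceptions.get(upn)
        if expiry is None:
            findings.append(f"{upn}: MFA disabled with no recorded exception")
        elif expiry < today:
            findings.append(f"{upn}: MFA exception expired {expiry.isoformat()}")
    return findings


# Constructed sample data shaped like the Graph responses (not real tenant data).
SAMPLE_POLICY = {"isEnabled": False}
SAMPLE_USERS = {
    "graph-test@contoso.example": {"perUserMfaState": "disabled"},
    "old-demo@contoso.example": {"perUserMfaState": "disabled"},
    "intern@contoso.example": {"perUserMfaState": "disabled"},
    "admin@contoso.example": {"perUserMfaState": "enforced"},
}
SAMPLE_EXCEPTIONS = {
    "graph-test@contoso.example": date(2025, 6, 30),  # still valid
    "old-demo@contoso.example": date(2025, 1, 31),    # lapsed
}

if __name__ == "__main__":
    for finding in audit_mfa(SAMPLE_POLICY, SAMPLE_USERS,
                             SAMPLE_EXCEPTIONS, date(2025, 4, 24)):
        print(finding)
```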

Resources:

Azure Active Directory security defaults

Enable per-user Multi-Factor Authentication

@paritoshnice

Hi,

I want to exclude all types of MFA for some programmatically created users that reside in a particular group and for a particular App registered in the MS Teams account. Could you please let me know how I can do it for conditional MFA?

I am creating users by code, which are assigned to the group by their principal name pattern. I am using these users to create some app subscriptions for other normal users present in the MS Teams account. Therefore these dynamically created users should not be part of any conditional MFA.

I tried with Conditional MFA (Require MFA for All users).
I gave the group name and app name in the exclude section, but it's not working. When I turn off the conditional MFA then I am able to create a subscription using these users.

@plembo
Author

plembo commented Dec 1, 2021

Yours is a complex requirement that's beyond me. You should post it to the Microsoft community forums to see if anyone there can come up with a solution.

@sdokmak

sdokmak commented Nov 30, 2022

@paritoshnice how'd you go?

@mendhak

mendhak commented Nov 30, 2022

Thanks, I'm amazed how hidden away the options are

@MrGeorgo404

@plembo I do have a problem with this: "Next, go to Azure Active Directory... Manage... Users... Click on the ellipsis (...) and then the Multi-Factor Authentication link". What is the "ellipsis"? Where is it supposed to be? I checked a B2C tenant as well as a B2B tenant and I have not found what you are describing. Is it supposed to be some kind of button or?

@plembo
Author

plembo commented Mar 16, 2023

@GregorGrinc I hesitate to offer an image, because it has been 2 years since I looked at this and so many things have changed (and are constantly changing) in the interface, but here it is: https://github.com/plembo/onemoretech/blob/main/img/PerUserMFA.png

The "ellipsis" is the three horizontal dots at the far right of the Users page, often referred to as an "overflow menu". Click on that to get to the "new and approved" menu items. Please note that when I wrote this I wasn't working with either a B2C or B2B tenant. As stated at the outset, this was discovered on a free developer tenant that at the time had a limited P2 license. Always check the latest official documentation, and then go to the many Microsoft oriented discussion boards for further clarification.

@chrisrickard

chrisrickard commented Mar 24, 2023

@plembo thank you, very helpful. Lucky I saw this before MS changed the UI ;)

@bitroniq

I had the same issue.

Suddenly all users started getting

your organization needs more information to keep your account secure

No way to bypass this.

What helped me was:

  1. image
  2. image

@ZjTham

ZjTham commented Apr 23, 2025

Hi @bitroniq, I have already disabled the Security defaults, but all users are still getting the error.

It feels like the error is from Azure. I checked at the 365 admin center and mysignins.microsoft.com/security-info; MFA is already disabled or removed.

At Azure, Password reset > Auth Methods, I tried to disable Microsoft Authenticator, but no use.

Has the Azure MFA policy changed or something? By the way, the Azure tenant is newly created; when I logged in for the first time, it forced me to enable MFA for the admin account.

So after enabling it, I set up the other users, then I removed the MFA for the admin account from mysignins.microsoft.com/security-info and disabled the Security defaults in Azure (it seems that for a newly created tenant, this setting is enabled by default).

When I log in using the admin account or other user accounts, I keep getting this error.

Is there any place that I missed?

Thanks in advance.

@ZjTham

ZjTham commented Apr 23, 2025

2025-04-23_17h52_29
Found it, is it this setting? But it seems like it needs a Microsoft Entra ID P2 license to be allowed to edit it.

Is there any workaround?

@plembo
Author

plembo commented Apr 23, 2025

Unfortunately, I no longer have access to AAD (Entra Id) due to Microsoft's ending the free M365 Developer tenant program (you can still get a tenant if you buy a Visual Studio subscription for $$$), so I really can't help.

@ZjTham

ZjTham commented Apr 24, 2025

> Unfortunately, I no longer have access to AAD (Entra Id) due to Microsoft's ending the free M365 Developer tenant program (you can still get a tenant if you buy a Visual Studio subscription for $$$), so I really can't help.

Thanks for answering, I'll see what else can be done as a workaround.
