Azure AD MFA is not enabled by default for AAD and Microsoft 365 users, but it will be if during setup an admin chooses to Enable Security Defaults on Azure AD (as most will when prompted to do so: after all, who in their right mind wouldn't require MFA?).
However, there are situations where being able to toggle MFA on or off for a particular user can be useful. For example, in a development or test tenant when working with sample code from Microsoft that doesn't account for MFA (like a simple Microsoft Graph console app). This procedure involves disabling Security Defaults on AAD.
There may be licensing/billing issues with doing this. As of this writing Security Defaults are the official way to enable MFA without a costly Premium (P1 or P2) AAD subscription. Bear in mind that Security Defaults do more than require MFA: they also require every user to register for MFA, require MFA for administrators, and block legacy authentication protocols (for example basic-auth POP/IMAP/SMTP clients), so turning them off drops all of those protections at once, not just the per-user MFA prompt. My current learning environment uses a "free" developer sandbox (courtesy of the Microsoft 365 Developer Program) which comes with AAD P2, so YMMV.
Here are the steps:
- Go to the AAD Admin Center. Drill down to Azure Active Directory... Manage... Properties... Manage Security defaults, select No for "Enable Security Defaults", then Save.
- Next, go to Azure Active Directory... Manage... Users... Click on the ellipsis (...) and then the Multi-Factor Authentication link (if the link is greyed-out, Security Defaults are still enabled).
- The link will jump you out to a "multi-factor authentication" page. There select a user or users and then click on Disable under "quick steps" if MFA is currently Enabled for them. Answer Yes to confirm. To re-enable MFA for that user, select them again and click Enable. Note you may have to go through MFA setup for that user after enabling, because Enabled means the user is prompted to register at next sign-in (the state changes to Enforced once registration is complete).
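The same three steps scripted against Microsoft Graph, as an added example that is not part of the original post. It assumes the Microsoft Graph PowerShell SDK (the Microsoft.Graph module) is installed, that you sign in as a Global Administrator of a dev/test tenant, and that the per-user MFA state resource (users/{id}/authentication/requirements with its perUserMfaState property) is available on the beta endpoint for your tenant. The permission scopes requested, the $UserPrincipalName and $TargetState parameters, and the Toggle-PerUserMfa function name are my own choices, not anything taken from the post or from Microsoft's documentation.

```powershell
# Added example, not from the original post: scripted equivalent of the portal steps.
# Assumptions: Microsoft.Graph module installed; caller is a Global Administrator of a
# dev/test tenant; the beta endpoint exposes users/{id}/authentication/requirements.
# Scope names below are assumptions; adjust if consent fails in your tenant.

function Toggle-PerUserMfa {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        # 'enforced' also exists as a state; the portal's Enable button sets 'enabled'.
        [ValidateSet('enabled', 'disabled')] [string] $TargetState = 'disabled'
    )

    Connect-MgGraph -NoWelcome -Scopes @(
        'Policy.Read.All',
        'Policy.ReadWrite.ConditionalAccess',      # toggles Security Defaults
        'Policy.ReadWrite.AuthenticationMethod',   # assumed scope for perUserMfaState
        'User.Read.All'
    )

    # Step 1: the per-user MFA page is greyed out while Security Defaults are on, and the
    # state change is rejected for the same reason, so check first and turn them off.
    $defaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
    if ($defaults.IsEnabled) {
        Write-Warning ('Security Defaults are enabled; disabling them also removes the ' +
                       'legacy-auth block and the admin MFA requirement for the whole tenant.')
        Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$false
    }

    # Steps 2 and 3: locate the user and read the current per-user MFA state.
    $user = Get-MgUser -UserId $UserPrincipalName -Property Id, UserPrincipalName
    $uri  = "https://graph.microsoft.com/beta/users/$($user.Id)/authentication/requirements"
    $before = (Invoke-MgGraphRequest -Method GET -Uri $uri).perUserMfaState

    if ($before -eq $TargetState) {
        Write-Host "$($user.UserPrincipalName) is already '$TargetState'; nothing to do."
    } else {
        # Equivalent of selecting the user and clicking Disable/Enable under "quick steps".
        Invoke-MgGraphRequest -Method PATCH -Uri $uri `
            -Body @{ perUserMfaState = $TargetState } -ContentType 'application/json'
    }

    # Re-read rather than trust the PATCH: this is the check a practitioner wants.
    $after = (Invoke-MgGraphRequest -Method GET -Uri $uri).perUserMfaState
    if ($after -ne $TargetState) {
        throw "Expected '$TargetState' for $($user.UserPrincipalName) but tenant reports '$after'."
    }

    [pscustomobject]@{
        User                    = $user.UserPrincipalName
        PerUserMfaBefore        = $before
        PerUserMfaAfter         = $after
        SecurityDefaultsEnabled = (Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy).IsEnabled
    }
}

# Usage (dev/test tenant only):
#   Toggle-PerUserMfa -UserPrincipalName 'dev.user@contoso.onmicrosoft.com' -TargetState disabled
#   Toggle-PerUserMfa -UserPrincipalName 'dev.user@contoso.onmicrosoft.com' -TargetState enabled
```

When you are finished testing, put the tenant back with `Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$true`; that call fails if any Conditional Access policy is enabled, because Security Defaults and Conditional Access cannot be on at the same time.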
NOTES:
- The styling of the "multi-factor authentication" page is just cheesy enough for me to think it is a temporary quick-fix and will probably be replaced at some point in the future.
- Security Defaults and Conditional Access are mutually exclusive: you cannot turn Security Defaults back on while any Conditional Access policy is enabled, so if you are on a P1/P2 tenant and have built Conditional Access policies in the meantime, those policies, not Security Defaults, become your MFA enforcement.
- I personally recommend always using Microsoft's Security Defaults unless special circumstances exist, and then only for as long as necessary. MFA has proved itself one of the most effective means of foiling system incursions, and anyone who fails to deploy it wherever they can is a fool.