How to disable MFA for a single user

COTM admin 10 Reputation points
2023-09-26T23:34:42.9666667+00:00

How can I disable MFA for a single user in Azure?

Windows Server Security

2 answers

  1. Limitless Technology 43,966 Reputation points
    2023-09-27T08:32:21.31+00:00

    Hello COTM admin,

    The answer is very straightforward. You can disable MFA for a single user as follows:

    Go to Microsoft 365 admin center -> Users -> Active users -> Select the user -> Manage multifactor authentication -> Select the user -> Disable multi-factor authentication.

    --If the reply is helpful, please Upvote and Accept as answer--


  2. Ben Gibson 0 Reputation points
    2024-05-02T20:12:51.43+00:00

    In my experience, the answer is anything but straightforward, in most cases. The exact process depends on a host of various factors, including what policies are in place, admin permissions of the user, Azure subscriptions, whether this is for a new user or an existing user, (if it is an existing user) whether MFA has already been configured on the account, and much more.

    The complexities involved are probably why it is so hard to find a clear AND accurate answer to this seemingly-simple question that works for everyone.

    With that said, for smaller organizations using Microsoft 365 Basic or Premium licenses with no additional Azure subscriptions who are trying to disable MFA for a user that has already registered for it, I think this GUI-only, non-PowerShell process might answer the question:

    1. Disable Security Defaults for the organization. (If this is enabled, it acts as an “override all” and gives no flexibility to disable individual users, regardless of what you seem to see elsewhere in the admin environment.)
      1. https://portal.azure.com/#blade/Microsoft_AAD_ConditionalAccess/SecurityDefaults
      2. Alternatively, scroll to the bottom of this page and click the “Manage security defaults” link: https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Properties
    2. Ensure that MFA is disabled for the user in question. https://account.activedirectory.windowsazure.com/UserManagement/MultifactorVerification.aspx?BrandContextID=O365
      1. Optionally, ensure that MFA is enabled or enforced for all other users. (HIGHLY recommended!)
    3. Revoke previous MFA configurations on the user.
      1. https://entra.microsoft.com/#view/Microsoft_AAD_UsersAndTenants/UserManagementMenuBlade/~/AllUsers/menuId/
      2. Select the user from the list
      3. In the “Manage” section of the left menu for the user, select “Authentication methods”
      4. From the toolbar above the resulting pane, click “Revoke multifactor authentication sessions”. You may need to click the ellipsis (three dots) on the toolbar to view that choice.

    Again, there are myriads of places to invoke policies and set other MFA-related settings, so this process will definitely not work for everyone's environment. The above links will likely change in time, and I may even have left out some prerequisite steps! But hopefully it gives some clarity to someone.

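The following read-only check is an added example, not part of either answer: it reports the state that the three steps in the second answer change, so an administrator can confirm that only the intended account ended up without per-user MFA. It assumes the Microsoft Graph PowerShell SDK is installed; the UPN is a placeholder, and the scopes and the beta `authentication/requirements` endpoint are assumptions to verify against your tenant.

```powershell
# Added example: audits the result of the steps above. Makes no changes.
$exemptUpn = 'exempt.user@example.com'   # placeholder, not from the page

# Scopes are an assumption; adjust to what your tenant requires.
Connect-MgGraph -Scopes 'Policy.Read.All','User.Read.All','UserAuthenticationMethod.Read.All'

# Step 1: Security Defaults. While enabled, it overrides per-user settings.
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
Write-Output "Security defaults enabled: $($sd.IsEnabled)"

# Steps 2 and 2.1: per-user MFA state for every enabled account.
$users = Get-MgUser -All -Filter 'accountEnabled eq true' -Property Id,UserPrincipalName
$report = foreach ($u in $users) {
    # Assumed endpoint: returns perUserMfaState (disabled, enabled or enforced).
    $uri = "https://graph.microsoft.com/beta/users/$($u.Id)/authentication/requirements"
    $req = Invoke-MgGraphRequest -Method GET -Uri $uri
    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        PerUserMfaState   = $req.perUserMfaState
        IntendedExemption = ($u.UserPrincipalName -eq $exemptUpn)
    }
}

# Accounts other than the intended one that are left at 'disabled'.
# With Security Defaults off, these rely on other policies (for example
# Conditional Access), which this script does not evaluate.
$unexpected = $report | Where-Object {
    $_.PerUserMfaState -eq 'disabled' -and -not $_.IntendedExemption
}
if ($unexpected) {
    Write-Warning "$(@($unexpected).Count) other enabled account(s) have per-user MFA disabled:"
    $unexpected | Format-Table UserPrincipalName, PerUserMfaState
} else {
    Write-Output 'No unexpected accounts with per-user MFA disabled.'
}

# Step 3: authentication methods still registered on the exempt account.
Get-MgUserAuthenticationMethod -UserId $exemptUpn | ForEach-Object {
    $_.AdditionalProperties['@odata.type']
}
```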