question

0 Votes
AgatSaaS-6528 asked ITON-Technologies-TomaszWieczorkowski answered

How to disable MFA from Azure AD

I want to disable MFA in Azure AD.
When I go to Azure AD -> Users -> Multi Factor Authentication, I can see that MFA is disabled.
However, whenever I log in to the Azure Portal I am required to enter a code sent to my mobile device. Why is that?

Another thing, each user is required to use MFA. I do not want to force that. How can I disable this?

azure-active-directory

Yes I will shut MFA it disable are enable

0 Votes 0 ·

Did you also consider the fact that conditional access requires Azure AD premium? Microsoft just creates a matrix of permutations and combinations. Just give a simple policy to allow certain users not to have MFA, instead of making me turn off all of the security defaults (looks scary, and is that the marketing trick to make me buy premium? I would rather pay for AWS). I cannot even see what I miss when I turn off security defaults. Microsoft has this licensing mentality that makes it difficult to create a user/customer friendly product.

0 Votes 0 ·

Thank you very much for your post. I have been looking for a solution for hours. Thanks to you, it is done. Thank you.

0 Votes 0 ·

Did you ever find a result to this please?

I have checked:
1. MFA service portal and all my users are set to disabled
2. Have checked the Properties and Security defaults and this is also off

My issue is when setting up MEM autopilot, just as it goes to log the user in, I get the "more information required" which forces the user to enter a mobile.

We're slowly migrating from on prem to AAD, so didn't want MFA until we had everyone moved across.

Anyone have any ideas please?



0 Votes 0 ·

It's Windows Hello for Business.

We have students using autopilot devices so had to disable it so that it didn't ask them this question on first sign in

2 Votes 2 ·
9 Votes
michev answered dannyyoo commented

This is most likely because of the Security defaults feature: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults
Read the article above to learn more about it, including how to disable it if needed (although not recommended).


The only correct/useful answer

5 Votes 5 ·

This was my problem as well. It can only be attributed to user error because it clearly states in the Admin panel that users will have 14 days to set up Microsoft MFA when security defaults are turned on. I just did not read or comprehend it.

0 Votes 0 ·

Thank you so much! All users have been bugging me about turning that off. Googling the right keywords led me here after 20min.

0 Votes 0 ·

Thank you.

0 Votes 0 ·
4 Votes
soumi-MSFT answered KieferjoeCopp-1586 commented

@AgatSaaS-6528, There are only two ways to enable and disable Azure MFA in AAD.

  1. Using Conditional Access policies

  2. Using the MFA service portal


If MFA for the users has been enabled using the CA policy, then it can be disabled only through the CA policy, and if it's enabled through the MFA service portal, then you can go to the service portal and select the users for whom you want MFA to be disabled.

Hope this helps.

Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as "Answer" if the above response helped in answering your query.




NOPE Wrong - the correct answer was submitted by michev

0 Votes 0 ·

No it wasn't at all, so keep your petulant posting to yourself. I have this feature disabled but have the same fault as the person that posted. People like you need banning from forums literally just bad energy and not helpful at all!

0 Votes 0 ·
1 Vote
jLight answered cmitnf-0877 commented

What is your use case? Best practice is to have MFA enabled but set Conditional Access to whitelist things, like your Office IP address or even registered devices.



Well, my use case is that I'm working through some tutorials on docs.microsoft.com and the example console apps don't account for MFA. I'm thinking it would probably be quicker to disable MFA for my test user than to wait for those tutorials to be rewritten.

0 Votes 0 ·

While you're testing, you can create a Conditional Access to exempt your account from requiring MFA.
If you can provide the specific guides you're following - we can probably provide the solution or workaround. i.e. with PowerShell for O365, there are ways how to connect when MFA is enabled... You don't have to wait ;) Solutions are out there!

0 Votes 0 ·

Just what I needed - a lecture on MFA
Very annoying and not helpful. I want to control MFA from the MFA management in Exchange. Not a global override.

0 Votes 0 ·
0 Votes
ViaguladasRinaldo-2277 answered

As ColinSmith mentioned, this could be coming from the local "Windows Hello PIN".

Here's how to disable it from the Registry:

  1. Press the Windows key and the R key together to open the Run dialog.

  2. Type regedit in the box and click OK to continue.

  3. Navigate to the path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Settings\AllowSignInOptions.

  4. In the right panel, double-click on the DWORD entry named value and set it to 0.

Have a great day!


0 Votes
ITON-Technologies-TomaszWieczorkowski answered

Within Azure AD there are 3 methods to configure MFA.

  1. By default there is an Azure Active Directory setting called "Security Defaults". You can enable/disable it in Azure Portal -> Azure Active Directory -> Properties -> Manage security defaults (link at the bottom of the page) -> Enable/Disable. If you disable it, MFA will no longer be the default for all users and will be controlled by point 2 or 3 described below.

  2. Manual per-user MFA. You can find and configure this in Azure Active Directory: Azure Portal -> Azure Active Directory -> Users -> per-user multifactor authentication. There you can select all or single users and set them to MFA Disabled/Enabled/Enforced. In general it is recommended to use MFA as it improves the user authentication security layer. But there are cases where there may be a requirement to disable MFA for particular or all accounts, e.g. a business-critical application which cannot function with MFA enabled (or just user laziness or will). It is a rare case - most modern applications support MFA - but there is such a possibility.

  3. Conditional Access - if you have an Azure Active Directory Premium P1 or P2 license, then you can disable Microsoft security defaults and next implement Conditional Access (policies) to e.g. enforce MFA for the Global Administrators, administrative accounts and general users, but for example exclude MFA for specific accounts, e.g. for those business-critical legacy apps which do not support MFA, or just for a "lazy" user who does not want to use MFA (not recommended, but it is possible to configure). A strong password would be a good practice in that case to have some minimal security at least. Within the Conditional Access policy you can configure additional elements to improve the security.


If you would like to configure Conditional Access and have some knowledge about MFA, a good article has been mentioned above:

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults

and one more:

https://docs.microsoft.com/en-us/microsoft-365/admin/security-and-compliance/set-up-multi-factor-authentication

Best regards,
Tomasz Wieczorkowski
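
The three mechanisms listed in the answer above can each trigger an MFA prompt on their own, which is why the per-user page can show "Disabled" while sign-ins still ask for a code. The following is an added example, not part of the original answer or of any Microsoft tooling: a small offline check that reports which mechanism puts a given user in scope. The tenant data is constructed; `isEnabled`, `state`, `grantControls.builtInControls` and `conditions.users` follow the Microsoft Graph JSON shapes, while `perUserMfaState`, `groups` and all ids are assumed names for an exported user record.

```python
# Added example: offline diagnosis of which MFA mechanism applies to a user.
# All data below is constructed; role-based CA scoping is not modelled.

def ca_policy_applies(policy, user):
    """True if an enforced CA policy with an MFA grant control has this user in scope."""
    if policy.get("state") != "enabled":      # skips disabled and report-only policies
        return False
    controls = (policy.get("grantControls") or {}).get("builtInControls", [])
    if "mfa" not in controls:
        return False
    scope = (policy.get("conditions") or {}).get("users") or {}
    memberships = {user["id"], *user.get("groups", [])}
    excluded = set(scope.get("excludeUsers", [])) | set(scope.get("excludeGroups", []))
    if memberships & excluded:                # exclusions override inclusions
        return False
    included = set(scope.get("includeUsers", [])) | set(scope.get("includeGroups", []))
    return "All" in included or bool(memberships & included)

def mfa_sources(user, security_defaults, ca_policies):
    """List every mechanism that can make this user's sign-in ask for MFA."""
    sources = []
    if security_defaults.get("isEnabled"):
        sources.append("security defaults")
    if user.get("perUserMfaState", "disabled") in ("enabled", "enforced"):
        sources.append("per-user MFA")
    sources += ["conditional access: " + p["displayName"]
                for p in ca_policies if ca_policy_applies(p, user)]
    return sources

# Constructed sample tenant export.
POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "grantControls": {"builtInControls": ["mfa"]},
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeGroups": ["grp-legacy-app"]}}},
    {"displayName": "Pilot MFA", "state": "enabledForReportingButNotEnforced",
     "grantControls": {"builtInControls": ["mfa"]},
     "conditions": {"users": {"includeUsers": ["All"]}}},
]
ALICE = {"id": "alice", "groups": [], "perUserMfaState": "disabled"}
SVC = {"id": "svc-legacy", "groups": ["grp-legacy-app"], "perUserMfaState": "disabled"}

if __name__ == "__main__":
    print(mfa_sources(ALICE, {"isEnabled": True}, []))         # the asker's situation
    print(mfa_sources(ALICE, {"isEnabled": False}, POLICIES))
    print(mfa_sources(SVC, {"isEnabled": False}, POLICIES))
```

An empty list for an account means none of the three mechanisms covers it, so any excluded account such as the constructed `svc-legacy` is one to review for the compensating controls the answer mentions.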

