0 Votes
timrichards-9940 asked ·

How to disable a user's MFA when their status already shows as disabled

Hello there

During our project to get users configured in Azure MFA we have gone in to the O365 admin center - users - active users - multifactor authentication, finding the user and enabling MFA so they get the 'more information' screen to set up their MS Authenticator app so their MFA status shows as 'enforced'.

However, some users didn't go through that process and instead went to aka.ms/mfasetup. After they configure MFA their user account in the O365 admin center - users - active users - multifactor authentication still shows them as 'disabled'. Our issue is that we sometimes have to remove their MFA (i.e. disable) but are unable to as their status is already 'disabled'.

We are unable at this stage to use conditional access, so we were wondering if there was a way out there for this to be done.

azure-ad-multi-factor-authentication

1 Answer

0 Votes
amanpreetsingh-msft answered ·

Hi @timrichards-9940 · Thank you for reaching out.

When MFA is not enabled using the Multi-factor Authentication Portal, and users directly go to aka.ms/mfasetup to do the MFA proofup, they just configure an MFA method, e.g., MFA phone call/text message, which populates this information in the StrongAuthenticationMethods attribute and the phone attribute under authentication methods of those users. However, as the MFA status of the users is disabled, they won't be prompted to perform MFA while accessing any cloud application protected with Azure AD authentication.

In short, they have just populated the information required to perform MFA, but they won't be prompted to perform MFA until the status is enabled in the Multi-factor Authentication Portal (unless MFA is enabled via other methods like Conditional Access or Identity Protection).

Now, if you want to clear the information that they have populated via aka.ms/mfasetup, and present them with the 'more information required' screen, you can use the PowerShell cmdlets below:

  1. Run Connect-MsolService and sign in with Global Admin Account.

  2. Run Set-MsolUser -UserPrincipalName username@your_tenant.onmicrosoft.com -StrongAuthenticationMethods @() to clear MFA information for the given user.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
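The condition described in the answer above (methods registered through aka.ms/mfasetup while the per-user MFA state is still Disabled) can be audited across the tenant before anything is cleared. The script below is an added example, not part of the original answer; it uses the same MSOnline module, and the `-Clear` switch and `$ReportPath` parameter are hypothetical names chosen for this example.

```powershell
# Added example: report users whose per-user MFA state is Disabled but who
# already registered methods (e.g. via aka.ms/mfasetup), and optionally clear them.
# Assumes the MSOnline module is installed; -Clear and $ReportPath are hypothetical names.
param(
    [switch]$Clear,                                   # without -Clear the script only reports
    [string]$ReportPath = '.\mfa-registered-not-enforced.csv'
)

Import-Module MSOnline -ErrorAction Stop
Connect-MsolService                                   # sign in with an admin account

$findings = @(foreach ($user in Get-MsolUser -All) {
    # StrongAuthenticationRequirements is empty when per-user MFA is Disabled;
    # otherwise its State is Enabled or Enforced.
    $state = 'Disabled'
    if ($user.StrongAuthenticationRequirements.Count -gt 0) {
        $state = $user.StrongAuthenticationRequirements[0].State
    }

    $methods = @($user.StrongAuthenticationMethods)
    if ($state -eq 'Disabled' -and $methods.Count -gt 0) {
        [pscustomobject]@{
            UserPrincipalName = $user.UserPrincipalName
            MfaState          = $state
            DefaultMethod     = ($methods | Where-Object IsDefault).MethodType
            RegisteredMethods = ($methods.MethodType -join ';')
        }
    }
})

# Keep a record of what was registered before anything is changed
$findings | Export-Csv -Path $ReportPath -NoTypeInformation
"{0} user(s) have registered methods while their MFA state is Disabled" -f $findings.Count

if ($Clear) {
    foreach ($f in $findings) {
        # Same call as step 2 of the answer: an empty array clears the registered methods
        Set-MsolUser -UserPrincipalName $f.UserPrincipalName -StrongAuthenticationMethods @()
        "Cleared MFA methods for $($f.UserPrincipalName)"
    }
}
```

Run it once without `-Clear` and review the CSV; users listed there have MFA details on file but are not being prompted for MFA by the per-user setting.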


Hello Amanpreet

Thanks so much for your help again. OK, so I think I understand the difference now, that's excellent.

I guess another approach to make sure all users are configured is to open their record in the MFA portal, change status to 'enabled', go to Manage User Settings and tick 'require selected users to provide contacts method again'. That way when they go through the 'more information required' steps and set up the 'authentication app' method, which is our preferred method, their status will change to Enforced and they will then get prompted?

0 Votes