@plembo
Last active April 16, 2024 12:17
Disable MFA for an individual Azure AD User

Disabling MFA for an Azure AD User

Azure AD MFA is not enabled by default for AAD and Microsoft 365 users, but it will be if, during setup, an admin chooses to enable Security Defaults on Azure AD (as most will when prompted to do so: after all, who in their right mind wouldn't require MFA?).

However, there are situations where being able to toggle MFA on or off for a particular user can be useful. One example is a development or test tenant where you are working with sample code from Microsoft that doesn't account for MFA (like a simple Microsoft Graph console app). The procedure below involves disabling Security Defaults on AAD.

There may be licensing/billing issues with doing this. As of this writing Security Defaults are the official way to enable MFA without a costly Premium (P1 or P2) AAD subscription. My current learning environment uses a "free" developer sandbox (courtesy of the Microsoft 365 Developer Program) which comes with AAD P2, so YMMV.

Here are the steps:

  1. Go to the AAD Admin Center. Drill down to Azure Active Directory... Manage... Properties... Manage Security defaults and select No to "Enable Security Defaults", then Save.

  2. Next, go to Azure Active Directory... Manage... Users... Click on the ellipsis (...) and then the Multi-Factor Authentication link (if the link is greyed-out, Security Defaults are still enabled).

  3. The link will jump you out to a "multi-factor authentication" page. There, select a user or users and then click on Disable under "quick steps" if MFA is currently Enabled for them. Answer Yes to confirm. To re-enable MFA for that user, select them again and click Enable. Note that you may have to go through MFA setup for that user after enabling.
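
An added example, not part of the original gist: a read-only PowerShell check of the two settings the steps above change, useful for confirming that Security Defaults and per-user MFA were not left off once testing is finished. It assumes the Microsoft Graph PowerShell SDK (`Microsoft.Graph.Authentication`), the Graph beta `authentication/requirements` resource and the scopes shown (check all three against the current Graph documentation); the UPNs are constructed placeholders.

```powershell
# Read-only audit: nothing here changes tenant configuration.
# Constructed placeholder accounts for a dev/test tenant.
$TestUsers = @(
    'devuser1@contoso.onmicrosoft.com',
    'devuser2@contoso.onmicrosoft.com'
)

# Scopes are an assumption of this example; adjust to what your tenant grants.
Connect-MgGraph -Scopes 'Policy.Read.All', 'User.Read.All'

# Step 1 of the procedure: tenant-wide Security Defaults (isEnabled true/false).
$sd = Invoke-MgGraphRequest -Method GET -OutputType PSObject `
    -Uri 'https://graph.microsoft.com/v1.0/policies/identitySecurityDefaultsEnforcementPolicy'

# Steps 2-3: per-user MFA state (disabled / enabled / enforced) for each account.
$report = foreach ($upn in $TestUsers) {
    try {
        $req = Invoke-MgGraphRequest -Method GET -OutputType PSObject `
            -Uri "https://graph.microsoft.com/beta/users/$upn/authentication/requirements"
        $state = $req.perUserMfaState
    }
    catch {
        # Keep going so one missing or unreadable account does not hide the rest.
        $state = "lookup failed: $($_.Exception.Message)"
    }

    [pscustomobject]@{
        User            = $upn
        PerUserMfaState = $state
        NeedsReview     = ($state -ne 'enabled' -and $state -ne 'enforced')
    }
}

"Security Defaults enabled: $($sd.isEnabled)"
$report | Format-Table -AutoSize

# With Security Defaults off, any account that is not enabled/enforced has no
# MFA requirement from either mechanism covered in this gist.
$exposed = @($report | Where-Object NeedsReview)
if (-not $sd.isEnabled -and $exposed.Count -gt 0) {
    Write-Warning "$($exposed.Count) account(s) have no MFA requirement from Security Defaults or per-user MFA."
}
```

Conditional Access policies are not inspected here, so an account flagged by this check may still be covered by one.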

NOTES:

  1. The styling of the "multi-factor authentication" page is just cheesy enough for me to think it is a temporary quick-fix and will probably be replaced at some point in the future.

  2. I personally recommend always using Microsoft's Security Defaults unless special circumstances exist, and then only so long as necessary. MFA has proved itself as one of the most effective means of foiling system incursions, and anyone who fails to deploy it wherever they can is a fool.

Resources:

Azure Active Directory security defaults

Enable per-user Multi-Factor Authentication

@paritoshnice

Hi,

I want to exclude all types of MFA for some programmatically created users that reside in a particular group, and for a particular app registered in the MS Teams account. Could you please let me know how I can do it for conditional MFA?

I am creating users by code which are assigned to the group by their principal name pattern. I am using these users to create some app subscriptions for other normal users present in the MS Teams account. Therefore these dynamically created users should not be part of any conditional MFA.

I tried with Conditional MFA (Require MFA for All users).
I gave the group name and app name in the exclude section, but it's not working. When I turn off the conditional MFA then I am able to create a subscription using these users.

@plembo
Author

plembo commented Dec 1, 2021

Yours is a complex requirement that's beyond me. You should post it to the Microsoft community forums to see if anyone there can come up with a solution.

@sdokmak

sdokmak commented Nov 30, 2022

@paritoshnice how'd you go?

@mendhak

mendhak commented Nov 30, 2022

Thanks, I'm amazed how hidden away the options are

@GregorGrinc

@plembo I do have a problem with this: "Next, go to Azure Active Directory... Manage... Users... Click on the ellipsis (...) and then the Multi-Factor Authentication link". What is the "ellipsis"? Where is it supposed to be? I checked a B2C tenant as well as a B2B tenant and I have not found what you are describing. Is it supposed to be some kind of button or?

@plembo
Author

plembo commented Mar 16, 2023

@GregorGrinc I hesitate to offer an image, because it has been 2 years since I looked at this and so many things have changed (and are constantly changing) in the interface, but here it is: https://github.com/plembo/onemoretech/blob/main/img/PerUserMFA.png

The "ellipsis" is the three horizontal dots at the far right of the Users page, often referred to as an "overflow menu". Click on that to get to the "new and approved" menu items. Please note that when I wrote this I wasn't working with either a B2C or B2B tenant. As stated at the outset, this was discovered on a free developer tenant that at the time had a limited P2 license. Always check the latest official documentation, and then go to the many Microsoft oriented discussion boards for further clarification.

@chrisrickard

chrisrickard commented Mar 24, 2023

@plembo thank you, very helpful. Lucky I saw this before MS changed the UI ;)

@bitroniq

I had the same issue.

Suddenly all users started getting

your organization needs more information to keep your account secure

No way to bypass this.

What helped me was:

  1. image
  2. image
