@plembo
Last active April 16, 2024 12:17
Disable MFA for an individual Azure AD User

Disabling MFA for an Azure AD User

Azure AD MFA is not enabled by default for AAD and Microsoft 365 users, but it will be enabled if an admin chooses to Enable Security Defaults on Azure AD during setup (as most will when prompted to do so: after all, who in their right mind wouldn't require MFA?).

However, there are situations where being able to toggle MFA on or off for a particular user can be useful. One example is a development or test tenant where you are working with sample code from Microsoft that doesn't account for MFA (like a simple Microsoft Graph console app). This procedure involves disabling Security Defaults on AAD.

There may be licensing/billing issues with doing this. As of this writing Security Defaults are the official way to enable MFA without a costly Premium (P1 or P2) AAD subscription. My current learning environment uses a "free" developer sandbox (courtesy of the Microsoft 365 Developer Program) which comes with AAD P2, so YMMV.

Here are the steps:

  1. Go to the AAD Admin Center. Drill down to Azure Active Directory... Manage... Properties... Manage Security defaults and select No to "Enable Security Defaults", then Save.

  2. Next, go to Azure Active Directory... Manage... Users... Click on the ellipsis (...) and then the Multi-Factor Authentication link (if the link is greyed-out, Security Defaults are still enabled).

  3. The link will jump you out to a "multi-factor authentication" page. There, select a user or users and then click on Disable under "quick steps" if MFA is currently Enabled for them. Answer Yes to confirm. To re-enable MFA for that user, select them again and click Enable. Note that you may have to go through MFA setup for that user after enabling.

NOTES:

  1. The styling of the "multi-factor authentication" page is just cheesy enough for me to think it is a temporary quick-fix and will probably be replaced at some point in the future.

  2. I personally recommend always using Microsoft's Security Defaults unless special circumstances exist, and then only so long as necessary. MFA has proved itself as one of the most effective means of foiling system incursions, and anyone who fails to deploy it wherever they can is a fool.
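
Because the procedure leaves Security Defaults off until someone remembers to turn them back on, here is a check for afterwards using the Microsoft Graph PowerShell SDK. It is an added example, not part of the original gist. The `-TestUsers` and `-Restore` parameters are hypothetical names, and the per-user `authentication/requirements` endpoint is assumed to be available in Graph v1.0 for your tenant.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.SignIns
param(
    [string[]]$TestUsers = @(),   # hypothetical parameter: UPNs whose per-user MFA was toggled
    [switch]$Restore              # hypothetical parameter: turn Security Defaults back on
)

# Policy.ReadWrite.ConditionalAccess is only requested when -Restore is used.
$scopes = @('Policy.Read.All')
if ($Restore) { $scopes += 'Policy.ReadWrite.ConditionalAccess' }
Connect-MgGraph -Scopes $scopes | Out-Null

# Step 1 of the procedure flips this tenant-wide policy.
$policy = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
Write-Output ("Security Defaults enabled: {0}" -f $policy.IsEnabled)

# Step 3 flips the per-user state (disabled / enabled / enforced).
# Assumption: /users/{id}/authentication/requirements is exposed in Graph v1.0;
# if the call fails, the warning below is printed and the script continues.
foreach ($upn in $TestUsers) {
    try {
        $uri = "https://graph.microsoft.com/v1.0/users/$upn/authentication/requirements"
        $req = Invoke-MgGraphRequest -Method GET -Uri $uri
        Write-Output ("{0}: per-user MFA {1}" -f $upn, $req.perUserMfaState)
    } catch {
        Write-Warning ("{0}: could not read per-user MFA state: {1}" -f $upn, $_.Exception.Message)
    }
}

# Report, and optionally undo, a tenant left without Security Defaults.
if (-not $policy.IsEnabled) {
    if ($Restore) {
        Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$true
        Write-Output 'Security Defaults re-enabled.'
    } else {
        Write-Warning 'Security Defaults are still disabled. Re-run with -Restore when testing is done.'
    }
}
```

Run it without `-Restore` to get a read-only report, which only needs the `Policy.Read.All` scope.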

Resources:

Azure Active Directory security defaults

Enable per-user Multi-Factor Authentication

@bitroniq

I had the same issue.

Suddenly all users started getting

your organization needs more information to keep your account secure

No way to bypass this.

What helped me was:

  1. image
  2. image
