Wednesday, 12 Jun 2024
Technology

How to Disable Multi-Factor Authentication (MFA) in Office 365?

Multi-factor authentication (MFA) in Microsoft 365 is a valuable security measure that provides an additional layer of protection for user accounts. However, there are certain scenarios where disabling MFA may be necessary. In this article, we will explore different methods to disable MFA in Office 365.

Disable Azure AD Security Defaults

If your Microsoft 365 tenant has enabled Security Defaults, you won’t be able to disable MFA for anyone. Follow these steps to disable Security Defaults:

  1. Log in to the Microsoft Entra admin center.
  2. Navigate to Identity → Overview → Properties.
  3. Scroll down and click the “Manage security defaults” link.
  4. On the fly-out page, select “Disabled”, choose a reason for disabling the Security Defaults, and click “Save”.
  5. When prompted, click “Disable” to confirm.

Per-User MFA

Before the introduction of Security Defaults and Conditional Access, per-user MFA was the primary method of implementation. Here are two ways to disable per-user MFA:

Disable using the Per-User MFA Portal

  1. Access the Microsoft Entra admin center.
  2. Click Users → All users → Per-user MFA.
  3. Select one or more users with the status “Enabled” or “Enforced” and click the “Disable” link.
  4. Confirm the action by clicking “Yes”.
  5. Click “Close” after the MFA status update is finished.
  6. Repeat the same steps to disable MFA for other users as needed.
Tham Khảo Thêm:  Resetting Your Mac Login Password

Disable by Adding Trusted IP Address Subnets

  1. Click “service settings”.
  2. Under “trusted IPs”, check the “Skip multi-factor authentication for requests from federated users on my intranet” box.
  3. Enter each trusted IP address subnet (CIDR) in the box – one entry per line.
  4. Scroll to the bottom and click “save”.
  5. Click “Close” once the settings update is finished.

Disable using the MSOnline PowerShell

PowerShell can be used to disable per-user MFA in bulk:

  1. Install the MSOnline module in Windows PowerShell: Install-Module MSOnline.
  2. Connect to Azure AD PowerShell by running this command: Connect-MsolService.
  3. Authenticate with your credentials when prompted.
  4. Use the command below to list users with MFA enabled:
    $perUserMFA = Get-MsolUser -All | Where-Object { $_.UserType -eq 'Member' -and $_.StrongAuthenticationRequirements.State } | Select-Object DisplayName, UserPrincipalName, @{N = "MFA State"; E = { $_.StrongAuthenticationRequirements.State } }, @{N = "Default MFA Method"; E = { if ($mfaType = ($_.StrongAuthenticationMethods | Where-Object { $_.IsDefault }).MethodType) { $mfaType } else { 'None' } } } | Sort-Object DisplayName
    $perUserMFA
  5. To disable MFA for an individual user, use the command: Set-MsolUser -UserPrincipalName [email protected] -StrongAuthenticationRequirements @().
  6. To disable the per-user MFA status for all users, run this command: Get-MsolUser -All | Set-MsolUser -StrongAuthenticationRequirements @().

Conditional Access Policy

Conditional Access Policies allow for more granular control over MFA usage. To create a Conditional Access Policy:

  1. Navigate to Identity → Protection → Conditional Access in the Microsoft Entra admin center.
  2. Click “Policies → New policy from template”.
  3. Select the “Require multifactor authentication for all users” template and click “Review + create”.
  4. Set the “Policy state” to “Report only” and click “Create”.
  5. Add exclusions by clicking “Users → Exclude → Select excluded users and groups”.
  6. Enable the policy by selecting “On” and click “Save”.
Tham Khảo Thêm:  Eyes and Teeth Alignment Issues on 3D Models

Frequently Asked Questions

Q: Can I disable MFA for specific groups of users?
Yes, by creating a Conditional Access Policy and adding exclusions.

Q: What risks should I consider when disabling MFA?
Disabling MFA should be carefully planned to avoid potential security risks. Users should be educated about alternative security measures.

Conclusion

Disabling MFA in Office 365 accounts requires careful consideration and execution to maintain security. While per-user MFA configuration is still available, it is recommended to implement MFA-related settings using Conditional Access Policies whenever possible. For more information, visit Eireview.