Multi Factor Authentication (MFA) in Microsoft 365 (Office 365) is an authentication method that requires more than one factor to be used to authenticate a user. MFA provides additional security when performing user authentication. In this article, we’ll take a look at how to disable MFA in Microsoft 365 for all users or single one.
MFA in Microsoft 365 is based on the Azure Multi-Factor Authentication service. In addition to the password, Microsoft 365 users are encouraged to use one of the following MFA verification methods:
- Confirmation with one-time password via SMS message;
- Confirmation of one-time password by phone call;
- Using the Microsoft Authenticator mobile app (available in Google Play for Android and in App Store for iOS devices). In the Microsoft Authenticator app, you can use a one-time password (6 digits) for sign-in confirmation.
You can disable MFA for a user through the Microsoft 365 Admin Center web interface or by using PowerShell.
Hint. Microsoft 365 Security Defaults must be disabled for your tenant.
- Go to Microsoft 365 Admin Center (https://admin.microsoft.com/) and sign-in under an account with tenant Global administrator permissions;
- Go to Users > Active Users;
- Click on Multi-factor authentication;
- A page will appear with a list of users in your Microsoft 365 tenant and the MFA status for each of them;
- To disable MFA for a user, click on it;
- Several buttons will appear in the right column (Quick Steps) which allow to enable, disable MFA, or configure user settings;
- Click on Disable and confirm to disable MFA for the user.
On the Service Settings tab, you can configure additional MFA options. Here you can:
- Add a list of trusted IP subnets, which users don’t need to use MFA;
- Enable/disable certain MFA methods.
You can enable or disable MFA for a Microsoft 365 (Office 365) user using PowerShell. To accomplish this task, you need to use the MSOnline PowerShell module.
Check if the MSOnline module is installed on your computer:
Get-Module -Name MSOnline
If the module is missing, install it:
Install-Module MSOnline
Connect to your Microsoft 365 tenant:
$MSOCred = Get-Credential Connect-MsolService -Credential $MSOCred
Hint. The Get-MsolUser cmdlet is used in the MSOnline module to get the user account detail.
To check if MFA is enabled or disabled for a specific user, run the commands:
$user=Get-MsolUser –UserPrincipalName PattiF@theitbros.onmicrosoft.com
$user| select DisplayName,UserPrincipalName,@{N="MFA Status"; E={ if( $_.StrongAuthenticationMethods.IsDefault -eq $true) {($_.StrongAuthenticationMethods | Where IsDefault -eq $True).MethodType} else { "Disabled"}}}
In this example, MFA is enabled for the user through the Microsoft Authenticator mobile app (PhoneAppNotification).
Hint. One of four MFA methods can be enabled for the user:
PhoneAppOTP
PhoneAppNotification
OneWaySMS
TwoWayVoiceMobile
To display the MFA status for all Microsoft 365 tenant users, run:
$users= Get-MsolUser -all
$users| select DisplayName,UserPrincipalName,@{N="MFA Status"; E={ if( $_.StrongAuthenticationMethods.IsDefault -eq $true) {($_.StrongAuthenticationMethods | Where IsDefault -eq $True).MethodType} else { "Disabled"}}}|Format-Table
To disable MFA for a specific user, run the command:
Get-MsolUser -UserPrincipalName PattiF@theitbros.onmicrosoft.com| Set-MsolUser -StrongAuthenticationRequirements @()
- Installing Active Directory Users and Computers (ADUC) Snap-in on Windows 11/10 - October 5, 2022
- How to Enable Root Login on Ubuntu? - October 1, 2022
- Fix: StartTLS is Required to Send Email - October 1, 2022
Where is trusted IPs.
What “Service Settings” tab.
Please explain path to configurations better.