How to Disable Multi Factor Authentication (MFA) in Office 365?

Multi-Factor Authentication (MFA) in Microsoft 365 (formerly Office 365) is an authentication method that requires more than one factor to authenticate a user. MFA provides additional security when performing user authentication. In this article, we’ll take a look at how to disable MFA in Microsoft 365 for a single user or for multiple users.

MFA in Microsoft 365 is based on the Azure Multi-Factor Authentication service. In addition to the password, Microsoft 365 users are encouraged to use one (or several) of the following MFA verification methods:

  • Confirmation with a one-time password via SMS message;
  • Confirmation of one-time password by a phone call;
  • Using the Microsoft Authenticator mobile app (available in Google Play for Android and App Store for iOS devices). In the Microsoft Authenticator app, you can use a one-time password (6 digits) for sign-in confirmation.

Important. Microsoft recommends that you always use MFA to protect user accounts from phishing attacks and compromised passwords.

MFA is currently enabled by default for all new Azure tenants. To allow disabling MFA for your Microsoft 365 users, you need to disable the Microsoft 365 Security Defaults for your tenant.

Note. Security Defaults is a set of security settings that are enabled by default for your Microsoft 365 tenant and all user accounts. One of the enabled Azure Security Defaults options requires each user and administrator to configure Multi-Factor Authentication on first sign-in (a request to configure MFA appears on each user sign-in).

To disable Security Defaults in Azure:

  1. Go to the Azure Portal https://portal.azure.com and sign in with the global admin account for your tenant;
  2. Go to Azure Active Directory > Properties and click the Manage Security Defaults link;
  3. An Enable security defaults switch (Yes/No) will appear;
  4. Change its value to No and specify one of the reasons why you are disabling this security mechanism.
  5. After that, users will no longer be prompted to set up Multi-Factor Authentication each time they log in.

Now you can disable MFA for a user through the Microsoft 365 Admin Center web interface or by using PowerShell.

Disable MFA Through the Microsoft 365 Admin Center Portal

  1. Go to Microsoft 365 Admin Center (https://admin.microsoft.com/) and sign in with an account that has tenant Global administrator permissions;
  2. Go to Users > Active Users;
  3. Click on Multi-factor authentication;
  4. A page will appear with a list of users in your Microsoft 365 tenant and the MFA status for each of them (this window doesn’t show if the user has completed the MFA process and it doesn’t indicate which MFA authorization option the user enabled);
  5. To disable MFA for a user, click on that user;
  6. Several buttons will appear in the right column (Quick Steps) that let you enable or disable MFA, or configure user settings;
  7. Click on Disable and confirm to disable MFA for the user.

On the Service Settings tab, you can configure additional MFA options.

Here you can:

  • Add a list of trusted IP subnets from which users don’t need to use MFA;
  • Enable/disable certain MFA methods;
  • Allow users to remember multi-factor authentication on devices they trust (from one to 365 days).

How to Disable MFA in Microsoft 365 with PowerShell?

You can enable or disable MFA for a Microsoft 365 (Office 365) user using PowerShell. To accomplish this task, you need to use the MSOnline PowerShell module.

Check if the MSOnline module is installed on your computer:

Get-Module -Name MSOnline

If the module is missing, install it:

Install-Module MSOnline

Connect to your Microsoft 365 tenant:

$MSOCred = Get-Credential

Connect-MsolService -Credential $MSOCred

Hint. The Get-MsolUser cmdlet is used in the MSOnline module to get the user account details.

To check if MFA is enabled or disabled for a specific user, run the commands:

$user=Get-MsolUser -UserPrincipalName PattiF@theitbros.onmicrosoft.com

$user| select DisplayName,UserPrincipalName,@{N="MFA Status"; E={ if( $_.StrongAuthenticationMethods.IsDefault -eq $true) {($_.StrongAuthenticationMethods | Where IsDefault -eq $True).MethodType} else { "Disabled"}}}

In this example, MFA is enabled for the user through the Microsoft Authenticator mobile app (PhoneAppNotification).

Hint. One of four MFA methods can be enabled for the user:

  • PhoneAppOTP
  • PhoneAppNotification
  • OneWaySMS
  • TwoWayVoiceMobile

To display the MFA status for all Microsoft 365 tenant users, run:

$users= Get-MsolUser -all

$users| select DisplayName,UserPrincipalName,@{N="MFA Status"; E={ if( $_.StrongAuthenticationMethods.IsDefault -eq $true) {($_.StrongAuthenticationMethods | Where IsDefault -eq $True).MethodType} else { "Disabled"}}}|Format-Table

This PowerShell script returns MFA Status = Disabled if the user has not configured MFA or MFA is disabled. If MFA is enabled, this field indicates which authentication method is configured for the user.

To disable MFA for a specific user, run the command:

Get-MsolUser -UserPrincipalName PattiF@theitbros.onmicrosoft.com| Set-MsolUser -StrongAuthenticationRequirements @()

In order to disable MFA for all Microsoft 365 user accounts:

Get-MsolUser -All | Set-MsolUser -StrongAuthenticationRequirements @()
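Before running either command above, it helps to record the current state so the change can be reviewed and reversed. The following is an added example, not code from the original article: it combines the per-user requirement state (StrongAuthenticationRequirements.State) with the registered default method and writes a CSV snapshot. The function name, the -AdminUpn parameter, the file name, and the sample accounts are assumptions made for illustration.

```powershell
# Added example: classify accounts from objects shaped like Get-MsolUser output.
function Get-MfaAuditRow {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [string[]] $AdminUpn = @()   # assumption: UPNs of privileged accounts, supplied by the caller
    )
    process {
        # Per-user requirement state: 'Enabled' or 'Enforced'; empty when MFA is not required.
        $state = $User.StrongAuthenticationRequirements |
            ForEach-Object { $_.State } | Select-Object -First 1
        if (-not $state) { $state = 'Disabled' }

        # Default verification method the user has registered, if any.
        $method = $User.StrongAuthenticationMethods |
            Where-Object { $_.IsDefault } | ForEach-Object { $_.MethodType } |
            Select-Object -First 1
        if (-not $method) { $method = 'None' }

        $isAdmin = $AdminUpn -contains $User.UserPrincipalName
        $finding = if ($isAdmin -and $state -eq 'Disabled') { 'Privileged account without required MFA' }
            elseif ($state -ne 'Disabled' -and $method -eq 'None') { 'MFA required, no method registered' }
            elseif ($state -eq 'Disabled' -and $method -ne 'None') { 'Method registered, MFA not required' }
            elseif ($state -eq 'Disabled') { 'No MFA' }
            else { 'OK' }

        [pscustomobject]@{
            UserPrincipalName = $User.UserPrincipalName
            RequirementState  = $state
            DefaultMethod     = $method
            IsAdmin           = $isAdmin
            Finding           = $finding
        }
    }
}

# Constructed sample objects (not real accounts) with the Get-MsolUser properties used above.
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'admin@example.onmicrosoft.com'
        StrongAuthenticationRequirements = @()
        StrongAuthenticationMethods      = @() },
    [pscustomobject]@{ UserPrincipalName = 'user1@example.onmicrosoft.com'
        StrongAuthenticationRequirements = @([pscustomobject]@{ State = 'Enforced' })
        StrongAuthenticationMethods      = @([pscustomobject]@{ IsDefault = $true; MethodType = 'PhoneAppNotification' }) }
)
$sample | Get-MfaAuditRow -AdminUpn 'admin@example.onmicrosoft.com' |
    Export-Csv -Path .\mfa-before-change.csv -NoTypeInformation
```

Against a live tenant, pipe Get-MsolUser -All into Get-MfaAuditRow instead of $sample. The admin list can be built with Get-MsolRole -RoleName 'Company Administrator' and Get-MsolRoleMember, using the EmailAddress of each member.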

In this article, we assume that you manage MFA on a per-user basis (per-user MFA), and not using Azure Conditional Access. If you have Azure AD Premium plan 1 or 2 licenses, you can configure Azure MFA using Azure Conditional Access policies (Azure portal > Conditional Access Policies).

Here you can create and configure advanced security policies with MFA. For example, you can enforce MFA for the Global Administrators, or disable MFA for a specific account (such as one used by a legacy application that does not support MFA).

I enjoy technology and developing websites. Since 2012 I'm running a few of my own websites, and share useful content on gadgets, PC administration and website promotion.
Latest posts by Cyril Kardashevsky (see all)
