Multi-Factor Authentication (MFA) in Microsoft 365 (formerly Office 365) is an authentication method that requires more than one factor to authenticate a user. MFA provides additional security when performing user authentication. In this article, we’ll take a look at how to disable MFA in Microsoft 365 for multiple users or a single one.
MFA in Microsoft 365 is based on the Azure Multi-Factor Authentication service. In addition to the password, Microsoft 365 users are encouraged to use one (or several) of the following MFA verification methods:
- Confirmation with a one-time password via SMS message;
- Confirmation of one-time password by a phone call;
- Using the Microsoft Authenticator mobile app (available in Google Play for Android and App Store for iOS devices). In the Microsoft Authenticator app, you can use a one-time password (6 digits) for sign-in confirmation.
Important. Microsoft recommends that you always use MFA to protect user accounts from phishing attacks and compromised passwords.
MFA is currently enabled by default for all new Azure tenants. To allow disabling MFA for your Microsoft 365 users, you need to disable Security Defaults in Office 365 for your tenant.
Note. Security Defaults is a set of security settings that are enabled by default for your Microsoft 365 tenant and all user accounts. One of the enabled Azure Security Defaults options requires each user and administrator to configure Multi-Factor Authentication on first sign-in (a request to configure MFA appears on each user sign-in).
To disable Security Defaults in Azure:
- Go to the Azure Portal https://portal.azure.com and sign in with the global admin account for your tenant;
- Go to Azure Active Directory > Properties and click the Manage Security Defaults link;
- The Enable security defaults switch (Yes/No) will appear;
- Change its value to No and specify one of the reasons why you are disabling this security mechanism;
- After that, users will no longer be prompted to set up Multi-Factor Authentication every time they sign in.
Now you can disable MFA for a user through the Microsoft 365 Admin Center web interface or by using PowerShell.
Disable MFA Through the Microsoft 365 Admin Center Portal
- Go to Microsoft 365 Admin Center (https://admin.microsoft.com/) and sign in under an account with tenant Global administrator permissions;
- Go to Users > Active Users;
- Click on Multi-factor authentication;
- A page will appear with a list of users in your Microsoft 365 tenant and the MFA status for each of them (this window doesn’t show if the user has completed the MFA process and it doesn’t indicate which MFA authorization option the user enabled);
- To disable MFA for a user, select that user in the list;
- Several buttons will appear in the right column (Quick Steps) which allow you to enable, disable MFA, or configure user settings;
- Click on Disable and confirm to disable MFA for the user.
On the Service Settings tab, you can configure additional MFA options.
Here you can:
- Add a list of trusted IP subnets from which users don’t need to use MFA;
- Enable/disable certain MFA methods;
- Allow users to remember multi-factor authentication on devices they trust (from one to 365 days).
How to Disable MFA in Microsoft 365 with PowerShell?
You can enable or disable MFA for a Microsoft 365 (Office 365) user using PowerShell. To accomplish this task, you need to use the MSOnline PowerShell module.
Check if the MSOnline module is installed on your computer:
Get-Module -ListAvailable -Name MSOnline
If the module is missing, install it:
Install-Module MSOnline
Connect to your Microsoft 365 tenant:
$MSOCred = Get-Credential
Connect-MsolService -Credential $MSOCred
Hint. The Get-MsolUser cmdlet is used in the MSOnline module to get the user account details.
To check if MFA is enabled or disabled for a specific user, run the commands:
$user = Get-MsolUser -UserPrincipalName PattiF@theitbros.onmicrosoft.com
$user | select DisplayName,UserPrincipalName,@{N="MFA Status"; E={ if( $_.StrongAuthenticationMethods.IsDefault -eq $true) {($_.StrongAuthenticationMethods | Where IsDefault -eq $True).MethodType} else { "Disabled"}}}
In this example, MFA is enabled for the user through the Microsoft Authenticator mobile app (PhoneAppNotification).
Hint. One of four MFA methods can be enabled for the user:
- PhoneAppOTP
- PhoneAppNotification
- OneWaySMS
- TwoWayVoiceMobile
To display the MFA status for all Microsoft 365 tenant users, run:
$users = Get-MsolUser -All
$users | select DisplayName,UserPrincipalName,@{N="MFA Status"; E={ if( $_.StrongAuthenticationMethods.IsDefault -eq $true) {($_.StrongAuthenticationMethods | Where IsDefault -eq $True).MethodType} else { "Disabled"}}} | Format-Table
This PowerShell script returns MFA Status = Disabled if MFA is not configured for the user or is disabled. If MFA is enabled, this field indicates which authentication method is configured for the user.
To disable MFA for a specific user, run the command:
Get-MsolUser -UserPrincipalName PattiF@theitbros.onmicrosoft.com| Set-MsolUser -StrongAuthenticationRequirements @()
In order to disable MFA for all Microsoft 365 user accounts:
Get-MsolUser -All | Set-MsolUser -StrongAuthenticationRequirements @()
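Before running either command, it helps to record each account's current per-user MFA state so the change can be audited and reverted later. The following is an added example, not code from the original article: the function name Get-MfaStateReport and the sample accounts are constructed, and it assumes the input objects carry the same StrongAuthenticationRequirements and StrongAuthenticationMethods properties used in the commands above.

```powershell
function Get-MfaStateReport {
    [CmdletBinding()]
    param(
        # User objects shaped like Get-MsolUser output (assumption of this example)
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$User
    )
    process {
        # An empty StrongAuthenticationRequirements collection means per-user MFA is disabled
        $req = @($User.StrongAuthenticationRequirements) | Where-Object { $_ } | Select-Object -First 1
        $state = if ($req) { $req.State } else { 'Disabled' }
        # The registered default method is reported separately from the enforcement state
        $def = @($User.StrongAuthenticationMethods) | Where-Object { $_ -and $_.IsDefault } | Select-Object -First 1
        $method = if ($def) { $def.MethodType } else { 'None' }
        [pscustomobject]@{
            UserPrincipalName = $User.UserPrincipalName
            DisplayName       = $User.DisplayName
            MfaState          = $state
            DefaultMethod     = $method
        }
    }
}

# Constructed sample objects (not real accounts) so the function can be tried offline
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@example.test'; DisplayName = 'Alice'
        StrongAuthenticationRequirements = @([pscustomobject]@{ State = 'Enforced' })
        StrongAuthenticationMethods = @([pscustomobject]@{ MethodType = 'PhoneAppNotification'; IsDefault = $true }) },
    [pscustomobject]@{ UserPrincipalName = 'bob@example.test'; DisplayName = 'Bob'
        StrongAuthenticationRequirements = @()
        StrongAuthenticationMethods = @([pscustomobject]@{ MethodType = 'OneWaySMS'; IsDefault = $true }) },
    [pscustomobject]@{ UserPrincipalName = 'carol@example.test'; DisplayName = 'Carol'
        StrongAuthenticationRequirements = @()
        StrongAuthenticationMethods = @() }
)

$report = $sample | Get-MfaStateReport
$report | Format-Table -AutoSize
# In a connected session (after Connect-MsolService), save the state before changing it:
# Get-MsolUser -All | Get-MfaStateReport | Export-Csv .\mfa-state-before.csv -NoTypeInformation
```

The constructed account for Bob shows why both columns matter: a default method is registered, but no per-user requirement is set, so MFA is not being demanded at sign-in.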
In this article, we assume that you manage MFA on a per-user basis (per-user MFA), and not using Azure Conditional Access. If you have Azure AD Premium plan 1 or 2 licenses, you can configure Azure MFA using Azure Conditional Access policies (Azure portal > Conditional Access Policies).
Here you can create and configure advanced security policies with MFA. For example, you can enforce MFA for the Global Administrators, or disable MFA for a specific account (such as one used by legacy applications that do not support MFA).
1 comment
Where are the trusted IPs?
What “Service Settings” tab?
Please explain the path to the configurations better.