A username and password alone are no longer considered a sufficient way to authenticate a user to an application or service. Modern applications should use Multi-Factor Authentication (MFA) to add a second verification step to the sign-in process. Azure Active Directory supports several MFA verification methods: a phone call, a text message with a one-time code, or a notification or code from a mobile authenticator app. In this article, we'll take a look at how to enable or disable MFA for users in Azure Active Directory.
Hint. In Azure AD, you can also manage MFA through Azure AD Conditional Access policies, which require an Azure AD Premium P1 license. A Conditional Access policy also lets you require MFA for all Global Administrator accounts. For the purposes of this article, we assume you are managing MFA on a per-user basis and not through Conditional Access.
By default, Azure Security Defaults are enabled on all new Azure AD tenants, and they require every user to register for Azure AD Multi-Factor Authentication. Users have 14 days to complete the registration with the Microsoft Authenticator app; after 14 days, a user who has not registered cannot sign in until the registration is complete.
If you do not want MFA registration to be enforced for all tenant users this way, disable Security Defaults:
- Sign in to the Azure Portal and navigate to Azure Active Directory > Properties > Manage Security Defaults;
- Set Enable Security defaults = No;
- Save your changes.
You can now enable or disable MFA on a per-user basis from the portal:
- Go to Azure AD > Users;
- Click the Per-user MFA link;
- Find and select the user in the new window, then use the buttons in the quick steps panel on the right to enable or disable MFA for that user. Note that the per-user setting only takes effect if MFA is not already required by Security Defaults or a Conditional Access policy.
You can also enable or disable MFA for Azure AD users with the MSOnline PowerShell module. Microsoft has since deprecated MSOnline in favor of the Microsoft Graph PowerShell SDK, but the per-user MFA model below is the same.
Install the PowerShell module and connect to your Azure tenant:
Install-Module MSOnline
Connect-MsolService
To disable MFA for a single user, assign an empty set of strong authentication requirements (this clears both the Enabled and Enforced states):
Get-MsolUser -UserPrincipalName "Alex.Brown@theitbros.com" | Set-MsolUser -StrongAuthenticationRequirements @()
If you need to enable MFA for an Azure AD user, create a StrongAuthenticationRequirement object that applies to all relying parties ("*"), set its state to Enabled, and assign it to the user:
# Build the per-user MFA requirement
$mfa_req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$mfa_req.RelyingParty = "*"
$mfa_req.State = "Enabled"   # use "Enforced" to skip the user's grace period
# Assign the requirement (the parameter expects an array)
Set-MsolUser -UserPrincipalName "Alex.Brown@theitbros.com" -StrongAuthenticationRequirements @($mfa_req)
Hint. You can get MFA status for all Azure AD users using the PowerShell script described in the post Disabling MFA in Microsoft (Office) 365.
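The following script is an added example, not code from the original article or the referenced post. It combines the two tasks described above: it reports the per-user MFA state and registered methods for every user in the tenant, then enables MFA only for the listed accounts that currently have it disabled, so that accounts already in the Enforced state are not downgraded to Enabled. It assumes you have already run Connect-MsolService; the UPNs in $targets are constructed sample values.

```powershell
# Added example: inventory per-user MFA state, then enable MFA where it is off.
# Assumes Connect-MsolService has already been run. The UPNs below are
# constructed sample values, not real accounts.
$targets = @("Alex.Brown@theitbros.com", "Jane.Doe@theitbros.com")

function Get-PerUserMfaState {
    # Returns "Disabled", "Enabled" or "Enforced" for an MSOnline user object.
    param([Parameter(Mandatory)] $User)
    $req = $User.StrongAuthenticationRequirements
    if ($null -eq $req -or $req.Count -eq 0) { return "Disabled" }
    return $req[0].State
}

# 1. Inventory: list every user's MFA state and the methods they have registered.
$report = Get-MsolUser -All | ForEach-Object {
    [pscustomobject]@{
        UserPrincipalName = $_.UserPrincipalName
        MfaState          = Get-PerUserMfaState $_
        RegisteredMethods = ($_.StrongAuthenticationMethods |
                             Select-Object -ExpandProperty MethodType) -join ","
    }
}
$report | Sort-Object MfaState | Format-Table -AutoSize

# 2. Enable MFA for the target accounts, skipping those already Enabled or Enforced.
foreach ($upn in $targets) {
    $user = Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue
    if (-not $user) {
        Write-Warning "User $upn not found in the tenant; skipping"
        continue
    }
    $state = Get-PerUserMfaState $user
    if ($state -ne "Disabled") {
        Write-Host "$upn already has MFA state '$state'; leaving it unchanged"
        continue
    }
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = "*"
    $req.State = "Enabled"
    Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements @($req)
    Write-Host "MFA enabled for $upn"
}
```

Run the inventory step on its own first to see which accounts have no registered methods: an account that is Enabled but has registered nothing will be prompted to register at its next sign-in, whereas an account set to Enforced with no methods registered will be blocked until it completes registration.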