Is it possible to temporarily disable the MFA requirement for accessing the Security Info section of myaccount.microsoft.com for all my users?

Woody Chiu at RASI 191 Reputation points
2023-05-06T16:13:43.09+00:00

Hi there,

Is it possible to temporarily disable the MFA requirement specifically for accessing the "Security Info" section of myaccount.microsoft.com for all my store managers?

The reason why I want to do that is that I want to access the "Security Info" sections to register all their individual security keys (YubiKey) on their behalf so that the store managers who have little computer literacy don't need to do that.

I think I figured out how to tweak the existing Conditional Policies I have to bypass MFA. However, it appears that MFA is still being prompted as soon as I try to access the "Security Info" section for any users if those users already have had at least one MFA method registered on their Security Info in myaccount.microsoft.com portal.

Without being able to temporarily bypass the MFA requirements for the "Security Info" sections, I will need to get each of the 142 store managers on the phone with me to approve my sign-in while I register their security keys. That's a pain in the ass!

Hope you can do the magic for me!

Very much appreciated!

Woody


5 answers

  1. Konstantinos Passadis 17,376 Reputation points MVP
    2023-05-06T17:04:11.1566667+00:00

    Hello @Woody Chiu at RASI !

    Is the MFA applied from a Conditional Access?

    If so:

    • Go to the Azure portal and navigate to Azure Active Directory > Conditional Access.
    • Click on the "New policy" button to create a new policy.
    • Give the policy a name and description that indicates it's for exempting store managers from MFA for a specific period of time.
    • Under "Users and groups," select the store managers you want to exempt from MFA.
    • Under "Cloud apps or actions," select "All cloud apps."
    • Under "Conditions," select "Device platforms" and choose the platform(s) that the store managers will use to access myaccount.microsoft.com.
    • Under "Access controls," select "Grant" and choose "Grant access without requiring multi-factor authentication."
    • Under "Enforcement," select "On" and set the duration of the exemption period.
    • Click on the "Create" button to create the policy.

    Otherwise, and if you have Azure Free plan, the only way to do that is on Organizational Level (not recommended).

    One option would be to use Azure Active Directory (Azure AD) self-service password reset (SSPR) to register the YubiKeys for your store managers. With Azure AD SSPR, users can reset their passwords or unlock their accounts themselves, which can include registering and managing their own MFA methods, such as YubiKeys.

    You can configure SSPR policies to allow users to register and manage their own MFA methods, or you can perform bulk registration of YubiKeys for your store managers using PowerShell or other automation tools. This would eliminate the need for you to have to go through each store manager individually and would still ensure that MFA requirements are in place for all accounts.

    Alternatively, you may want to consider providing some basic computer literacy training to your store managers, so that they can register their own YubiKeys or other MFA methods. This may be more time-consuming initially but would be a better long-term solution for ensuring the security of your accounts.


    The answer or portions of it may have been assisted by AI Source: ChatGPT Subscription

    Kindly mark the answer as Accepted and Upvote in case it helped or post your feedback to help !

    Regards


  2. Konstantinos Passadis 17,376 Reputation points MVP
    2023-05-06T20:33:44.3433333+00:00

    Hello @Woody Chiu at RASI !

    For Enforced, it means Enabled (Report Only, On, Off), but I see the issue and I think I know where it comes from!

    Check Security Defaults and Per User MFA

    I think the Defaults is the problem

    Careful when disabling them, just verify MFA is active with a CA Policy exempting those Users!

    I hope this helps!

    Kindly mark the answer as Accepted and Upvote in case it helped!

    Regards



  3. Konstantinos Passadis 17,376 Reputation points MVP
    2023-05-07T15:13:11.5233333+00:00

    Hello @Woody Chiu at RASI !

    We can have the easy way to solve this!

    So go to CA Policies and see the What If. This is a what happens if this ... so try to enter info that the x user is logging into the x app, and see which policies are in effect, see my screenshot

    This way you can rule out and narrow the specific CA that affects the users, also check as I said the Per User MFA in my previous answer in case they are enforced already!

    Kindly mark the answer as Accepted and Upvote in case it helped or post your feedback to help !

    Regards



  4. Konstantinos Passadis 17,376 Reputation points MVP
    2023-05-07T16:31:58.5266667+00:00

    Hello @Woody Chiu at RASI !

    Yes there are ways

    Please go to the WHAT IF, to check what is affecting the Log on process for specific users; you will get a clear image and then you can exclude users from the Affecting Policy

    Please go to Per User MFA I showed twice to check the Status there, it could be Enforced, that's why MFA insists on appearing!

    Kindly check these options, it is mandatory for us who do not have clear view to help!

    ALSO from 365 Portal, all possible MFA Setups (The Legacy is the PER User):

    User's image

    Kindly mark the answer as Accepted and Upvote in case it helped or post your feedback to help !

    Regards
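
The What If check suggested in answers 3 and 4, sketched offline as an added example (it is not part of the thread and is not Microsoft's evaluation engine). It assumes policies exported as JSON in the shape of Microsoft Graph `conditionalAccessPolicy` objects; the sample policies, user and group IDs are constructed, and only user/group assignment, cloud apps or user actions, and the MFA grant control are modelled (locations, platforms, roles and risk conditions are ignored).

```python
import json

# Constructed sample shaped like Microsoft Graph conditionalAccessPolicy objects
# (GET /identity/conditionalAccess/policies). All names and IDs are made up.
POLICIES = json.loads("""[
 {"displayName": "Require MFA - all users", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"], "excludeGroups": ["grp-breakglass"]},
                 "applications": {"includeApplications": ["All"]}},
  "grantControls": {"builtInControls": ["mfa"]}},
 {"displayName": "MFA to register security info", "state": "enabled",
  "conditions": {"users": {"includeGroups": ["grp-store-managers"]},
                 "applications": {"includeUserActions": ["urn:user:registersecurityinfo"]}},
  "grantControls": {"builtInControls": ["mfa"]}},
 {"displayName": "Pilot - MFA for store managers", "state": "enabledForReportingButNotEnforced",
  "conditions": {"users": {"includeGroups": ["grp-store-managers"]},
                 "applications": {"includeApplications": ["All"]}},
  "grantControls": {"builtInControls": ["mfa"]}},
 {"displayName": "Block legacy auth", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"]},
                 "applications": {"includeApplications": ["All"]}},
  "grantControls": {"builtInControls": ["block"]}}
]""")
REGISTER_SECURITY_INFO = "urn:user:registersecurityinfo"

def targets_user(users, user_id, groups):
    """Exclusions win over inclusions, as in Conditional Access assignments."""
    if user_id in users.get("excludeUsers", []) or groups & set(users.get("excludeGroups", [])):
        return False
    included = users.get("includeUsers", [])
    return ("All" in included or user_id in included
            or bool(groups & set(users.get("includeGroups", []))))

def targets_request(apps, app_id, user_action):
    """A policy is scoped either to cloud apps or to user actions."""
    if user_action is not None:
        return user_action in apps.get("includeUserActions", [])
    if app_id in apps.get("excludeApplications", []):
        return False
    included = apps.get("includeApplications", [])
    return "All" in included or app_id in included

def what_if(policies, user_id, groups, app_id=None, user_action=None):
    """Return (enforced, report_only) names of policies that demand MFA."""
    result = {"enabled": [], "enabledForReportingButNotEnforced": []}
    for p in policies:
        cond = p.get("conditions", {})
        if ("mfa" in (p.get("grantControls") or {}).get("builtInControls", [])
                and p.get("state") in result
                and targets_user(cond.get("users", {}), user_id, set(groups))
                and targets_request(cond.get("applications", {}), app_id, user_action)):
            result[p["state"]].append(p["displayName"])
    return result["enabled"], result["enabledForReportingButNotEnforced"]
```

Security Defaults and per-user MFA, which answer 2 points to, are not Conditional Access policies and will not show up in this output, so an empty result here does not mean nothing is prompting for MFA.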


  5. Konstantinos Passadis 17,376 Reputation points MVP
    2023-05-07T18:18:43.75+00:00

    Hello @Woody Chiu at RASI !

    Ok, now we know this info, great

    Go to Identity Protection and check the configuration there!


    If nothing is prompting MFA, I suggest:

    Go to Security Info, and verify that there is correct info on the methods used

    Update if needed and configure MS Authenticator and SMS only for a Test user

    Sign out from everywhere (Important!) and retry

    Kindly post feedback !

    Kindly mark the answer as Accepted and Upvote in case it helped or post your feedback to help !

    Regards