Is that possible to temporarily disable the MFA requirement for accessing the Security Info section of myaccount.microsoft.com for all my users?.

Question

Is that possible to temporarily disable the MFA requirement for accessing the Security Info section of myaccount.microsoft.com for all my users?.

Woody Chiu at RASI 226

Hi there,

Is that possible to temporarily disable the MFA requirement specifically for accessing the "Security Info" section of myaccount.microsoft.com for all my store managers?

The reason why I want to do that is that I want to access the "Security Info" sections to register all their individual security keys (YubiKey) on their behalf so that the store managers who have little computer literacy don't need to do that.

I think I figured out how to tweak the existing Conditional Policies I have to bypass MFA. However, it appears that MFA is still being prompted as soon as I try to access the "Security Info" section for any users if those users already have had at least one MFA method registered on their Security Info in myaccount.microsoft.com portal.

Without being able to temporarily bypass the MFA requirements for the "Security Info" sections, I will need to get each of the 142 store managers on the phone with me to approve my sign-in while I register their security keys. That's a pain in the ass!

Hope you can do the magic for me!

Very much appreciated!

Woody

5 answers

Your answer

Answer 1

Konstantinos Passadis 19,596 MVP

Hello @Woody Chiu at RASI !

Is the MFA applied from a Conditional Access ?

If so :

Go to the Azure portal and navigate to Azure Active Directory > Conditional Access.

Click on the "New policy" button to create a new policy.

Give the policy a name and description that indicates it's for exempting store managers from MFA for a specific period of time.

Under "Users and groups," select the store managers you want to exempt from MFA.

Under "Cloud apps or actions," select "All cloud apps."

Under "Conditions," select "Device platforms" and choose the platform(s) that the store managers will use to access myaccount.microsoft.com.

Under "Access controls," select "Grant" and choose "Grant access without requiring multi-factor authentication."

Under "Enforcement," select "On" and set the duration of the exemption period.

Click on the "Create" button to create the policy.

Otherwise and if you have Azure Free plan , only way to d that on Organizaional Level (NOt recommended)

One option would be to use Azure Active Directory (Azure AD) self-service password reset (SSPR) to register the YubiKeys for your store managers. With Azure AD SSPR, users can reset their passwords or unlock their accounts themselves, which can include registering and managing their own MFA methods, such as YubiKeys.

You can configure SSPR policies to allow users to register and manage their own MFA methods, or you can perform bulk registration of YubiKeys for your store managers using PowerShell or other automation tools. This would eliminate the need for you to have to go through each store manager individually and would still ensure that MFA requirements are in place for all accounts.

Alternatively, you may want to consider providing some basic computer literacy training to your store managers, so that they can register their own YubiKeys or other MFA methods. This may be more time-consuming initially but would be a better long-term solution for ensuring the security of your accounts.

The answer or portions of it may have been assisted by AI Source: ChatGPT Subscription

Kindly mark the answer as Accepted and Upvote in case it helped or post your feedback to help !

Regards

Woody Chiu at RASI 226 Reputation points

2023-05-06T19:59:20.9933333+00:00

I tried to follow through with your first option to create a CAP which I already have a similar CAP setup prior. The only thing I notice differently is the last step you mentioned turning on the Enforcement. However, I could not even find the "Enforcement" section at all. Please see the attached image on the settings for "Grant".

Where is the "Enforcement"? I cannot find it!

My prior similar CAP didn't get to work and that had no "Enforcement" defined compared to your suggested configurations. I thought that would be it but I cannot even find the "Enforcement" section under "Grant". I hope it's I missed it only. Please advise where to find it.

Regarding SSPR, I don't want to try that for now as we have not even enabled SSPR for users anyway for security concerns.

One thing I want to point out is that we have already enabled Windows Hello for Business for All Users. With that turned on, would that affects how I can temporarily disable MFA for accessing "Security Info" on myaccount.microsoft.com portals for all users?

The second I want to point out is that I already successfully bypassed all the MFA layers of protection by tweaking my existing CAPs. In spite of those successful bypasses, I still got prompted to provide Authenticator App approval while trying to get into the "Security Info" section on myaccount.microsoft.com portal for all users.

Is there really a way to enforce a CAP to bypass the MFA required to access "Security Info" at all? I really hope there is a way.

Please advise again!

Woody
Woody Chiu at RASI 226 Reputation points

2023-05-06T20:20:43.92+00:00

Supplementary to my previous comment, I found this diagnostic in my Sign-in log.

Hope that provides you with more insights about my issue.

Thanks,

Woody
Konstantinos Passadis 19,596 Reputation points MVP

2023-05-06T20:28:19.46+00:00

It means Enable Policy !

Please check Security Defaults Is it Enabled ? Mostly i think this is the problem !

Carefully there , if you decide to disable , make sure the CA Policy is working for all other users and excempt the Group of users , or users you want .

If you need help send feedback !

Also Per User MFA , is it Enforced for all Users ?

I hope this helps!

Kindly mark the answer as Accepted and Upvote in case it helped!

Regards
Woody Chiu at RASI 226 Reputation points

2023-05-06T21:02:44.8833333+00:00

The image above is captured from my tenant in Azure. Does it mean Security defaults are on in our tenant in Azure? That switch looks like is for Access management, not Security defaults. It seems I cannot see the hyperlink "Manage security defaults" that is on your image. Is that possible as I am in a "Global Admin" role already?

Also, what would be the custom CAPs I should have in place to protect my tenant while I disable the "Security defaults" to test if I can access the "Security Info" section without being asked for MFA? Do you think you can list those necessary CAPs out here? I will make sure I have those CAPs set up prior to disabling Security defaults. Don't want to risk the security of our entire tenant!

Thanks,

Woody

Answer 2

Konstantinos Passadis 19,596 MVP

Hello @Woody Chiu at RASI !

For Enforced it means Enabled ( Report Only , On , Off) but i see the issue and i thik i know where it comes from !

Check Security Defaults and Per User MFA

I think the Deafults is the problem

Careful when disabling them , just verify MFA is active with a CA Policy excempting those Users!

I hope this helps!

Kindly mark the answer as Accepted and Upvote in case it helped!

Regards

User's image

Woody Chiu at RASI 226 Reputation points

2023-05-06T21:43:16.15+00:00

The image above is captured from my tenant in Azure. Does it mean Security defaults are on in our tenant in Azure? That switch looks like is for Access management, not Security defaults. It seems I cannot see the hyperlink "Manage security defaults" that is on your image. Is that possible as I am in a "Global Admin" role already?

Also, what would be the custom CAPs I should have in place to protect my tenant while I disable the "Security defaults" to test if I can access the "Security Info" section without being asked for MFA? Do you think you can list those necessary CAPs out here? I will make sure I have those CAPs set up prior to disabling Security defaults. Don't want to risk the security of our entire tenant!

Thanks,

Woody
Woody Chiu at RASI 226 Reputation points

2023-05-06T21:50:22.62+00:00

Supplementary to my previous comment, I think I missed the last line of the screen capture. I think that line says our Security defaults are Off because we have CAPs in place. So, what else can be preventing me from disabling the MFA enforcement when accessing the "Security Info" of all users?

Thanks!
Woody Chiu at RASI 226 Reputation points

2023-05-06T22:50:36.52+00:00

Supplementary to my previous comments, FYI, I also see this extra explanation inside the Diagnostic results of my User Sign-in logs. Please see the following.

Answer 3

Konstantinos Passadis 19,596 MVP

Hello @Woody Chiu at RASI !

We can have the easy way to solve this!

So go to CA Policies and see the What If . This is a what happens if this ... so try to enter info that the x user is logging into the x app , and see which policies are in effect , see my screenshot

THis way you can rule out and narrow the specific CA that affects the users , also check as i said the Per User MFA in my previous answer in case thee are enforced already !

Kindly mark the answer as Accepted and Upvote in case it helped or post your feedback to help !

Regards

User's image

Woody Chiu at RASI 226 Reputation points

2023-05-07T16:14:35.0466667+00:00

This is the sign-in log of the tester account. Notice that the last incidence of the last attempt yesterday trying to get into the "Security Info" section. It shows that it was a multifactor authentication and get interrupted because I didn't respond to the MFA approval request.

The above shows the last incidence is "Authentication in progress" which is awaiting the MFA approval with no response, and that turned out to fail.

Conditional Access details show access is granted successfully without MFA requirement as the user account, machine type, and location matched.

Apparently, the logs show sign-in access was granted but it failed at the end to access My-SignIn App which refers to the "Security Info" section due to MFA.

So, it looks like the "Security Info" section by itself enforce MFA which does not originate from any existing CAPs.

Am I correct? If that's true, do I still have any other options to disable it?

Thanks,

Woody

Answer 4

Konstantinos Passadis 19,596 MVP

Hello @Woody Chiu at RASI !

Yes there are ways

Please go to the WHAT IF , to check what is affecting the Log on process for specific users you will get clear image and then you can exclude users from the Affecting Policy

Please go to Per User MFA i showed twice to check the Status there , it could be Enforced thtas why MFA insists on appearing !

Kinldy check these options , it is mandatory for us who do not have clear view to help !

ALSO from 365 Portal , all possible MFA Setups ( The Legacy is the PER User) :

User's image

Kindly mark the answer as Accepted and Upvote in case it helped or post your feedback to help !

Regards

Woody Chiu at RASI 226 Reputation points

2023-05-07T17:55:17.8433333+00:00

I just temporarily turned off all CAPs.

I also checked per-user MFA for the tester account. That is disabled.

Still, the "Security Info" section asks for MFA approval!

Any idea?

Answer 5

Konstantinos Passadis 19,596 MVP

Hello @Woody Chiu at RASI !

Ok now we know this info , great

Go to Identity Protection and check the configuration there !

User's image

If nothing is prompting MFA i suggest :

Go to Security Info , and verify that there is correct info on the methods used

Update if needed and configure MS Authenticator and SMS only for a Test user

Sign out from everywhere ( Important !) and re try

Kindly post feedback !

Kindly mark the answer as Accepted and Upvote in case it helped or post your feedback to help !

Regards

Konstantinos Passadis 19,596 Reputation points MVP

2023-05-07T18:27:31.3533333+00:00

I am concerned that there is a chance that these users have not completed the Registration procedure or the MFA methods are not correctly entered or completed.

Does this happens to everyone on the Tenant ?

Regards
Woody Chiu at RASI 226 Reputation points

2023-05-08T00:21:02.98+00:00
Woody Chiu at RASI 226 Reputation points

2023-05-08T00:33:55.7933333+00:00

Reply to your previous question. Yes, I know this is the same situation for everyone when they trying to access the "Security Info" section of their myaccount.microsoft.com portal.

I also remember I am pretty sure I read an article that mentioned the setup this way is by design because "Security Info" contains highly sensitive configurations and registration info for MFA for each account. That MFA requirement doesn't look like is controlled by any Conditional Policies. It looks like to me that is hard-coded.

I was trying to verify with Microsoft or you if there is any way that can be temporarily turned off or not particular in my situation of having security key rollouts!

Woody
Konstantinos Passadis 19,596 Reputation points MVP

2023-05-08T15:28:49.0833333+00:00

Hello @Woody Chiu at RASI !

Yes i see! At this point i have tested mine and everyone can access the Security Info without MFA

So i suggest a quick ticket to get answers on the why ! What does the Azyre log says when you get the access on the page ? particullarly on the authentication

I hope this helps!

Kindly mark the answer as Accepted and Upvote in case it helped!

Regards
Woody Chiu at RASI 226 Reputation points

2023-05-11T15:25:06.1266667+00:00

Hi @Konstantinos Passadis ,

Just wondering if you guys have enabled passwordless signin? I meant Windows Hello for Business Cloud Trust. Would that make any difference?

Thanks,

Woody

Share via

Is that possible to temporarily disable the MFA requirement for accessing the Security Info section of myaccount.microsoft.com for all my users?.

5 answers

Your answer