Is it possible to bypass MFA for a user who selected to opt out of MFA at the time of signup?

Santosh Kumar Pandey 20 Reputation points
2023-07-27T05:20:40.0266667+00:00

Hi All -

I have a custom page where a user is allowed to opt in to or opt out of MFA by selecting a radio button. Since MFA is enforced at the org/tenant level, it is asking each user to complete MFA. I wanted to know whether there are any possibilities to bypass MFA for those users who opted out of MFA at the time of sign-up, by using a custom policy or Conditional Access. We are using the Azure Portal.

Tags: Azure, Microsoft Entra External ID, Microsoft Entra ID

Accepted answer
  1. Will 400 Reputation points
    2023-07-27T16:55:54.63+00:00

    You would need to create or modify the Conditional Access policy for MFA and exempt those users either explicitly (one by one) or via a group (AD or Azure AD) and add your wayward users there.

    I recommend the group option as it's easier for IT/security admins to audit without having to go explicitly to the CA policy each time.

    From a cybersecurity perspective, typically you would not want to exclude anyone from MFA, but if there's a justified reason approved by your security team, you should tailor the CA policy to exactly who, where and what they are.

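The group-based exemption described in the answer, as an added example that is not part of the original thread or of any Microsoft sample: it creates the exclusion group, creates the tenant-wide MFA policy with that group excluded, and then prints the audit view the answer refers to (the policy's exclusions and the group's current members). It uses the Microsoft Graph PowerShell SDK; the group name "CA-MFA-OptOut", its mail nickname and the policy display name are assumptions. The policy is created in report-only mode so its effect can be reviewed in the sign-in logs before it is enforced. One practical caveat: if the existing tenant-level MFA enforcement is Security Defaults rather than a Conditional Access policy, Security Defaults must be turned off first, because the two cannot be combined.

```powershell
# Added example (not from the original thread). Names of the group and policy are assumptions.
Import-Module Microsoft.Graph.Groups
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.SignIns

# Scopes needed to create a group and to read/write Conditional Access policies.
Connect-MgGraph -Scopes "Group.ReadWrite.All","Policy.Read.All","Policy.ReadWrite.ConditionalAccess"

# 1. A security group that holds the exempted accounts (the "group option" from the answer).
#    Membership of this group is the audit trail: anyone in it skips the MFA requirement.
$exemptGroup = New-MgGroup -DisplayName "CA-MFA-OptOut" `
    -Description "Users exempted from the tenant MFA policy (requires security-team approval)" `
    -MailEnabled:$false -MailNickname "ca-mfa-optout" -SecurityEnabled

# 2. The MFA policy: all users, all cloud apps, MFA required, except members of the group above.
#    Report-only state first; switch to "enabled" once the sign-in logs look right.
$policy = @{
    displayName   = "Require MFA for all users (exempt CA-MFA-OptOut)"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{
            includeUsers  = @("All")
            excludeGroups = @($exemptGroup.Id)
        }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# 3. Audit: re-read the policy, confirm which groups it excludes, and list who is in the exempt group.
$live = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
"Policy '$($live.DisplayName)' state=$($live.State) excludeGroups=$($live.Conditions.Users.ExcludeGroups -join ',')"
Get-MgGroupMember -GroupId $exemptGroup.Id -All |
    ForEach-Object { Get-MgUser -UserId $_.Id -Property DisplayName,UserPrincipalName } |
    Select-Object DisplayName, UserPrincipalName
```

Adding an opted-out user to the exemption is then a single group-membership change (for example `New-MgGroupMember -GroupId $exemptGroup.Id -DirectoryObjectId <userId>`), and step 3 can be re-run at any time to review exactly who is exempt without opening the policy itself.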
