Cannot disable MFA on one user after migrating to Azure authentication

Question

I’ve been looking into migrating away from legacy MFA and SSPR as described here: https://learn.microsoft.com/en-us/azure/active-directory/authentication/how-to-authentication-methods-manage

We are currently using legacy MFA to enable 2 factor auth on user accounts. I cannot enable Security Defaults in Azure AD to enable MFA company wide - there are a few accounts that cannot have MFA enabled as users work in a secure location w/o phone access. We also have a few service accounts that send out emails automatically and can’t have MFA requirements on those automated emails. So we manually went into legacy MFA and enabled it on each account that required it.

Looking into the migration to Azure authentication methods, I can’t find any ability to disable MFA for individual users after migrating to the new Azure authentication methods policy. Seems like on the Azure AD free license, we will be allowed to turn on Security Defaults to enable MFA company wide, or not have MFA at all.

The only means I can find to disable MFA on a few accounts after migrating to the Azure authentication methods policy is through conditional access policies, which require an Azure AD P1 license.

So my question is: After migrating to Azure authentication methods, is there any way to disable MFA on a few accounts, other than using conditional access policies? We’d like to stay on the Azure AD free license, but still have the ability to disable MFA on a few accounts.

Thanks.

Answer 1

I havent seen anything to indicate per user MFA is going away, just the methods are being migrated:

https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates