How to create different types of service accounts properly with no MFA?

Sage Mirror 220 Reputation points


I would like to remove both MFA and Self-password reset (to remove the MFA registration requirement) to some accounts that are used as "service accounts".

For instance, some of them are just shared mailboxes, some are meeting rooms accounts, and others are for enrollment in autopilot (used to connect for the autopilot hash to be sent to Intune).

However, I can't exclude them from the Self-password reset because there is no "exclude group" function in it, and it's a dynamic group which is included, and add a rule to not include members from another group is not doable from what I could read.

I thought about adding a specific attribute to exclude with the dynamic rules in the account properties, but I am not sure if this is the best way to do it.

Could you provide me with some info about how to create and manage those kind of accounts properly please?

Thank you.

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,094 questions
0 comments No comments
{count} votes

Accepted answer
  1. Akhilesh 6,270 Reputation points Microsoft Vendor

    Hi @Sage Mirror

    Thank you for reaching us!
    For your query I understand that you are looking to remove MFA and self-password reset for some accounts that are used as "service accounts and you are unable to exclude group in Self-password reset.

    I understand your concern, that you want to exclude only a few accounts from the Self-Service Password Reset (SSPR) feature, but currently, the feature only allows you to include groups, not exclude them.
    Appreciate if you could share the feedback on our feedback recovery of access review via is closely monitored by our product team.
    However, as a work around you can consider using Conditional Access policies or custom attributes. you can create a Conditional Access policy that requires SSPR for all users, then create another policy that excludes the specific accounts from SSPR.

    Also, you could use custom attributes in Azure AD to flag the accounts you want to exclude, then use dynamic group membership rules to automatically include all accounts without this flag in the SSPR group.

    I hope this answer helps! If you have any further questions, please feel free to ask.



    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful