How to disable MFA on my Global Admin

john paul centeno 0 Reputation points
2023-12-24T09:35:52.1366667+00:00

Hi Microsoft,

I hope this email finds you well.

Please help us disable the MFA enabled on my Global Admin account, because it has locked me out of my own Global Admin account. I am the admin who performs the configuration of my tenant, but unfortunately, due to neglect, I did not set up the security of my Global Admin, and my Global Admin account was set to the default MFA enabled, which I do not have access to.

Thank you

Microsoft Security | Microsoft Entra | Microsoft Entra ID
Microsoft Security | Microsoft Authenticator

3 answers

  1. Andreas Baumgarten 123.5K Reputation points MVP Volunteer Moderator
    2023-12-24T10:00:02.71+00:00

    Hi @john paul centeno ,

    To disable MFA per user, you can do this in the Azure Portal: Change the status for a user

    A second option is to exclude the user from the Conditional Access policy: Conditional Access: Users, groups, and workload identities


    (If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

    Regards

    Andreas Baumgarten


  2. Thameur-BOURBITA 36,261 Reputation points Moderator
    2023-12-24T10:57:22.09+00:00

    Hi @john paul centeno

    It's recommended to exclude at least two accounts (emergency and/or break-glass accounts) to prevent locking out your whole tenant.
    Some other accounts need to be excluded, as mentioned in the following link: User exclusion in Entra ID

    By default, Microsoft creates a Conditional Access policy to enable MFA on admin accounts and activates it 90 days after creation: Common Conditional Access policy: Require multifactor authentication for admins accessing Microsoft admin portals

    In your case, you can edit this Conditional Access policy and exclude your account:

    • Open this URL https://entra.microsoft.com/ with a global admin account
    • Go to Protection then Conditional access
    • Click on Policy
    • Click the Multifactor authentication for admins accessing Microsoft Admin Portals policy
    • Go to Exclude identities and add your account

    Please don't forget to accept helpful answer
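The answers above recommend keeping at least two emergency (break-glass) accounts excluded from Conditional Access policies that require MFA. The following is an added example, not code from the answers or from Microsoft: an offline check over a policy export in the shape of Microsoft Graph `conditionalAccessPolicy` objects that lists which break-glass accounts each MFA policy still applies to. The export, all IDs, and the function name `audit_break_glass` are constructed for illustration.

```python
import json

# Constructed sample shaped like a Microsoft Graph conditionalAccessPolicy list.
# Every ID and display name below is a placeholder, not a real tenant value.
SAMPLE_EXPORT = json.loads("""
{"value": [
  {"displayName": "Require MFA for admins (constructed)",
   "state": "enabled",
   "conditions": {"users": {"includeRoles": ["role-global-admin"],
                            "excludeUsers": ["bg-account-1"],
                            "excludeGroups": []}},
   "grantControls": {"builtInControls": ["mfa"]}},
  {"displayName": "Require MFA for all users (constructed)",
   "state": "enabledForReportingButNotEnforced",
   "conditions": {"users": {"includeUsers": ["All"],
                            "excludeUsers": [],
                            "excludeGroups": ["grp-break-glass"]}},
   "grantControls": {"builtInControls": ["mfa"]}},
  {"displayName": "Block legacy auth (constructed)",
   "state": "enabled",
   "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []}},
   "grantControls": {"builtInControls": ["block"]}}
]}
""")

def audit_break_glass(export, break_glass_ids, group_members=None):
    """Return {policy name: [break-glass IDs not excluded]} for MFA policies."""
    group_members = group_members or {}  # group ID -> member IDs, supplied by caller
    findings = {}
    for policy in export.get("value", []):
        # Report-only policies are still checked: they may be switched to enabled.
        if policy.get("state") == "disabled":
            continue
        controls = (policy.get("grantControls") or {}).get("builtInControls") or []
        if "mfa" not in controls:
            continue  # only policies that demand MFA are in scope here
        users = (policy.get("conditions") or {}).get("users") or {}
        excluded = set(users.get("excludeUsers") or [])
        for gid in users.get("excludeGroups") or []:
            excluded |= set(group_members.get(gid, []))
        missing = sorted(set(break_glass_ids) - excluded)
        if missing:
            findings[policy["displayName"]] = missing
    return findings
```

Group exclusions only count when the caller supplies the group's membership, so an empty or stale exclusion group shows up as a finding instead of being trusted.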

  3. Sandeep G-MSFT 20,906 Reputation points Microsoft Employee Moderator
    2023-12-26T04:05:16.1466667+00:00

    @john paul centeno

    Thank you for posting this in Microsoft Q&A.

    In this situation, if you are the only global admin on the account and are blocked entirely, you can reach out to our support team. You can look at the article below to get support numbers depending on your country.

    https://support.microsoft.com/en-us/topic/global-customer-service-phone-numbers-c0389ade-5640-e588-8b0e-28de8afeb3f2

    or create a ticket through a different account: https://learn.microsoft.com/en-us/microsoft-365/admin/get-help-support?view=o365-worldwide#phone-support

    Create a ticket with the Microsoft support team. Give them the tenant ID which is locked out in your description. Tell them that no admin account has access anymore and your partners also have no access anymore.

    Once you create a ticket with the support team, you will have to work with our data protection team. You will first have to prove your identity against your tenant for security purposes. After that, this team will help you get access to your tenant or unlock your account, depending on your scenario.

    Also, for the future, you can create an emergency access account (break glass) in Azure AD. This account will help prevent being accidentally locked out of your Azure Active Directory (Azure AD) organization because you can't sign in for any reason.

    https://docs.microsoft.com/en-us/azure/active-directory/roles/security-emergency-access

    Let me know if you have any further questions.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
