How to disable MFA for all non-admin users

Question

How to disable MFA for all non-admin users

Jamison Hill 5

I manage an org that has many shared user accounts due to our many volunteers. For example, our Facilities team volunteers all login to M365 using the same ******@mydomain.com user. I do not want these users to be required to use multifactor authentication, or to even be able to turn it on. How can I selectively disable MFA for these user accounts that our many volunteers utilize? I don't mind if the rest of the org (our paid staff) have to use MFA, but these few volunteer accounts need to remain only protected by a password that I randomize every few months. Thanks,

Akhilesh Vallamkonda 15,320 Reputation points Microsoft External Staff Moderator

2024-02-26T04:18:32.3266667+00:00

Hi @Jamison Hill
Just checking in to see if the below answer provided by @Wilkin Sanchez
If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Akhilesh Vallamkonda 15,320 Reputation points Microsoft External Staff Moderator

2024-02-28T04:08:59.79+00:00

Hi @Jamison Hill Just checking in to see if the below answer provided by @Wilkin Sanchez
If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Jamison Hill 5 Reputation points

2024-02-28T14:00:48.55+00:00

Hi @Akhilesh This response did not solve my problem and I have left details in a new comment in hopes of getting an additional response from @Wilkin Sanchez or anyone else. Thanks.

2 answers

Your answer

Akhilesh Vallamkonda 15,320 Reputation points Microsoft External Staff Moderator

2024-02-26T04:18:32.3266667+00:00

Hi @Jamison Hill
Just checking in to see if the below answer provided by @Wilkin Sanchez
If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Akhilesh Vallamkonda 15,320 Reputation points Microsoft External Staff Moderator

2024-02-28T04:08:59.79+00:00

Hi @Jamison Hill Just checking in to see if the below answer provided by @Wilkin Sanchez
If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Jamison Hill 5 Reputation points

2024-02-28T14:00:48.55+00:00

Hi @Akhilesh This response did not solve my problem and I have left details in a new comment in hopes of getting an additional response from @Wilkin Sanchez or anyone else. Thanks.

Answer 1

Hello Jamison,

Keep in mind that disabling MFA for a user account can reduce the security posture of your organization. Do you currently have a Conditional Access policy for the entire org that enables MFA? If not, you can do the following

Create a security group for exclusion. You can call it "MFA Excluded users" for example.
Configure Conditional Access Policy:
1. Navigate to the Azure Active Directory admin center.
2. Go to Security > Conditional Access.
3. Select New policy.
4. Name your policy (e.g., "Disable MFA for Volunteers").
5. Under Assignments, select Users and Groups. Then, under Include, select All users. Under Exclude, choose the group "MFA Excluded Users" you created for shared accounts.
6. Under Cloud apps or actions, you can select All Cloud apps or specify only Microsoft 365 apps as required.
7. In the Conditions section, you can leave the default settings or adjust them as needed for your organization.
8. Under Grant, select Grant access and ensure that Require multi-factor authentication is unchecked.
9. Enable the policy by setting Enable policy to On.
10. Click Create to apply the policy.

Notes: Make sure you have a break-glass account when enabling MFA. Also, you should look into Guest accounts as an alternative to this issue.

Let me know if that helps.

Jamison Hill 5 Reputation points

2024-02-27T17:06:15.6633333+00:00

Hi @Wilkin Sanchez
Thanks for the help. In step "h", I am unable to leave all options blank, (and I'm not sure I want to turn on any of the other options for my users) because it rejects this with an error "You must configure either the "Grant" or "Session" section." Also I don't have the Azure AD admin center anymore, it's Entra and mostly similar to what you described, but maybe there are limits to what I'm trying to do under this new umbrella.
I'm curious, if the Conditional Access has the option to Include my "MFA Excluded" users, and then under Grant Access there's an option to "Block Access" with MFA as an option, would it be equally effective to just create the policy to include the MFA Excluded group and selectively Block MFA Authentication. The way you wrote the plans for this policy, it seems backwards to how I would have thought to do it because I think that if I'm trying to make an exception for a small group of users that I'd write the policy just for them and not change things for all other users, but I'm sure it's because I don't understand this system well enough.

Answer 2

Akhilesh Vallamkonda 15,320 Microsoft External Staff Moderator

Hi @Jamison Hill

Thank you for posting your query on Q&A.

To answer your questions from Wilkin Sanchez answer, Entra is the new name for Azure Active Directory, so the admin center should be the same and very similar. You can access it by going to Entra admin center and signing in with your admin account.

The error message you are getting is because you need to specify at least one grant control or session control for your policy.

Grant controls are the actions that users must take to access the resource, such as MFA, device compliance. Session controls are the restrictions that apply to the user session after they are granted access, such as sign-in frequency, app enforced restrictions.

However, you can use the “Block access” option to deny access to the users or groups that you want to exclude from MFA. However, this will also prevent them from accessing any other resources that are protected by the policy, not just MFA.

The other side, since you are already using the Conditional Access policy MFA for all the users, I would suggest to exclude the MFA Users rather than include them. In this way you can apply the policy to all users by default, and only make exceptions for the ones that you want to exempt from MFA.

By using this approach, you can achieve more security and scalable, you don’t have to create separate policies for each group of users that you want to enforce MFA on.

I hope this information helps! please Feel free to ask any questions you may have.

Reference: https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-policies

https://learn.microsoft.com/en-us/entra/identity/conditional-access/plan-conditional-access

Thanks,

Akhilesh.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Akhilesh Vallamkonda 15,320 Reputation points Microsoft External Staff Moderator

2024-03-02T02:09:51.4366667+00:00

Hi @Chrissy Elmer

Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Akhilesh Vallamkonda 15,320 Reputation points Microsoft External Staff Moderator

2024-03-04T09:07:43.6533333+00:00

Hi @Chrissy Elmer

Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Jamison Hill 5 Reputation points

2024-03-04T14:15:18.6966667+00:00

You mentioned "since you are already using the Conditional Access policy MFA for all the users," in your response, but I have not enforced any conditional access policies. Microsoft has just decided to force MFA on us, and it's not even affecting every user; it's a random selection of users across our tenant. I never intended for any of my users to have a requirement of MFA, at this time. I cannot find any place in my administrative tools to turn off what Microsoft has forced on us. If I was ready to roll out MFA to the organization, I would be happy to create a conditional policy that includes everyone, but excludes the MFA Exclude Group and then assign that policy to grant MFA rules, but I'm not trying to make a company-wide change. I'm only trying to ensure that a small group of volunteers who share team logins don't have to text each other MFA codes all day long when they are logging into the team computer at a workstation in the lobby.

The bigger mystery to solve is this: how can I turn off the MFA requirement that is being forced on many of my users that is not a result of a conditional access or any other systematic change that was out of my control? I certainly don't mind if users opt-in for MFA, but I don't want to force my users into it without first exposing them to best practices and creating a quality plan to roll it out, and also having the ability to administratively manage exceptions. I would like MFA policies to be on my timeline, not something forced on my organization by Microsoft.

Share via

How to disable MFA for all non-admin users

2 answers

Your answer