Can we disable MFA after password change ?

Question

Can we disable MFA after password change ?

Camille BARBIER 20

I configured MFA for my environment by applying it manually at the user level and via Conditional Access. I also added the IP range to exclude MFA for my company which works. We have not activated SSPR, when a user changes their password, it is on the local AD with sync to Entra ID. We have citrix cloud servers with an EntraID connection. When the user is on the company site, he uses a thin client for Citrix connection without MFA. When the user is outside the company, he has a laptop PC and MFA should be triggered when connecting to the virtual desktop (connecting to Citrix workspace). We have 3 types of second factor authentication: SMS or Authenticator for users with a Professional mobile. And, FIDO keys for users without mobile. Everything works fine except when a user with MFA enabled with a FIDO key changes their password. Teams sometimes displays "your organization needs more information to keep your account secure." And the key is not compatible with Windows Server so it is impossible to open Teams. So we need to temporarily disable MFA, open Teams, and re-enable MFA. Until the next password change... In the user's connection logs, I can see in the conditional policy tab that the "on-premises" policy applies and therefore should not request MFA. But in the "authentication details" tab it is noted MFA required. Is there a way to not be prompted to use multi-factor authentication on Teams after a password change?

Andy David - MVP 157.8K Reputation points MVP Volunteer Moderator

2024-02-29T19:44:51.4433333+00:00

So, without trying to sound like I don't want answer your question :) Why are you requiring password changes?

Accepted answer

0 additional answers

Your answer

Andy David - MVP 157.8K Reputation points MVP Volunteer Moderator

2024-02-29T19:44:51.4433333+00:00

So, without trying to sound like I don't want answer your question :) Why are you requiring password changes?

Answer 1

Ran Hou-MSFT 7,585 Microsoft External Staff

Hi @Camille BARBIER

Can we disable MFA after password change ?

Yes, you can follow the steps below:

Sign in to the Microsoft Entra admin center as at least a security administrator, conditional access administrator or global administrator.
Browse to Identity > Overview > Properties.
Select Manage security defaults.
Set Security defaults to Disabled (not recommended).
Select Save.

For more details, you may refer to the article.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Camille BARBIER 20 Reputation points

2024-03-01T09:14:27.1066667+00:00

Hi @Ran Hou-MSFT .

Thank you for your answer and your help.

Here is the message I get in "Security defaults":

I can't disable the default setting because I'm using conditional policies...

And in my strategies I can't find any option that could help me solve this problem.
Ran Hou-MSFT 7,585 Reputation points Microsoft External Staff

2024-03-04T05:47:50.02+00:00
Hi @Camille BARBIER

Do not forget to disable per-user MFA after you have enabled Conditional Access policies. This is important as it will result in inconsistent user experience. If you've previously turned on per-user MFA, you must turn it off before enabling Security defaults. You should also turn off per-user MFA after you've configure your policies and settings in Conditional Access.

In the Microsoft 365 admin center, in the left nav choose Users > Active users.

On the Active users page, choose multifactor authentication.

On the multifactor authentication page, select each user and set their multifactor authentication status to Disabled.
Ran Hou-MSFT 7,585 Reputation points Microsoft External Staff

2024-03-05T07:52:32.23+00:00

Hi @Camille BARBIER

I am checking the status of this case. Please let us know if you would like further assistance.

Meanwhile, if the reply is helpful to you, please try to mark it as an answer, it will help others who encounter the same issue and read this thread.

Thank you for your understanding and patience!
Camille BARBIER 20 Reputation points

2024-04-02T15:47:34.7566667+00:00

Hi @Ran Hou-MSFT .

Thank you for your help.

After several weeks of use, the problem seems to be corrected.

Per-user MFA conflicted with conditional policy.

From now on, MFA is managed by the conditional policy.

Share via

Can we disable MFA after password change ?

0 additional answers

Your answer