Unable to disable 2FA for single user

Kasper Hermkens 20 Reputation points
2024-06-25T13:35:32.6666667+00:00

Attempting to disable 2FA on a single user but impossible to do so, every time the user logs in again after resetting the MFA it asks to configure it again.

Tried the following:

  1. Excluded the user from all conditional access policies; if I run a What If with this user it shows no access policies should be applied. Still keeps asking for 2FA configuration.
  2. Disabled the Multifactor authentication registration policy.
  3. Attempted to disable through the PowerShell command: Set-MsolUser -UserPrincipalName $user.UserPrincipalName -StrongAuthenticationRequirements @()
  4. Checked the config under "Microsoft Entra ID -> Users -> Per-user MFA"; all is disabled here.
  5. Checked the config under "Microsoft Entra ID -> Overview -> Properties -> Security defaults"; these are disabled because of the use of conditional access policies.

I am not sure where to look anymore and have been looking for quite a while now.

I need to disable 2FA for troubleshooting and testing purposes.

Microsoft Entra ID

Accepted answer
  Sandeep G-MSFT 15,816 Reputation points Microsoft Employee
    2024-06-25T17:56:11.55+00:00

    @Kasper Hermkens

    Thank you for posting this in Microsoft Q&A.

    MFA prompts can happen for the reasons below.

    • Security defaults
    • Registration campaign
    • Conditional access policies
    • Per-user MFA
    • Identity protection

    Security Defaults: Someone might have enabled security defaults in your tenant. These are the basic controls that security defaults enforce:

    1. Requiring all users to register for multifactor authentication
    2. Requiring administrators to do multifactor authentication
    3. Requiring users to do multifactor authentication when necessary
    4. Blocking legacy authentication protocols
    5. Protecting privileged activities like access to the Azure portal

    Out of the basic controls in security defaults, the first one, "Requiring all users to register for multifactor authentication", requires all users to register for MFA.

    This doesn't mean that all users will be prompted for MFA. MFA will only be prompted where Entra sees an abnormality in the sign-in.

    If you do not want the MFA registration prompts for all users, then you can disable security defaults by logging in to the Entra ID portal using Global admin credentials, then browsing to Identity >> Overview >> Properties >> Manage security defaults, and disabling security defaults.

    Registration campaign: The purpose of Microsoft launching the registration campaign is to help organization users move away from SMS and voice authentication.

    With this registration campaign users in your organization who are relying on SMS and voice for MFA will be prompted to use the Microsoft Authenticator app.

    This means this program will only apply to those users who are using the SMS and voice methods for MFA. If you disable the registration campaign, then there will be NO IMPACT on users who have already registered for the Authenticator app.

    Users will still be prompted for MFA depending on what authentication method you have assigned to them for registration, or what method they used when they initially registered for MFA.

    Conditional access: Conditional Access is Microsoft's Zero Trust policy engine taking signals from various sources into account when enforcing policy decisions.

    Conditional Access policies at their simplest are if-then statements; if a user wants to access a resource, then they must complete an action. For example: If a user wants to access an application or service like Microsoft 365, then they must perform multifactor authentication to gain access.

    You can check the conditional access policies that are created and make sure the impacted users are not part of any CA policy which requires MFA to access the resources.

    Let me know if you have any further questions.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

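The question walks through the per-user MFA setting, Conditional Access, the registration policy and security defaults one at a time, and the answer lists the same sources (plus Identity Protection). The script below is an added example, not code from the question, the answer or Microsoft: for one user it enumerates each of those sources in a single pass and, most usefully, reads the user's recent sign-in log entries, whose requirement-policy details name the control that actually demanded MFA. It assumes the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph), an account that can consent to the listed scopes, and a placeholder UPN (user@contoso.example). The two /beta calls (per-user MFA state under users/{id}/authentication/requirements, and the sign-in requirement details under auditLogs/signIns) are an assumption about the current Graph beta surface; the v1.0 cmdlets used for the rest are stable.

```powershell
# Added example (not from the question, the answer or Microsoft): list every
# Entra ID control that can still require MFA or MFA registration for one user.
# Assumes Microsoft.Graph SDK installed and a signed-in admin with these scopes.
# The /beta URIs below are an assumption about current Graph beta; adjust if needed.
function Get-MfaRequirementSources {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    Connect-MgGraph -NoWelcome -Scopes 'User.Read.All', 'Policy.Read.All',
        'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All', 'Directory.Read.All'

    $findings = [System.Collections.Generic.List[object]]::new()
    $user     = Get-MgUser -UserId $UserPrincipalName -Property Id, UserPrincipalName
    # Transitive membership: CA policies are frequently scoped to nested groups.
    $groupIds = @(Get-MgUserTransitiveMemberOf -UserId $user.Id -All | Select-Object -ExpandProperty Id)

    # 1. Security defaults: when enabled, every user must register for MFA.
    $sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
    $findings.Add([pscustomobject]@{ Source = 'Security defaults'
        State = $(if ($sd.IsEnabled) { 'enabled' } else { 'disabled' }); Detail = '' })

    # 2. Registration campaign (Authentication methods policy): nudges SMS/voice users to Authenticator.
    $campaign = (Get-MgPolicyAuthenticationMethodPolicy).RegistrationEnforcement.AuthenticationMethodsRegistrationCampaign
    $findings.Add([pscustomobject]@{ Source = 'Registration campaign'
        State = $campaign.State; Detail = "snooze $($campaign.SnoozeDurationInDays) days" })

    # 3. Conditional Access: enabled policies that grant only with MFA (or an
    #    authentication strength) and whose user scope includes this user.
    #    Role-based scoping (IncludeRoles/ExcludeRoles) is not evaluated here.
    foreach ($p in Get-MgIdentityConditionalAccessPolicy -All) {
        if ($p.State -ne 'enabled') { continue }
        $g = $p.GrantControls
        $requiresMfa = ($g.BuiltInControls -contains 'mfa') -or ($null -ne $g.AuthenticationStrength.Id)
        if (-not $requiresMfa) { continue }
        $u = $p.Conditions.Users
        $excluded = ($u.ExcludeUsers -contains $user.Id) -or
                    (@($u.ExcludeGroups | Where-Object { $groupIds -contains $_ }).Count -gt 0)
        $included = ($u.IncludeUsers -contains 'All') -or ($u.IncludeUsers -contains $user.Id) -or
                    (@($u.IncludeGroups | Where-Object { $groupIds -contains $_ }).Count -gt 0)
        if ($included -and -not $excluded) {
            $findings.Add([pscustomobject]@{ Source = 'Conditional Access'
                State = 'in scope, requires MFA'; Detail = $p.DisplayName })
        }
    }

    # 4. Legacy per-user MFA: the setting the MSOnline cmdlet in the question edits.
    #    Read through Graph beta (assumed endpoint) instead of the deprecated MSOnline module.
    $req = Invoke-MgGraphRequest -Method GET `
        -Uri "https://graph.microsoft.com/beta/users/$($user.Id)/authentication/requirements"
    $findings.Add([pscustomobject]@{ Source = 'Per-user MFA'; State = $req.perUserMfaState; Detail = '' })

    # 5. Decisive check: recent sign-ins record which provider demanded MFA
    #    (security defaults, per-user MFA, a CA policy, risk policy, registration requirement).
    $uri = "https://graph.microsoft.com/beta/auditLogs/signIns?`$filter=userId eq '$($user.Id)'&`$top=5"
    foreach ($s in (Invoke-MgGraphRequest -Method GET -Uri $uri).value) {
        $providers = @($s.authenticationRequirementPolicies |
            ForEach-Object { "$($_.requirementProvider): $($_.detail)" }) -join '; '
        $findings.Add([pscustomobject]@{ Source = 'Sign-in log'; State = $s.authenticationRequirement
            Detail = "$($s.createdDateTime) $($s.appDisplayName) -> $providers" })
    }
    return $findings
}

# Placeholder UPN; replace with the affected account.
Get-MfaRequirementSources -UserPrincipalName 'user@contoso.example' | Format-Table -AutoSize -Wrap
```

Read the output from the bottom up: the sign-in log rows are authoritative, because they show what the service actually evaluated at the time of the prompt, whereas the policy rows above them only reflect the current configuration. If the log rows report multiFactorAuthentication while every policy row says disabled or out of scope, the provider named in the detail column is the control that was missed (an Identity Protection risk or MFA registration policy, or a CA policy scoped by role, which this script does not evaluate).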
