How to disable MFA from Azure AD

AgatSaaS 11 Reputation points

I want to disable MFA in Azure AD.
When I go to Azure AD -> Users -> Multi Factor Authentication, I can see that MFA is disable.
However, whenever I am logging to the Azure Portal I am required to insert a code sent to my mobile device. Why is that?

Another thing, each user is required to use MFA. I do not want to force that. How can I disable this?

Azure Active Directory
Azure Active Directory
An Azure enterprise identity service that provides single sign-on and multi-factor authentication.
14,741 questions
{count} votes

6 answers

Sort by: Most helpful
  1. Vasil Michev 71,216 Reputation points MVP

    This is most likely because of the Security defaults feature:
    Read the article above to learn more about it, including how to disable it if needed (although not recommended).

    11 people found this answer helpful.

  2. soumi-MSFT 11,651 Reputation points Microsoft Employee

    @AgatSaaS , There are only two ways to enable and disable Azure MFA in AAD.

    1. Using Conditional Access policies
    2. Using the MFA service portal


    If the MFA for the users have been enabled using the CA policy, then it can be disabled only through the CA policy and if its enabled through the MFA service portal, then you can go to the service portal and select the users for whom you want the MFA to be disabled.

    Hope this helps.

    Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as "Answer" if the above response helped in answering your query.

    4 people found this answer helpful.

  3. 2022-06-18T12:26:26.15+00:00

    Within the Azure AD there are 3 methods to configure MFA.

    1. By default there is an Azure Active Directory settings called - "Security Defaults". You can enable/disabled that in Azure Portal -> Azure Active Directory -> Properties -> Manage security defaults (link at the bottom of the page) -> Enable/Disable. If you disable it then the MFA will not be a default for all users and it will be controlled by the point 2 or 3 described below.
    2. Manual per-user MFA. This you can find and configure in Azure Active Directory. Azure Portal -> Azure Active Directory -> Users -> per-user multifunction authentication. There you can select all or single users and set them to MFA Disabled/Enabled/Enforced. In general it is recommended to use MFA as it improves user authentication security layer. But, there are cases where there may be requirement to disable MFA for particular or all accounts e.g. a business critical application which cannot function with the MFA enabled (or just a user lazyness or will). It is a rare case - most modern applications supports MFA - but there is such possibility.
    3. Conditional Access - if you have Azure Active Directory P1 or P2 Premium license then you can disable Microsoft security defaults and next implement Conditional Access (policies) to e.g. enforce MFA for the Global Administrators, administrative accounts, general users, but for example exclude MFA for a specific accounts e.g. for that business critical legacy apps which do not support MFA or just a "lazy" who do not want to use MFA as well - - not recommended but it is possible to configure) A strong password would be a good practice in that case to have some minimal security at least. Within the Conditional Access policy you can configure additional elements to improve the security.

    If you would like to configure Conditional Access and have some knowledge about the MFA the good article has been mentioned above:\

    and one more:\

    Best regards,
    Tomasz Wieczorkowski

    3 people found this answer helpful.
    0 comments No comments

  4. Ĵerome L 196 Reputation points

    What is your use case? Best practice is to have MFA enabled but set Conditional Access to whitelist things, like your Office IP address or even registered devices.

    1 person found this answer helpful.

  5. Viaguladas, Rinaldo 1 Reputation point

    As ColinSmith mentioned, this could be coming from the local "Windows Hello PIN".

    Heres how to disable it from the Registry:

    Press Windows key and R key together to open Run dialog.
    Type regedit in the box and click OK to continue.
    Navigate to the path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Settings\AllowSignInOptions.
    In the right panel, double-click on the DWORD entry named value and set it to 0.

    Have a great day!

    0 comments No comments