How to disable MFA from Azure AD

AgatSaaS 26 Reputation points
2020-04-20T08:07:58.997+00:00

I want to disable MFA in Azure AD.
When I go to Azure AD -> Users -> Multi Factor Authentication, I can see that MFA is disabled.
However, whenever I am logging in to the Azure Portal I am required to insert a code sent to my mobile device. Why is that?

Another thing, each user is required to use MFA. I do not want to force that. How can I disable this?

Microsoft Entra ID

7 answers

  1. Vasil Michev 95,096 Reputation points MVP
    2020-04-20T08:17:37.653+00:00

    This is most likely because of the Security defaults feature: https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults
    Read the article above to learn more about it, including how to disable it if needed (although not recommended).

    12 people found this answer helpful.

  2. 2022-06-18T12:26:26.15+00:00

    Within the Azure AD there are 3 methods to configure MFA.

    1. By default there is an Azure Active Directory setting called "Security Defaults". You can enable/disable that in Azure Portal -> Azure Active Directory -> Properties -> Manage security defaults (link at the bottom of the page) -> Enable/Disable. If you disable it then MFA will not be a default for all users and it will be controlled by point 2 or 3 described below.
    2. Manual per-user MFA. This you can find and configure in Azure Active Directory. Azure Portal -> Azure Active Directory -> Users -> per-user multifactor authentication. There you can select all or single users and set them to MFA Disabled/Enabled/Enforced. In general it is recommended to use MFA as it improves the user authentication security layer. But there are cases where there may be a requirement to disable MFA for particular or all accounts, e.g. a business critical application which cannot function with MFA enabled (or just a user's laziness or will). It is a rare case - most modern applications support MFA - but there is such a possibility.
    3. Conditional Access - if you have an Azure Active Directory P1 or P2 Premium license then you can disable Microsoft security defaults and next implement Conditional Access (policies) to e.g. enforce MFA for the Global Administrators, administrative accounts, general users, but for example exclude MFA for specific accounts, e.g. for those business critical legacy apps which do not support MFA or just a "lazy" user who does not want to use MFA as well (not recommended, but it is possible to configure). A strong password would be a good practice in that case to have some minimal security at least. Within the Conditional Access policy you can configure additional elements to improve the security.

    If you would like to configure Conditional Access and have some knowledge about MFA, a good article has been mentioned above:

    https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults

    and one more:

    https://learn.microsoft.com/en-us/microsoft-365/admin/security-and-compliance/set-up-multi-factor-authentication

    Best regards,
    Tomasz Wieczorkowski

    7 people found this answer helpful.
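
A read-only way to see which of the tenant-wide mechanisms described in the answers is behind an MFA prompt, added here as an example that is not part of any answer on this page. It assumes the Microsoft Graph PowerShell SDK (module Microsoft.Graph.Identity.SignIns) and an account that can consent to Policy.Read.All; per-user MFA state is not covered.

```powershell
# Added example: read-only audit of what can require MFA in a tenant.
# Assumption: Microsoft Graph PowerShell SDK is installed and the signed-in
# account may consent to the Policy.Read.All scope. Nothing is modified.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.Read.All'

# Security defaults: a single tenant-wide switch. When it is on, users are
# prompted even if per-user MFA shows "Disabled" for every account.
$defaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
"Security defaults enabled: $($defaults.IsEnabled)"

# Conditional Access: keep policies whose grant controls require MFA, either
# through the built-in 'mfa' control or through an authentication strength.
$mfaPolicies = Get-MgIdentityConditionalAccessPolicy -All | Where-Object {
    ($_.GrantControls.BuiltInControls -contains 'mfa') -or
    $_.GrantControls.AuthenticationStrength.Id
}

if (-not $mfaPolicies) {
    'No Conditional Access policy requires MFA.'
}

# Show scope and exclusions. Excluded users and groups are the accounts that
# sign in without MFA under that policy, so review them first.
$mfaPolicies | ForEach-Object {
    [pscustomobject]@{
        Policy        = $_.DisplayName
        State         = $_.State   # enabled / disabled / enabledForReportingButNotEnforced
        IncludeUsers  = $_.Conditions.Users.IncludeUsers  -join ','
        ExcludeUsers  = $_.Conditions.Users.ExcludeUsers  -join ','
        ExcludeGroups = $_.Conditions.Users.ExcludeGroups -join ','
    }
} | Format-Table -AutoSize -Wrap

Disconnect-MgGraph | Out-Null
```

The user and group columns contain object IDs (or the keyword `All`), which can be resolved in the portal before deciding whether an exclusion is still justified.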

  3. soumi-MSFT 11,716 Reputation points Microsoft Employee
    2020-04-20T08:20:17.147+00:00

    @AgatSaaS , There are only two ways to enable and disable Azure MFA in AAD.

    1. Using Conditional Access policies
    2. Using the MFA service portal


    If the MFA for the users has been enabled using the CA policy, then it can be disabled only through the CA policy, and if it's enabled through the MFA service portal, then you can go to the service portal and select the users for whom you want the MFA to be disabled.

    Hope this helps.

    Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as "Answer" if the above response helped in answering your query.

    5 people found this answer helpful.

  4. jLight 201 Reputation points
    2020-04-20T14:41:14.79+00:00

    What is your use case? Best practice is to have MFA enabled but set Conditional Access to whitelist things, like your Office IP address or even registered devices.

    2 people found this answer helpful.

  5. Viaguladas, Rinaldo 6 Reputation points
    2021-06-25T10:05:21.653+00:00

    As ColinSmith mentioned, this could be coming from the local "Windows Hello PIN".

    Here's how to disable it from the Registry:

    Press Windows key and R key together to open Run dialog.
    Type regedit in the box and click OK to continue.
    Navigate to the path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Settings\AllowSignInOptions.
    In the right panel, double-click on the DWORD entry named value and set it to 0.

    Have a great day!

    1 person found this answer helpful.