Disabling MFA for global admin

Question

Hi,

Got a strange problem, I'm a global admin for my small company Office365 (we use only business basic/standard licences) - though I'm not tech pro, just the most tech-savvy person in the office, so pls bear with me.

Sometime ago I turned on MFA via Authenticator app (can't remember exactly where) solely for my account, recently my Authenticator app on the phone was deleted and after restoring it from back up, it asks to resetup MFA code for my company account.

When I go to https://myaccount.microsoft.com/ - ADDITIONAL SECURITY VERIFICATION - it asks me to login with with MFA. I get only two options: via app notification or app generated code, obviously I can't provide any of them, because the Authenticator app asks to resetup MFA. There are no sms/call options and I can't proceed further.

However, I can freely login on O365 admin center, company's Azure Active Directory, my email account, etc. - it only asks for password, no MFA.

On O365 admin center, it says that MFA is disabled

On Azure AD, I can't do any changes in regards with MFA as we don't have it enabled for all organization

But when I check my account via Powershell, using cmd Get-MsolUser -UserPrincipalName xx@keyman .com | FL it shows that strong authentication is required for this account. the suggested script I found here didn't change anything

$AzureMFA=@()
Set-MsolUser -UserPrincipalName "xxx" -StrongAuthenticationMethods $AzureMF

and there are no conditional access policies turned on

what are my options?

Answer 1

Hi @pmartynas Thanks for your response. These endpoints are by default secured with MFA and you will always be prompted for proofup (2nd factor) if you try to set ADDITIONAL SECURITY VERIFICATION via https://myaccount.microsoft.com/?ref=MeControl or https://aka.ms/mfasetup, even when MFA is not enforced on the user account. This behavior can NOT be changed.

This is to prevent any malicious user from setting his phone number to be used as second factor of authentication if he somehow managed to get access to a user account with first factor of authentication.

-----------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Answer 2

Could you do me a favor and double check if you have Security Defaults turned on? In the Azure AD portal, go to properties, and at the bottom click "Manage Security Defaults"

If it is set to on, that will set the same policy as Require MFA for Admins by default. If that is off, then we can try another solution!

Answer 3

Hello @pmartynas

Below are the features that can be used to trigger MFA for a user account. You have already checked 3 & 4. Kindly check 1 & 2 as well.

1. Per user MFA: Azure Portal > Azure AD > Users > All Users > Multi-Factor Authentication
2. MFA for Risky Sign-ins: Azure AD Identity Protection > Sign Risk Policy > Control > Require multi-factor authentication.
3. Conditional Access Policy
4. Security Defaults

If you couldn't to identify what is triggering MFA, please share the correlation ID. I will try to track that to figure out what is triggering MFA.

In order to get the correlation ID, do not respond to MFA challenge and wait for the failure to occur. On the error screen, click on More Information and find the correlation ID. Please refer to below screenshot:

-----------------------------------------------------------------------------------------------------------

Please do not forget to "Accept the answer" wherever the information provided helps you. This will help others in the community as well.

Answer 4

@pmartynas Thank you for sharing the details. I tracked the request and found that MFA is explicitly enforced by the client application 'Microsoft App Access Panel'. Could you please confirm below information:

• Are you getting MFA prompt only when you access Microsoft App Access Panel? Or you get MFA prompt while accessing Azure portal/Office365 portal/Exchange Online as well?
• If you are getting MFA prompt only for Microsoft App Access Panel, are you using any custom link to access that? If yes, please share the link.

It would be helpful if you can share a fiddler capture. Please follow below instructions to capture a fiddler trace:
Setup:
• Download and install Fiddler from here: https://www.telerik.com/fiddler
• Follow these instructions to enable HTTPS capture: https://docs.telerik.com/fiddler/configure-fiddler/tasks/DecryptHTTPS (do step 1 and 2)
To get traces:
• Start fiddler (it will start capturing)
• Repro the issue.
• Stop fiddler capturing by hitting the F12 key.
• Save all sessions in .saz file and send via email to azcommunity[at]microsoft[dot]com with subject "Redirect to Amanpreet". I will analyze the capture and let you know.
Note: Fiddler may have credentials in plain text, So, I would suggest you to reset the password after reproducing the issue during fiddler capture.