How to fully disable an MFA for an Entra ID User

Petr Hecko 0 Reputation points
2025-10-02T20:42:20.38+00:00

Hello. I'm facing a frustrating issue, where I would like to have a service account that can log in without MFA, but no matter what I try, it always asks the user to set up an MFA when trying to log in with this user. This is causing issues in our pipeline job, as obviously MFA wouldn't work in this case.

The user has MFA disabled - this was done from the Entra ID menu -> users -> per user MFA -> user shows MFA as disabled.

I then checked where else the MFA could be enabled, if it's on tenant or subscription level, but I cannot find any place that would override this per-user MFA setting, which clearly shows this user having disabled MFA.

Wonder if anyone could point me in the right direction where I could fully disable the MFA requirement for this user? We do not have any conditional access policies set ourselves.

Thanks in advance!


1 answer

  1. Vivian-HT 7,105 Reputation points Microsoft External Staff Moderator
    2025-10-03T04:20:21.69+00:00

    Dear @Petr Hecko,

    Thank you for posting your question in the Microsoft Q&A forum.

    To completely disable MFA for a specific Microsoft Entra ID user, you need to check all possible enforcement layers, because per-user MFA settings alone don’t guarantee that MFA won’t be required. Therefore, according to my research, here are some steps I recommend you try:

    Step 1: Verify Per-User MFA

    • Go to Microsoft Entra Admin Center > Users > per user MFA > User
    • Confirm the user shows MFA = Disabled
    • Check Authentication Methods
      • Go to Microsoft Entra Admin Center > Users > Scroll down to Authentication Methods, confirm there’s no policy requiring MFA for sign-in.
      • If the user is part of any group with enforced MFA, remove them.

    Step 2: Disable Security Defaults

    If your tenant was created on or after October 22, 2019, security defaults might be enabled in your tenant. To protect all of our users, security defaults are being rolled out to all new tenants at creation. After this setting is enabled, all users in the organization will need to register for multifactor authentication. For reference: Security defaults in Microsoft Entra ID

    Important: To configure security defaults in your directory, you must be assigned at least the Conditional Access Administrator role.

    Step 3: Check Conditional Access Policies

    Even if you didn’t create any, inherited or baseline policies might exist.

    • Go to Microsoft Entra Admin Center > Conditional Access > Policies.
    • Ensure there are no policies requiring MFA for this user or group.

    I hope this information is helpful. Please follow these steps and let me know if it works for you. If not, we can work together to resolve this.

    Note: Please understand that our initial response does not always resolve the issue immediately. However, with your help and more detailed information, we can work together to find a solution.

    Thank you for your patience and your understanding. If you have any questions or get stuck on any steps, please feel free to reach out.

    I'm looking forward to your reply.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".   

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
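
The three enforcement layers the answer lists, evaluated together for one account (an added example, not part of the original thread). It assumes the responses of the Microsoft Graph endpoints named in the comments have been exported as JSON; the sample data, the user ID `u-svc` and the group IDs are constructed.

```python
# Constructed sample data shaped like Microsoft Graph responses (not a real tenant).
SECURITY_DEFAULTS = {"isEnabled": False}    # /policies/identitySecurityDefaultsEnforcementPolicy
PER_USER = {"perUserMfaState": "disabled"}  # /users/{id}/authentication/requirements
CA_POLICIES = [                             # /identity/conditionalAccess/policies ("value" array)
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeGroups": ["g-breakglass"]}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Pilot MFA (report-only)", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Require MFA for admin portal", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["u-svc"]}},
     "grantControls": {"builtInControls": ["mfa"]}},
]


def targets_user(users, user_id, group_ids):
    """True if the policy's user condition includes the account and no exclusion applies."""
    ids = lambda key: set(users.get(key) or [])   # Graph may return null instead of []
    included = ("All" in ids("includeUsers") or user_id in ids("includeUsers")
                or bool(group_ids & ids("includeGroups")))
    excluded = user_id in ids("excludeUsers") or bool(group_ids & ids("excludeGroups"))
    return included and not excluded


def mfa_sources(user_id, group_ids, sec_defaults, per_user, policies):
    """List every layer that would still demand MFA from this account."""
    reasons = []
    if sec_defaults.get("isEnabled"):
        reasons.append("security defaults")
    if per_user.get("perUserMfaState") in ("enabled", "enforced"):
        reasons.append("per-user MFA")
    for p in policies:
        if p.get("state") != "enabled":      # disabled and report-only policies do not enforce
            continue
        grant = p.get("grantControls") or {}
        needs_mfa = "mfa" in (grant.get("builtInControls") or []) or grant.get("authenticationStrength")
        # Role-based targeting (includeRoles) is not evaluated here; review those by hand.
        if needs_mfa and targets_user(p["conditions"]["users"], user_id, set(group_ids)):
            reasons.append("conditional access: " + p["displayName"])
    return reasons


if __name__ == "__main__":
    for reason in mfa_sources("u-svc", {"g-pipeline"}, SECURITY_DEFAULTS, PER_USER, CA_POLICIES):
        print("MFA still required by:", reason)
```

An empty result means none of the three layers explains the prompt for that account; any entry names the layer to review.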
