question

ChrisStephens-6403 avatar image
0 Votes"
ChrisStephens-6403 asked MarileeTurscak-MSFT answered

How do I DISABLE MFA for some users?

MFA is good to protect users login

However, I need to ocassionally disable MFA for select users

The O365 / Azure was setup by someone before I have got involved.

Some user are Enforced other are enabled and some are disabled !

I've checked for Policies in Conditional access - NO Policies set

I have tried disabling some of the ones that are enabled but doesn't seem to change !

Another thing is PIN - users dislike PIN requirement
How can I do away with PIN altogether

azure-managed-identity
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

1 Answer

MarileeTurscak-MSFT avatar image
0 Votes"
MarileeTurscak-MSFT answered

Hi @ChrisStephens-6403,

It sounds like the previous setup used per-user MFA, but you might have security defaults enabled on the tenant at the same time. If users are enrolled in per-user MFA, their state will show up as "Enabled" once enrolled in MFA and "Enforced" once they have signed in and registered for MFA.

If your tenant has Security Defaults enabled, users will be prompted for MFA regardless of their per-user status. Security defaults requires all users to register for MFA, but does not require MFA for all users at all times. Instead, users will be prompted for Multi-Factor Authentication based on factors such as location, device, and role.

If you want to use per-user MFA alone, you can disable security defaults under Azure Active Directory > Properties > Manage Security Defaults > Enable Security Defaults > No.

Otherwise if you have either Security Defaults or Conditional Access enabled, the per-user Disabled/Enabled/Enforced settings won't matter and the Security Default or Conditional Access settings will trump those settings.

There is no way to solely disable PIN for AD joined users, as this is a Windows Hello For Business requirement and it is the fallback mechanism when other providers are unavailable. But we do have the option to use multifactor unlock to use bio-metric as the first provider. PIN can also be skipped if you have ADFS, but the PIN would still be required for the initial setup. Also, if it's a Windows 10 desktop version 1607 or above that you are Azure AD joining you can actually disable Windows Hello for Business with a setting in Intune. Note though that for Windows 10 Mobile this setting will not have any effect since it's by design that Windows 10 Mobile devices will bypass this setting when Azure AD joining these devices.

Let me know if this helps!

Marilee



If the information provided was helpful to you, please remember to "mark as answer" so that others in the community with similar questions can more easily find a solution.

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.