Introduction
Multi-Factor Authentication, abbreviated as MFA, is a security procedure mandating individuals to furnish several forms of identification before being granted access to a system, application, or account. The primary objective of MFA is to augment security by introducing an additional layer beyond the conventional username and password, mitigating vulnerabilities to potential attacks like phishing or password guessing.
Although MFA has many advantages, there are scenarios where it can become a disadvantage. We will discuss several use cases in which MFA needs to be disabled, and then walk through the steps to disable it.
Use Cases
- Manual Testing: A company is deploying a web app with Multi-Factor Authentication (MFA). Manual testing reveals user confusion and workflow inefficiencies with MFA. To address usability concerns, the testing team recommends temporarily disabling MFA for specific user roles. This allows focused testing and refinement before re-enabling MFA.
- Automation and Scripting: Integrating MFA with automated testing or scripting can be challenging. A practical approach is to temporarily disable MFA for specific accounts during automated testing, provided the security implications are carefully considered and addressed.
- Manual Deployment Steps: For critical post-deployment tasks in Power Platform such as updating connectors and adjusting settings, MFA is temporarily disabled for a service account, allowing streamlined manual execution. Enhanced security measures are in place during the process, and MFA remains disabled for efficiency.
- Training and Onboarding Costs: If MFA creates complexity for end-users, there might be expenses associated with training and onboarding. Temporarily deactivating MFA could mitigate these costs in the short term; however, it is essential to prioritize user education for long-term effectiveness.
There might be several other use cases as well. Now let's discuss how we can disable MFA.
Steps to disable MFA using Azure Portal
Step 1. Log in to portal.azure.com with at least the Security Administrator role (I have the Global Admin role in my case).
Step 2. Click on hamburger menu icon -> Go to Microsoft Entra ID (previously known as Azure Active Directory) as shown below:
Step 3. A new window for Microsoft Entra ID will open. On the left-hand side, under Manage, click Properties. In Properties, scroll to the bottom and click the Manage security defaults hyperlink as shown below:
Step 4. A new window will open on the right-hand side. Click the dropdown and select Disabled. Under Reason for disabling, select 'My organization is using conditional access' (we will discuss conditional access further in this article). Now click Save as shown below:
If any warning pop-up appears select disable as shown below:
Step 5. After completing the above steps, MFA will be disabled for all users in the organization. This is not recommended; we should only disable MFA for specific users/groups. To achieve this we will make use of Microsoft Entra conditional access. In the search box type 'Microsoft Entra conditional access' and open the service as shown below:
Step 6. A new window will open. If the logged-in user does not have a 'Microsoft Entra ID P2' license, the Create new policy option will be disabled for them. To raise a trial request for 'Microsoft Entra ID P2', click the highlighted hyperlink: "Create your own policies and target specific conditions like cloud apps, sign-in risk, and device platforms with Microsoft Entra ID Premium." as shown below:
For detailed pricing and features of 'Microsoft Entra ID P2' refer following links: Features and Pricing
Step 7. A new pop-up 'Activate' will appear. Under 'Microsoft Entra ID P2' section click on Activate as shown below:
Step 8. A new window will open. Click on continue as shown below:
Step 9. Now click on 'Try now' as shown below.
Note: Please make sure you have payment method defined.
Step 10. Now click on continue. 'Microsoft Entra ID P2' trial license will be added.
We can verify the license by navigating to Home-> License as shown below:
Step 11. Now assign this license to yourself. Navigate to Users-> Active Users -> Click On more actions icon next to your user-> Click on Manage product licenses as shown below:
Step 12. A new pop-up will appear. Click on checkbox next to 'Microsoft Entra ID P2'. Click on save changes as shown below:
Step 13. Now go back to Azure Portal -> 'Microsoft Entra conditional access' and refresh the page. Verify 'Create new policy' buttons are enabled now. Click on 'Create new policy from templates' as shown below:
Step 14. Search for 'Require multifactor authentication for all users' and select the template. At bottom click on Review+Create as shown in image below:
Step 15. Give Policy name = 'Disable MFA for specific group/users' -> Click on create as shown below:
Step 16. Now we will add the specific groups/users for which we don't want MFA enabled to the exclude list of the policy created in Step 15. Click refresh and then click View all policies as shown below:
Step 17. Open the 'Disable MFA for specific group/users' policy by clicking on it.
Step 18. In Users section -> Click on Exclude Tab -> Select Users and Groups -> Add users and groups for which MFA is to be disabled -> In Enable policy click ON -> Save as shown below:
In Step 18 above, we excluded the users sak2 and sakshamgupta from the Conditional Access policy. MFA remains enabled for all other users.
Similarly, we can create multiple condition policies based on requirements and add users to include/exclude lists accordingly.
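The same outcome as Steps 4 and 14 to 18 can be scripted with the Microsoft Graph PowerShell SDK, which makes the exclusion list reviewable in code rather than only in portal screenshots. This is an added example, not part of the original article; it assumes the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Groups modules are installed, that the signed-in account is allowed to manage Conditional Access, and that the exclusion group name and policy name are placeholders you replace. It excludes a group rather than individual users (Step 18 excluded two users directly) and creates the policy in report-only mode first; change the state to "enabled" to match Step 18.

```powershell
# Added example, not from the original article. Placeholders: group and policy names.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","Group.Read.All"

# Step 4 equivalent: security defaults must be off before Conditional Access applies.
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($sd.IsEnabled) {
    Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$false
}

# Resolve the group whose members are exempt (constructed placeholder name).
$excludedGroup = Get-MgGroup -Filter "displayName eq 'MFA-Exempt-Test-Accounts'" |
    Select-Object -First 1
if (-not $excludedGroup) { throw "Exclusion group not found; create it first." }

# Steps 14-18 equivalent: require MFA for all users on all apps, excluding the group.
# Report-only shows the effect in sign-in logs without enforcing; set "enabled" to enforce.
$policy = @{
    displayName   = "Disable MFA for specific group/users"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{
            includeUsers  = @("All")
            excludeGroups = @($excludedGroup.Id)
        }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy | Out-Null

# Review check: list every MFA policy and who it exempts, so exclusions stay visible.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.GrantControls.BuiltInControls -contains "mfa" } |
    ForEach-Object {
        [pscustomobject]@{
            Policy         = $_.DisplayName
            State          = $_.State
            ExcludedUsers  = ($_.Conditions.Users.ExcludeUsers -join ",")
            ExcludedGroups = ($_.Conditions.Users.ExcludeGroups -join ",")
        }
    } | Format-Table -AutoSize
```

Run the final listing periodically (or after any policy change) so that temporary exclusions added for a use case above do not outlive the work they were created for.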
Conclusion
We discussed how to disable MFA for a particular set of users/groups using condition policies. This is the most efficient way of disabling MFA and is what is implemented for the use cases discussed in this article. Please feel free to reach out if any doubts or clarifications arise.
Note: MFA should be disabled only when it is really required and should be performed by an experienced resource/user as it is related to security.