In Microsoft 365 (Office 365), Multi Factor Authentication (MFA) is an authentication mechanism that uses more than one factor to authenticate a user. When completing user authentication, MFA adds an extra layer of protection. We’ll look at how to disable MFA in Microsoft 365 for all users or just one in this post.
The Azure Multi-Factor Authentication service is used for MFA in Microsoft 365. Microsoft 365 customers are urged to utilise one of the following MFA verification methods in addition to their password:
SMS message confirmation with one-time password;
A phone call is used to confirm the one-time password;
Using Microsoft Authenticator on a mobile device (available in Google Play for Android and in App Store for iOS devices). For sign-in confirmation in the Microsoft Authenticator app, you can use a one-time password (6 digits).
You may disable MFA for a user using PowerShell or the Microsoft 365 Admin Center web interface.
Hint: Your tenant’s Microsoft 365 Security Defaults must be deactivated.
Sign in to the Microsoft 365 Admin Center (https://admin.microsoft.com/) with an account that has tenant Global Administrator access.
Select Users > Active Users from the drop-down menu.
Select Multi-factor authentication from the drop-down menu.
A page containing a list of users in your Microsoft 365 tenant, as well as their MFA status, will display.
Click on a user’s name to disable MFA for that user;
In the right column (Quick Steps), you’ll see several buttons that let you to activate, disable, or adjust user settings; click Disable and confirm to disable MFA for the user.
On the Service Settings tab, you can configure additional MFA options. Here you can:
- Add a list of trusted IP subnets, which users don’t need to use MFA;
- Enable/disable certain MFA methods.
You can enable or disable MFA for a Microsoft 365 (Office 365) user using PowerShell. To accomplish this task, you need to use the MSOnline PowerShell module.
Check if the MSOnline module is installed on your computer:
Get-Module -Name MSOnline
If the module is missing, install it:
Install-Module MSOnlineConnect to your Microsoft 365 tenant:
$MSOCred = Get-Credential
Connect-MsolService -Credential $MSOCredTo check if MFA is enabled or disabled for a specific user, run the commands:
$user=Get-MsolUser –UserPrincipalName PattiF@theitbros.onmicrosoft.com
$user| select DisplayName,UserPrincipalName,@{N="MFA Status"; E={ if( $_.StrongAuthenticationMethods.IsDefault -eq $true) {($_.StrongAuthenticationMethods | Where IsDefault -eq $True).MethodType} else { "Disabled"}}}
In this example, MFA is enabled for the user through the Microsoft Authenticator mobile app (PhoneAppNotification).Hint. One of four MFA methods can be enabled for the user:
- PhoneAppOTP
- PhoneAppNotification
- OneWaySMS
- TwoWayVoiceMobile
To display the MFA status for all Microsoft 365 tenant users, run:
$users= Get-MsolUser -all$users| select DisplayName,UserPrincipalName,@{N="MFA Status"; E={ if( $_.StrongAuthenticationMethods.IsDefault -eq $true) {($_.StrongAuthenticationMethods | Where IsDefault -eq $True).MethodType} else { "Disabled"}}}|Format-Table
Get-MsolUser -UserPrincipalName PattiF@theitbros.onmicrosoft.com| Set-MsolUser -StrongAuthenticationRequirements @()