How to disable MFA for all users except the admins in M365

For a number of reasons, I am often asked how to disable MFA for all users except the administrator in M365, for example for educational institutions such as schools.

If you don’t want to do it, you can still limit access to specific IPs or networks. This can be done under the ‘Network’ settings by selecting ‘Any network’ or specifying particular locations. However, I’ll explain this topic in more detail in another post.

To disable multi-factor authentication (MFA) for all users except the administrator in a Microsoft 365 environment using Conditional Access, the following steps are required:

Steps to Disable MFA

  1. Sign in to Entra ID: Sign in to Entra ID with your administrator account.
  2. Access Entra Active Directory: Select “Protection” in the left menu.
  3. Manage Security Defaults: Select “Identity Protection” and then click on “Conditional Access.”
  4. Conditional Access: To disable MFA for specific or all users except administrators, you need to create a Conditional Access policy.
    In “Conditional Access”, create a new policy that includes MFA for all users except the administrator.
    Under “Users”, select “All users”, then under “Exclude” select “Users and groups” and choose either admin groups or individual admins.
    Under “Target resources”, select “All cloud apps”.
    Under “Grant”, select “Grant access” but nothing beneath it, and under “For multiple controls” select “Require all the selected controls”.
    Under “Session”, select “Persistent browser session” and then “Always persistent”.
  5. Enable the Policy: Ensure that the policy is enabled and test the settings to confirm that the MFA requirements are applied as desired.
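
The test in step 5 can also be run offline against an export of the tenant's policies. The following is an added example, not part of the original post: it evaluates Conditional Access policies in the JSON shape Microsoft Graph returns and reports, per user, whether any enabled policy still requires MFA. The policy names, user and group IDs, and the separate "Require MFA - admins" policy are constructed assumptions; role-based conditions and authentication strengths are not evaluated.

```python
import json

# Constructed sample in the shape Microsoft Graph returns for
# conditionalAccessPolicy objects; names and IDs are placeholders.
POLICIES = json.loads("""[
 {"displayName": "No MFA - all users except admins", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"], "excludeGroups": ["grp-admins"]},
                 "applications": {"includeApplications": ["All"]}},
  "grantControls": null,
  "sessionControls": {"persistentBrowser": {"isEnabled": true, "mode": "always"}}},
 {"displayName": "Require MFA - admins", "state": "enabled",
  "conditions": {"users": {"includeGroups": ["grp-admins"]},
                 "applications": {"includeApplications": ["All"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
  "sessionControls": null}
]""")

# Constructed users: name -> (user id, group ids). The last one is an admin
# account that was never added to the excluded admin group.
USERS = {"teacher": ("u-100", []), "admin": ("u-001", ["grp-admins"]),
         "admin_not_in_group": ("u-002", [])}

def applies_to(policy, user_id, group_ids):
    """True if the policy's user conditions select this user (exclusions win)."""
    u = policy["conditions"]["users"]
    groups = set(group_ids)
    if user_id in u.get("excludeUsers", []) or groups & set(u.get("excludeGroups", [])):
        return False
    included = u.get("includeUsers", [])
    return ("All" in included or user_id in included
            or bool(groups & set(u.get("includeGroups", []))))

def requires_mfa(policy):
    """True only if the built-in 'mfa' control cannot be skipped via an OR alternative."""
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls", [])
    return "mfa" in controls and (grant.get("operator") == "AND" or len(controls) == 1)

def evaluate(policies, user_id, group_ids):
    """Return (mfa_required, names of the enabled policies that apply to the user)."""
    hits = [p for p in policies
            if p["state"] == "enabled" and applies_to(p, user_id, group_ids)]
    return any(requires_mfa(p) for p in hits), [p["displayName"] for p in hits]

if __name__ == "__main__":
    for name, (uid, groups) in USERS.items():
        mfa, hits = evaluate(POLICIES, uid, groups)
        print(f"{name}: MFA required={mfa}; applying policies={hits}")
```

The third sample user shows the failure mode to look for: an administrator who is missing from the excluded group is treated like any other user and ends up with no MFA requirement.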

Additional Notes

  • Test and Training Environments: Disabling MFA can be appropriate in test or training environments but should be approached with caution in production environments, as MFA is an important security measure.
  • User Management: Make sure that all users affected by the MFA exemption are properly managed in Azure Active Directory.

By following these steps, you can effectively disable MFA for all users except the administrators in your Microsoft 365 environment.

About Armend

Hi there! I'm an IT professional with a passion for writing. My journey in the tech world began with a fascination for computers and technology, which eventually led me to a fulfilling career in IT. But beyond the world of codes and networks, I've always had a love for storytelling and the written word.