Disable Multi-Factor Authentication for Azure AD User

This guide provides instructions on disabling MFA for a user in Azure Active Directory.

In order to make the account accessible without using multi-factor authentication, you must temporarily disable Microsoft security defaults.

Warning!
Disabling Microsoft security defaults leaves your organization vulnerable to common identity-related attacks.

• No longer require all users to register for Azure AD Multi-Factor Authentication
• No longer require administrators to pass multifactor authentication
• No longer require users to pass MFA whenever Azure AD deems necessary
• Unblock legacy authentication protocols
• No longer require MFA for these services:
  • Azure portal
  • Azure PowerShell
  • Azure CLI

Disabling Security Defaults

1. Navigate to your Azure Active Directory overview page and click Properties.
2. Scroll all the way down. Click the link that reads Manage security defaults (or click here).
3. From the drop-down menu, select Disabled (not recommended). Then click Save.

Disabling MFA Per-User

1. Navigate to your Azure Active Directory Users page and click on Per-user multifactor authentication (or click here).
   
2. The Multi-factor authentication page will open in a new window. From the list, find the user for which you need to disable multi-factor authentication, check the box next to their name, and then click Disable on the right.
   
3. Click Yes when prompted to confirm the changes.
4. Open an incognito window (usually CTRL+SHIFT+N) and navigate to https://outlook.office365.com/. Given that you have the correct password for the account, you may now test to see whether you can login with the target user's credentials without being prompted to use multi-factor authentication.
5. Don't forget to restore Microsoft security defaults once you're finished accessing the target account by navigating to Manage security defaults, selecting Enabled (recommended) from the drop-down menu, and clicking Save.