How to disable MFA for a single user

COTM admin 25 Reputation points
2023-09-26T23:34:42.9666667+00:00

How can I disable MFA for a single user in Azure?

Windows for business | Windows Server | Devices and deployment | Configure application groups

5 answers

  1. Ben Gibson 55 Reputation points
    2024-05-02T20:12:51.43+00:00

    In my experience, the answer is anything but straightforward, in most cases. The exact process depends on a host of various factors, including what policies are in place, admin permissions of the user, Azure subscriptions, whether this is for a new user or an existing user, (if it is an existing user) whether MFA has already been configured on the account, and much more.

    The complexities involved are probably why it is so hard to find a clear AND accurate answer to this seemingly-simple question that works for everyone.

    With that said, for smaller organizations using Microsoft 365 Basic or Premium licenses with no additional Azure subscriptions who are trying to disable MFA for a user that has already registered for it, I think this GUI-only, non-PowerShell process might answer the question:

    1. Disable Security Defaults for the organization. (If this is enabled, it acts as an “override all” and gives no flexibility to disable individual users, regardless of what you seem to see elsewhere in the admin environment.)
      1. https://portal.azure.com/#blade/Microsoft_AAD_ConditionalAccess/SecurityDefaults
      2. Alternatively, scroll to the bottom of this page and click the “Manage security defaults” link: https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Properties
    2. Ensure that MFA is disabled for the user in question. https://account.activedirectory.windowsazure.com/UserManagement/MultifactorVerification.aspx?BrandContextID=O365
      1. Optionally, ensure that MFA is enabled or enforced for all other users. (HIGHLY recommended!)
    3. Revoke previous MFA configurations on the user.
      1. https://entra.microsoft.com/#view/Microsoft_AAD_UsersAndTenants/UserManagementMenuBlade/~/AllUsers/menuId/
      2. Select the user from the list
      3. In the “Manage” section of the left menu for the user, select “Authentication methods”
      4. From the toolbar above the resulting pane, click “Revoke multifactor authentication sessions”. You may need to click the ellipsis (three dots) on the toolbar to view that choice.

    Again, there are myriads of places to invoke policies and set other MFA-related settings, so this process will definitely not work for everyone's environment. The above links will likely change in time, and I may even have left out some prerequisite steps! But hopefully it gives some clarity to someone.

    9 people found this answer helpful.
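
A read-only check of the settings the steps in the answer above touch, as an added example that is not part of the original answer. It assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in admin can consent to the listed scopes; `$Upn` is a placeholder, and the per-user MFA state is read from a beta Graph endpoint.

```powershell
# Added example: read-only audit of one account's MFA posture. Changes nothing.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.SignIns
param([string]$Upn = 'service@contoso.example')   # placeholder account

# Scopes are an assumption; your tenant may require different consent.
Connect-MgGraph -Scopes 'Policy.Read.All','User.Read.All','UserAuthenticationMethod.Read.All'

$user = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/users/$Upn"

# Step 1 of the answer: while security defaults are on, per-user settings are overridden.
$secDefaults = (Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy).IsEnabled

# Step 2 of the answer: per-user MFA state (disabled / enabled / enforced), beta endpoint.
$req = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/beta/users/$($user.id)/authentication/requirements"

# Methods currently registered on the account; the password method is always listed.
$methods = Get-MgUserAuthenticationMethod -UserId $user.id |
    ForEach-Object { $_.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.' } |
    Where-Object { $_ -ne 'passwordAuthenticationMethod' }

# Enabled Conditional Access policies whose grant controls include 'mfa'.
# Not evaluated here: group/role scoping and authentication-strength controls.
$caMfa = Get-MgIdentityConditionalAccessPolicy -All | Where-Object {
    $_.State -eq 'enabled' -and $_.GrantControls.BuiltInControls -contains 'mfa'
} | ForEach-Object {
    $u = $_.Conditions.Users
    $scope = if ($u.ExcludeUsers -contains $user.id) {
        'user excluded by id'
    } elseif ($u.IncludeUsers -contains 'All' -or $u.IncludeUsers -contains $user.id) {
        'user included (group/role exclusions not evaluated)'
    } else {
        'scoped by group or role: review manually'
    }
    [pscustomobject]@{ Policy = $_.DisplayName; Scope = $scope }
}

[pscustomobject]@{
    User                    = $user.userPrincipalName
    SecurityDefaultsEnabled = $secDefaults
    PerUserMfaState         = $req.perUserMfaState
    RegisteredMethods       = $methods -join ', '
} | Format-List

$caMfa | Format-Table -AutoSize
```

Running the same script against a second account shows whether MFA is still enabled or enforced for other users, which the answer recommends.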

  2. Limitless Technology 45,011 Reputation points
    2023-09-27T08:32:21.31+00:00

    Hello COTM admin,

    The answer is very straightforward. You can disable MFA on a single basis through:

    Go to Microsoft 365 admin center -> Users -> Active users -> Select the user -> Manage multifactor authentication -> Select the user -> Disable multi-factor authentication.

    --If the reply is helpful, please Upvote and Accept as answer--

    2 people found this answer helpful.

  3. Nguyen Viet Linh 0 Reputation points
    2025-01-22T13:21:23.8633333+00:00

    You need to disable the MFA security defaults in Microsoft Entra and create a conditional access policy that disables it.


  4. Erik Ray 1 Reputation point
    2025-10-09T19:25:50.4466667+00:00

    Microsoft Entra... which one is that, the one labeled "IDENTITY", because Microsoft C-level idiots are still busy with their branding circle-jerk?


  5. Erik Ray 1 Reputation point
    2025-10-14T16:07:08.3333333+00:00

    Currently have a ticket open (sort of). 365 support is telling me I need to speak to Azure.

    I am not an Azure customer. (At least I thought I wasn't... I'm getting charged $29/month for a subscription... next on my list is figuring out what the heck that is.)

    Again, as NOT AN AZURE CUSTOMER, I don't expect to get my 365 questions shoved onto someone else. But that's MS's strategy with 365 now... put the responsibility for support on someone else, because support is expensive, even when you outsource it.

    So, 365 support tells me I need to open a ticket with Azure support. Even gave me a link telling me how to do it... but it doesn't work. I don't get the option to open a ticket anywhere in Azure. I guess the Azure support team is sick of 365 support team's shit, and I have to suffer. Do you understand how hard these guys worked to try to get me over to Azure support? They were trying to get someone on the phone (couldn't), tried 15 different ways over 2 hours to log in and figure out how to open a ticket with Azure... the ticket is still open. Not for what I needed help for, for figuring out how I can open a ticket with Azure support. Multiple phone calls and emails trying to figure out how to dodge the responsibility.

    Either way, I still can't do what I need to do. No one can give me a solution, or even a work-around. service@ is a full email account, but it is not a USER account. It is a SYSTEM account needed for our CRM's email connector. I can't have the user install an authenticator... there is no user! I can install it on my phone, but what do my coworkers do tomorrow when I call out???
