Forum Discussion
Disable MFA for User with certain admin roles
Hello all,
We have a user with the SharePoint administrator role and a self-built application support manager role (the user is allowed to create apps in Azure). We are now at a point where this user has to register an app for our helpdesk tool, but we have to remove the MFA for the registration. We excluded the user from the "MFA is mandatory for all users"-policy, the "MFA is mandatory for admins"-policy and set his MFA in the MFA-per-user setting to disabled. We have no other policy that enforces MFA for this user.
When we try to log in with the user (under http://www.office.com), we still get the request to register MFA Authenticator.
I am aware that MS enforced MFA for admins when they try to log in to the admin portals. Does this also apply to SharePoint admins?
Does anyone have an idea where the MFA request for this user could come from?
Any help is appreciated.
Cheers,
Erik
2 Replies
The requirement applies to all users, regardless of any admin roles assigned. But for the time being, it is for specific admin portals/tools only. If you are seeing the same behavior when accessing "end user" pages, likely the prompt is due to the Self-service password registration flow, or one of the features outlined here: https://learn.microsoft.com/en-us/answers/questions/645850/what-are-the-services-settings-that-can-cause-mfa
- subhashsurana23 (Copper Contributor)
Hi Erik,
It sounds like you've covered all the usual bases for disabling MFA, but the persistent prompt suggests there might be another enforcement mechanism at play. Here are a few possibilities:
- Security Defaults – If your tenant has security defaults enabled, MFA is automatically enforced for all admins, including SharePoint administrators.
- Conditional Access Policies – Even if you've excluded the user from specific MFA policies, there might be a Conditional Access policy requiring MFA for SharePoint Online.
- Legacy Authentication Restrictions – Some legacy authentication methods may trigger an MFA prompt even if per-user MFA is disabled.
- Entra ID Role-Based MFA Enforcement – Microsoft Entra ID enforces MFA for certain privileged roles, including SharePoint administrators.
You might want to check the Microsoft Entra admin center to see if security defaults are enabled or if any Conditional Access policies are affecting this user. If security defaults are enabled, disabling them might resolve the issue. Microsoft enforces MFA for admins accessing admin portals through Conditional Access policies. This applies to roles such as Global Administrator, Exchange Administrator, Security Administrator, and SharePoint Administrator.
To check where this enforcement is configured, follow these steps in the Microsoft Entra admin center:
- Conditional Access Policies
  - Navigate to Identity > Conditional Access > Policies.
  - Look for policies enforcing MFA for Microsoft Admin Portals.
  - If enabled, this policy requires MFA for admins accessing portals like Microsoft Entra, Microsoft 365, Exchange, and Azure.
- Security Defaults
  - Go to Identity > Overview > Properties.
  - If Security Defaults are enabled, MFA is enforced for all admins, including SharePoint administrators.
- Admin Portals MFA Policy
  - Microsoft has a specific Conditional Access policy requiring MFA for admin portals.
  - This applies to Microsoft Entra, Exchange, Intune, Defender, and Microsoft 365 admin centers, but not yet to SharePoint or Teams admin centers.
If your SharePoint admin is still being prompted for MFA, check if they are covered under Security Defaults or another Conditional Access policy. Let me know if you need help troubleshooting further!
https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-old-require-mfa-admin-portal
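An added example, not part of the thread and not Microsoft tooling: the Conditional Access and security defaults check described in the reply above, written in Python against a constructed export shaped like Microsoft Graph conditionalAccessPolicy objects, so that policies still reaching an account through a role or group after user-level exclusions become visible. The ids, policy names, the `securityDefaultsEnabled` wrapper key and the function names are assumptions; authentication strengths and guest conditions are not evaluated.

```python
import json

# Constructed export shaped like Microsoft Graph conditionalAccessPolicy objects.
# Ids, names and the "securityDefaultsEnabled" wrapper key are assumptions.
EXPORT = json.loads("""
{"securityDefaultsEnabled": false, "policies": [
 {"displayName": "MFA is mandatory for all users", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["user-admin-1"]},
                 "applications": {"includeApplications": ["All"]}},
  "grantControls": {"builtInControls": ["mfa"]}},
 {"displayName": "MFA is mandatory for admins", "state": "enabled",
  "conditions": {"users": {"includeRoles": ["role-sharepoint-admin"],
                           "excludeUsers": ["user-admin-1"]},
                 "applications": {"includeApplications": ["All"]}},
  "grantControls": {"builtInControls": ["mfa"]}},
 {"displayName": "Require MFA for admin portals", "state": "enabled",
  "conditions": {"users": {"includeGroups": ["group-it-staff"]},
                 "applications": {"includeApplications": ["MicrosoftAdminPortals"]}},
  "grantControls": {"builtInControls": ["mfa"]}},
 {"displayName": "Pilot MFA for Office 365", "state": "enabledForReportingButNotEnforced",
  "conditions": {"users": {"includeUsers": ["All"]},
                 "applications": {"includeApplications": ["Office365"]}},
  "grantControls": {"builtInControls": ["mfa"]}}
]}
""")

def in_scope(users, uid, roles, groups):
    """True if the user condition includes the account and no exclusion removes it."""
    mine = {uid, *roles, *groups}
    def listed(prefix):
        return {v for k in ("Users", "Roles", "Groups") for v in users.get(prefix + k) or []}
    included = "All" in (users.get("includeUsers") or []) or bool(mine & listed("include"))
    return included and not (mine & listed("exclude"))

def mfa_sources(export, uid, roles=(), groups=()):
    """Return (source, target apps, state) for everything that can ask this account for MFA."""
    hits = []
    if export.get("securityDefaultsEnabled"):
        hits.append(("Security defaults", ["All"], "enabled"))
    for p in export["policies"]:
        controls = (p.get("grantControls") or {}).get("builtInControls") or []
        if p["state"] == "disabled" or "mfa" not in controls:
            continue  # policy is off or does not grant on MFA
        if in_scope(p["conditions"]["users"], uid, roles, groups):
            apps = p["conditions"]["applications"].get("includeApplications", [])
            hits.append((p["displayName"], apps, p["state"]))
    return hits

if __name__ == "__main__":
    print(mfa_sources(EXPORT, "user-admin-1", ["role-sharepoint-admin"], ["group-it-staff"]))
```

Entries whose state is `enabledForReportingButNotEnforced` are evaluated and logged but do not prompt, so only the `enabled` rows explain an actual MFA request.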