Forum Discussion
Disable MFA for User with certain admin roles
Hi Erik,
It sounds like you've covered all the usual bases for disabling MFA, but the persistent prompt suggests there might be another enforcement mechanism at play. Here are a few possibilities:
- Security Defaults – If your tenant has security defaults enabled, MFA is automatically enforced for all admins, including SharePoint administrators.
- Conditional Access Policies – Even if you've excluded the user from specific MFA policies, there might be a Conditional Access policy requiring MFA for SharePoint Online.
- Legacy Authentication Restrictions – Some legacy authentication methods may trigger an MFA prompt even if per-user MFA is disabled.
- Entra ID Role-Based MFA Enforcement – Microsoft Entra ID enforces MFA for certain privileged roles, including SharePoint administrators.
You might want to check the Microsoft Entra admin center to see if security defaults are enabled or if any Conditional Access policies are affecting this user. If security defaults are enabled, disabling them might resolve the issue. Microsoft enforces MFA for admins accessing admin portals through Conditional Access policies. This applies to roles such as Global Administrator, Exchange Administrator, Security Administrator, and SharePoint Administrator.
To check where this enforcement is configured, follow these steps in the Microsoft Entra admin center:
- Conditional Access Policies
  - Navigate to Identity > Conditional Access > Policies.
  - Look for policies enforcing MFA for Microsoft Admin Portals.
  - If enabled, this policy requires MFA for admins accessing portals like Microsoft Entra, Microsoft 365, Exchange, and Azure.
- Security Defaults
  - Go to Identity > Overview > Properties.
  - If Security Defaults are enabled, MFA is enforced for all admins, including SharePoint administrators.
- Admin Portals MFA Policy
  - Microsoft has a specific Conditional Access policy requiring MFA for admin portals.
  - This applies to Microsoft Entra, Exchange, Intune, Defender, and Microsoft 365 admin centers, but not yet to SharePoint or Teams admin centers.
If your SharePoint admin is still being prompted for MFA, check if they are covered under Security Defaults or another Conditional Access policy. Let me know if you need help troubleshooting further!
https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-old-require-mfa-admin-portal
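The checks described in the reply above can also be run over an export of the tenant's policies. The following is an added example, not part of the original reply: it evaluates which enforced mechanisms would demand MFA from one user, assuming the policies are in the shape of Microsoft Graph `conditionalAccessPolicy` objects. The function names, user, role and app IDs are constructed placeholders.

```python
import json

# Constructed sample in the shape of Microsoft Graph conditionalAccessPolicy
# objects. All IDs and names are placeholders, not values from a real tenant.
POLICIES = json.loads("""[
 {"displayName": "Require MFA for admin portals", "state": "enabled",
  "conditions": {"users": {"includeRoles": ["ROLE-SPO-ADMIN", "ROLE-GLOBAL-ADMIN"]},
                 "applications": {"includeApplications": ["MicrosoftAdminPortals"]}},
  "grantControls": {"builtInControls": ["mfa"]}},
 {"displayName": "MFA for SharePoint Online", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["USER-SPO-ADMIN"]},
                 "applications": {"includeApplications": ["APP-SHAREPOINT-ONLINE"]}},
  "grantControls": {"builtInControls": ["mfa"]}},
 {"displayName": "MFA everywhere (report-only)", "state": "enabledForReportingButNotEnforced",
  "conditions": {"users": {"includeUsers": ["All"]},
                 "applications": {"includeApplications": ["All"]}},
  "grantControls": {"builtInControls": ["mfa"]}},
 {"displayName": "Block legacy authentication", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"]},
                 "applications": {"includeApplications": ["All"]}},
  "grantControls": {"builtInControls": ["block"]}}
]""")

def in_scope(users, user_id, roles, groups):
    """Exclusions win over inclusions, as in Conditional Access evaluation."""
    get = lambda key: set(users.get(key) or [])
    if user_id in get("excludeUsers") or roles & get("excludeRoles") or groups & get("excludeGroups"):
        return False
    inc = get("includeUsers")
    return bool("All" in inc or user_id in inc
                or roles & get("includeRoles") or groups & get("includeGroups"))

def mfa_sources(policies, security_defaults, user_id, roles=(), groups=()):
    """List every enforced mechanism that would demand MFA from this user."""
    found = ["Security defaults"] if security_defaults else []
    for p in policies:
        grant = p.get("grantControls") or {}  # null for session-only policies
        wants_mfa = "mfa" in (grant.get("builtInControls") or []) or grant.get("authenticationStrength")
        if p.get("state") != "enabled" or not wants_mfa:
            continue  # disabled and report-only policies never prompt
        cond = p["conditions"]
        if in_scope(cond["users"], user_id, set(roles), set(groups)):
            apps = cond["applications"].get("includeApplications") or []
            found.append(f"{p['displayName']} -> {', '.join(apps)}")
    return found

if __name__ == "__main__":
    for line in mfa_sources(POLICIES, False, "USER-SPO-ADMIN", {"ROLE-SPO-ADMIN"}):
        print(line)
```

The sketch only matches user, role and group scope; it does not evaluate other conditions such as location, platform or client app, so a hit means the policy can apply to the user, not that it fires on every sign-in.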