Disable MFA if users have not registered in X amount of days

Hemant Agnesh
Frequent Visitor

Hi folks, is there a way to disable MFA for our hybrid user identities (on-prem AD users synced to Office 365/Azure AD) who have not registered for MFA in 'X' amount of days? Currently, we have a script enabling MFA for users based on group membership, but we would like to "time bound" the MFA registration component and, after this time period expires, disable MFA for the users who haven't registered.

PS: We are aware that this is achievable via Conditional Access Policy(s) (P1) or MFA Registration Enforcement Policy (Azure P2 feature) but that is our long term approach which will take some time to implement. Looking for some guidance if this can be band-aid fixed in the interim Office 365 hybrid environment.

1 Reply

There is no built-in functionality for this, but you should be able to do it via PowerShell. Get a report of all the users, check the MFA status, check if there are any MFA methods/details configured, and if not, disable MFA. You have to use the old MSOnline module though; the AzureAD one doesn't expose MFA details.
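The steps in the reply above, sketched with the MSOnline module as an added example (not part of the original thread). It assumes the existing enable script logs each user to a CSV with `UserPrincipalName` and `EnabledOn` columns; the file names, the `$GraceDays` default and the `-Apply` switch are hypothetical.

```powershell
# Added example: report (and optionally disable) per-user MFA for users who
# registered no method within $GraceDays of MFA being enabled for them.
param(
    [int]$GraceDays = 14,                      # the "X" from the question (assumed value)
    [string]$EnableLog = '.\mfa-enabled.csv',  # hypothetical log: UserPrincipalName,EnabledOn
    [switch]$Apply                             # without this switch, the script only reports
)

Import-Module MSOnline
Connect-MsolService

# Map UPN -> date MFA was turned on (assumption: the enable script records it)
$enabledOn = @{}
Import-Csv $EnableLog | ForEach-Object {
    $enabledOn[$_.UserPrincipalName.ToLower()] = [datetime]$_.EnabledOn
}
$cutoff = (Get-Date).AddDays(-$GraceDays)

# Users missing from the log are skipped rather than guessed at
$expired = Get-MsolUser -All | Where-Object {
    $upn = $_.UserPrincipalName.ToLower()
    $_.StrongAuthenticationRequirements.Count -gt 0 -and  # per-user MFA Enabled/Enforced
    $_.StrongAuthenticationMethods.Count -eq 0 -and       # no method registered
    $enabledOn.ContainsKey($upn) -and $enabledOn[$upn] -lt $cutoff
}

# Keep a record of every account that is about to lose its MFA requirement
$expired | Select-Object UserPrincipalName,
    @{n = 'MfaState';  e = { $_.StrongAuthenticationRequirements[0].State }},
    @{n = 'EnabledOn'; e = { $enabledOn[$_.UserPrincipalName.ToLower()] }} |
    Export-Csv .\mfa-unregistered.csv -NoTypeInformation

if ($Apply) {
    foreach ($u in $expired) {
        # An empty requirements array sets per-user MFA back to Disabled
        Set-MsolUser -UserPrincipalName $u.UserPrincipalName -StrongAuthenticationRequirements @()
        Write-Output "Disabled MFA for $($u.UserPrincipalName)"
    }
}
```

Run it without `-Apply` first and review `mfa-unregistered.csv` before making any change.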
