We occasionally need to disable MFA temporarily for users, only to turn it back on again after a short period of time.
We have scripts to enable it, but the following script to DISABLE MFA.
$sta = @()Set-MsolUser -UserPrincipalName $user -StrongAuthenticationRequirements $sta
The problem is it also "forgets" all of the user's configurations and forces them to re-setup everything again.
Is there a way to DISABLE MFA without forgetting the user's settings?
This is what we use to enable:
$st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement$st.RelyingParty = "*"$st.State = "Enforced"$sta = @($st)Set-MsolUser -UserPrincipalName $user -StrongAuthenticationRequirements $sta
What information is forgotten? can you write it into a different attribute then delete and pull it back in when re-enabling?