SOLVED
Home

Question on: MFA should be enabled on accounts with owner permissions on your subscription

%3CLINGO-SUB%20id%3D%22lingo-sub-836497%22%20slang%3D%22en-US%22%3EQuestion%20on%3A%20MFA%20should%20be%20enabled%20on%20accounts%20with%20owner%20permissions%20on%20your%20subscription%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-836497%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Everyone%2C%20we%20have%20an%20Azure%20emergency%20account%20that%20is%20not%20enabled%20for%20MFA%20and%20therefor%20this%20user%20shows%20up%20on%20the%20%22MFA%20should%20be%20enabled%20on%20accounts%20with%20owner%20permissions%20on%20your%20subscription%3CSPAN%3E%22%20Warning.%20Is%20there%20a%20way%20to%20exclude%20just%20a%20single%20user%20from%20this%20policy%20or%20do%20I%20have%20to%20disable%20this%20security%20completely%3F%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3ERegards%2C%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EGunter%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-836497%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3Emfa%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-836646%22%20slang%3D%22en-US%22%3ERe%3A%20Question%20on%3A%20MFA%20should%20be%20enabled%20on%20accounts%20with%20owner%20permissions%20on%20your%20subscription%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-836646%22%20slang%3D%22en-US%22%3E%3CP%3EHello%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F99256%22%20target%3D%22_blank%22%3E%40Gunter%20Danzeisen%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3Eyou%20cannot%20exclude%20the%20account%20from%20the%20policy.%26nbsp%3B%3C%2FP%3E%0A%3CP%3EOn%20the%20other%20hand%2C%20I%20always%20suggest%20other%20ways%20to%20bypass%20the%20MFA.%3C%2FP%3E%0A%3CP%3Eone%20way%20is%20to%20create%20a%20trusted%20location%20in%20conditional%20access%20or%20just%20add%20the%20trusted%20IPs%20at%20the%20Office%20365%20MFA%20page.%20Then%20create%20a%20rule%20for%20this%20account%20to%20exclude%20MFA%20on%20trusted%20locations.%3C%2FP%3E%0A%3CP%3EAn%20other%20way%20is%20to%20create%20a%20%22back%20door%22%20account%2C%20as%20Dr%20Nestori%20suggests%20%3A%26nbsp%3B%3CA%20href%3D%22http%3A%2F%2Fo365blog.com%2Fpost%2Faadbackdoor%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttp%3A%2F%2Fo365blog.com%2Fpost%2Faadbackdoor%2F%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Gunter Danzeisen
Occasional Contributor

Hi Everyone, we have an Azure emergency account that is not enabled for MFA and therefor this user shows up on the "MFA should be enabled on accounts with owner permissions on your subscription" Warning. Is there a way to exclude just a single user from this policy or do I have to disable this security completely?

Regards,

Gunter

1 Reply
Highlighted
Solution

Hello @Gunter Danzeisen 

you cannot exclude the account from the policy. 

On the other hand, I always suggest other ways to bypass the MFA.

one way is to create a trusted location in conditional access or just add the trusted IPs at the Office 365 MFA page. Then create a rule for this account to exclude MFA on trusted locations.

An other way is to create a "back door" account, as Dr Nestori suggests : http://o365blog.com/post/aadbackdoor/

Related Conversations