Azure mandates new users to use authentication app when 2FA is disabled.




I've just started doing IT support for a small business. When adding a new user to a PC, Windows demands they create 2FA using the Microsoft Authenticator phone app despite me having disabled it in as many places as I can. I don't think I have any overriding policies set up either. Attached photos of every configuration section I can find. Can anybody help?


Thanks.

Attachments: Authentication Methods Authentication Strengths.png, Authentication Methods Policies.png, Authentication Methods Settings.png, Authentication Methods.png, Devices Device Security.png, Multifactor Authentication.png

3 Replies

Hello @DanTeck,


Disabling 2FA is not recommended.


Can you give us more information on the Entra Conditional Access blade please?




The user account you are adding is a Microsoft account, not a local account. Microsoft accounts require 2FA by default, and you cannot disable it from the PC settings. You can either create a local account instead, or disable 2FA from the user’s Microsoft account settings.
The user account you are adding is part of an Azure Active Directory (AAD) tenant, and the tenant has enforced 2FA for all users. You can check this by going to the Azure portal and looking at the Security settings for the tenant. You can either disable 2FA for the user from the AAD portal, or contact the tenant administrator to change the policy.
The user account you are adding has previously enabled 2FA using the Microsoft Authenticator app, and the app is still registered as a verification method. You can remove the app from the user’s security info page, or delete the app from the user’s old phone before installing it on the new phone.