MFA Shows Disabled, But Being Used

Copper Contributor

When I visit Azure Active Directory -> Users -> Multi-Factor Authentication, our initial accounts show "Multi-Factor Auth Status" as "Disabled", but we are seeing MFA prompts.  I find it confusing that something shows "disabled" that is really turned on somehow???  Is there more than one type of MFA?


We just received a trial for G1 as part of building a use case for moving to Office 365.  I setup the tenant space by confirming our identity and I am a Global Administrator.  I was prompted to setup MFA on my second logon, but I don't recall being offered any option other than text message.  My understanding is that I had to turn on MFA for our accounts so I just setup SMS to get logged on the second time.

24 Replies
I'll haveaa look into that next time I get a chance!

Thanks for your update!

@LibraryITGuy   I found the Password Reset was "selected" to all users in our company, maybe it causes the MFA prompts even if it shows Disabled in the M365 admin portal. The security default is disabled.


Another issue is, if the user lost his mobile phone and need to reset MFA, where should I reset it ?  Usually, I set it in the M365 MFA portal ->Manage user settings-> ticked all the three selections, and then save.   


" Require selected users to provide contact methods again

  Delete all existing app passwords generated by the selected users

  Restore multi-factor authentication on all remembered devices "



But now I got the error: 

"MFA methods can’t be removed for the currently signed-in user account. Please visit for self operations."  The url redirects to my account profile->security info.   I know that I can delete the MFAed device, while if I already lost my mobile phone, how can I login to my account to do that by myself?

@Germaum thank you a lot! Worked perfectly.

@LibraryITGuy- this was a great help, I was going crazy with this login loop issue, I'm an admin as well as a user so I think since I was set for MFA automatically (?) this started acting up as soon as I migrated to Win 11 for some reason. Removing MFA on my login made no difference until I tried your solution.


Anyone trying this solution be aware it can take quite a few minutes to take effect.

Thanks, this was it for me. It was not the Device MFA settings or the legacy setting or the CA. It was the Identity Protection