Microsoft Security Tech Accelerator
Dec 06 2023, 07:00 AM - 12:00 PM (PST)
Microsoft Tech Community

Disable MFA if users have not registered in X amount of days

Copper Contributor

Hi Folks, is there a way to Disable MFA for out hybrid user identities (on-prem AD users synced to office 365/azure AD) who have not registered in 'X' amount of days for MFA. Currently, we have a script enabling MFA for users based on group membership but we would like to "time bound" the MFA registration component and after this time period expires, disable MFA for these users who haven't registered.

PS: We are aware that this is achievable via Conditional Access Policy(s) (P1) or MFA Registration Enforcement Policy (Azure P2 feature) but that is our long term approach which will take some time to implement. Looking for some guidance if this can be band-aid fixed in the interim Office 365 hybrid environment.

1 Reply

There is no built-in functionality for this, but you should be able to do it via PowerShell. Get a report of all the users, check the MFA status, check if there are any MFA methods/details configured, and if not, disable MFA. You have to use the old MSOnline module though, the AzureAD one doesn't expose MFA details.