May 01 2023 02:53 PM
When we configure a replacement device, we disable MFA for the user temporarily so that we can work on the device/account. We add the user to an AAD group which is excluded in the MFA conditional access policy. When done working, we remove them from the group, and MFA is enabled again.
We just had an incident where a large group of users was added to this exclusion by accident. We also find users added to this group that get forgotten for days/weeks. This is obviously not ideal. We can do a few things to improve our internal process, but I'm just wondering what others are doing to disable MFA in these situations? It would be really cool if we could disable MFA temporarily for a user and Azure automatically enabled it again after 24 hours or something.
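One way to catch forgotten exclusions automatically, as an added example that is not from this thread: a PowerShell script using the Microsoft Graph PowerShell SDK that lists the members of the MFA exclusion group, looks up when each was added from the "Add member to group" audit events, and reports (or, with -Remove, removes) anyone older than a threshold. The group id is a placeholder and the 24-hour threshold is an assumption.

```powershell
# Added example. Assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Groups,
# Microsoft.Graph.Reports) and a signed-in account that can read audit logs and
# modify the exclusion group. $ExclusionGroupId is a placeholder, not a real id.
param(
    [string]$ExclusionGroupId = "00000000-0000-0000-0000-000000000000",
    [int]$MaxHours = 24,
    [switch]$Remove   # without this switch the script only reports
)

Connect-MgGraph -Scopes "GroupMember.ReadWrite.All", "AuditLog.Read.All"

$cutoff = (Get-Date).ToUniversalTime().AddHours(-$MaxHours)
# Directory audit retention is limited (about 30 days), so look back that far.
$since  = (Get-Date).ToUniversalTime().AddDays(-30).ToString("yyyy-MM-ddTHH:mm:ssZ")

$addEvents = Get-MgAuditLogDirectoryAudit -All -Filter `
    "activityDisplayName eq 'Add member to group' and activityDateTime ge $since"

# Map user id -> most recent time that user was added to the exclusion group.
$addedAt = @{}
foreach ($e in $addEvents) {
    # The event carries the target group id in a 'Group.ObjectID' modified property.
    $hitsGroup = $e.TargetResources | Where-Object {
        $_.ModifiedProperties | Where-Object {
            $_.DisplayName -eq 'Group.ObjectID' -and $_.NewValue -like "*$ExclusionGroupId*" }
    }
    if (-not $hitsGroup) { continue }
    foreach ($t in ($e.TargetResources | Where-Object { $_.Type -eq 'User' })) {
        if (-not $addedAt.ContainsKey($t.Id) -or $e.ActivityDateTime -gt $addedAt[$t.Id]) {
            $addedAt[$t.Id] = $e.ActivityDateTime
        }
    }
}

foreach ($m in (Get-MgGroupMember -GroupId $ExclusionGroupId -All)) {
    $upn = $m.AdditionalProperties['userPrincipalName']
    if ($addedAt.ContainsKey($m.Id)) {
        $when  = $addedAt[$m.Id]
        $state = if ($when -lt $cutoff) { 'EXPIRED' } else { 'ok' }
    } else {
        # No add event inside the retention window: the member predates it, so treat as expired.
        $when = $null; $state = 'EXPIRED (no recent add event)'
    }
    Write-Output ("{0,-40} added={1,-22} {2}" -f $upn, $when, $state)
    if ($Remove -and $state -like 'EXPIRED*') {
        Remove-MgGroupMemberByRef -GroupId $ExclusionGroupId -DirectoryObjectId $m.Id
        Write-Output "  removed $upn from exclusion group"
    }
}
```

Run it on a schedule in report-only mode first so the membership list and add times can be checked before enabling -Remove.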
May 02 2023 08:10 AM
May 11 2023 02:37 PM