cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Exclude MFA requirement temporarily

Eric_H
Iron Contributor

‎May 01 2023 02:53 PM

‎May 01 2023 02:53 PM

Exclude MFA requirement temporarily

When we configure a replacement device, we disable MFA for the user temporarily so that we can work on the device/account.  We add the user to an AAD group which is excluded in the MFA conditional access policy.   When done working, we remove them from the group, and MFA is enabled again. 

 

We just had an incident where a large group of users was added to this exclusion by accident.  We also find users added to this group that get forgotten for days/weeks.  This is obviously not ideal.  We can do a few things to improve our internal process, but I'm just wondering what others are doing to disable MFA in these situations?  It would be really cool if we could disable MFA temporarily for a user and Azure automatically enabled it again after 24 hours or something.  

Labels:
1,311 Views
0 Likes
2 Replies
Reply
2 Replies
Eric_H

‎May 11 2023 02:37 PM

‎May 11 2023 02:37 PM

Re: Exclude MFA requirement temporarily

This - Thanks for the tip! It requires 2 steps - to enable TAP on the 365 admin side for users, but also to push a policy to all the devices allowing web sign in. Once deployed, it seems to be exactly what we need to avoid disabling MFA for the users. It also will prevent us from having to change the user's password to work on their computer, so an added time save!
0 Likes
Reply