Exclude MFA requirement temporarily


When we configure a replacement device, we disable MFA for the user temporarily so that we can work on the device/account. We add the user to an AAD group which is excluded in the MFA conditional access policy. When done working, we remove them from the group, and MFA is enabled again.


We just had an incident where a large group of users was added to this exclusion by accident. We also find users added to this group that get forgotten for days/weeks. This is obviously not ideal. We can do a few things to improve our internal process, but I'm just wondering what others are doing to disable MFA in these situations? It would be really cool if we could disable MFA temporarily for a user and Azure automatically enabled it again after 24 hours or something.

2 Replies
This - Thanks for the tip! It requires 2 steps - to enable TAP on the 365 admin side for users, but also to push a policy to all the devices allowing web sign in. Once deployed, it seems to be exactly what we need to avoid disabling MFA for the users. It also will prevent us from having to change the user's password to work on their computer, so an added time save!
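For teams that keep the group-exclusion approach from the original question, the automatic "re-enable after 24 hours" the poster asked for can be scripted. The following is an added example (not from the thread or from Microsoft) using the Microsoft Graph PowerShell SDK; it assumes a known object id for the exclusion group (placeholder below), a JSON ledger file at an assumed path, and a scheduled task that runs `Remove-ExpiredMfaExclusions` hourly. Anyone found in the group without a ledger entry is treated as added out of process and removed, which is what would have caught the accidental bulk add.

```powershell
# Added example: time-boxed membership in a CA-policy MFA exclusion group.
# Assumptions: Microsoft.Graph modules installed; $ExclusionGroupId is your group's object id.
$ExclusionGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: exclusion group object id
$LedgerPath       = 'C:\ProgramData\MfaExclusionLedger.json' # assumed ledger location

Connect-MgGraph -Scopes 'GroupMember.ReadWrite.All','User.Read.All' -NoWelcome

function Read-Ledger {
    if ((Test-Path $LedgerPath) -and (Get-Content $LedgerPath -Raw)) {
        @(Get-Content $LedgerPath -Raw | ConvertFrom-Json)
    } else { @() }
}
function Write-Ledger($Entries) {
    ConvertTo-Json -InputObject @($Entries) -Depth 3 | Set-Content $LedgerPath
}

# Exclude one user from MFA for a bounded window (default 24 h) and record it in the ledger.
function Add-TemporaryMfaExclusion {
    param([Parameter(Mandatory)][string]$UserPrincipalName, [int]$Hours = 24, [string]$Reason)
    $user    = Get-MgUser -UserId $UserPrincipalName -Property Id,UserPrincipalName
    $expires = (Get-Date).AddHours($Hours)
    New-MgGroupMember -GroupId $ExclusionGroupId -DirectoryObjectId $user.Id
    $ledger  = Read-Ledger | Where-Object { $_.UserId -ne $user.Id }   # replace any older entry
    Write-Ledger ($ledger + [pscustomobject]@{
        UserId = $user.Id; Upn = $user.UserPrincipalName; Reason = $Reason
        ExpiresAt = $expires.ToString('o') })
    Write-Host "Excluded $UserPrincipalName from MFA until $($expires.ToString('o'))"
}

# Scheduled cleanup: remove expired entries and any member with no ledger entry at all.
function Remove-ExpiredMfaExclusions {
    $now     = Get-Date
    $ledger  = Read-Ledger
    $members = Get-MgGroupMember -GroupId $ExclusionGroupId -All
    foreach ($m in $members) {
        $entry = $ledger | Where-Object { $_.UserId -eq $m.Id }
        if ($entry -and ([datetime]$entry.ExpiresAt) -gt $now) { continue }   # still inside window
        $why = if ($entry) { "expired $($entry.ExpiresAt)" } else { 'no ledger entry (added out of process)' }
        Write-Warning "Removing $($m.Id) from exclusion group: $why"
        Remove-MgGroupMemberByRef -GroupId $ExclusionGroupId -DirectoryObjectId $m.Id
    }
    # Keep only ledger rows that are unexpired and still correspond to a group member.
    Write-Ledger ($ledger | Where-Object { $_.UserId -in $members.Id -and ([datetime]$_.ExpiresAt) -gt $now })
}
```

The removal step only restores the normal conditional access policy; it does not touch the user's registered authentication methods, so MFA resumes without the user re-registering.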