0
votes

I'm creating a set of hands-on lab users in my Azure AD for access to Azure Labs. We will reuse these user accounts (and reset the passwords after every lab session).

My challenge is that these users are being required to configure MFA. Which I THINK is called the Azure AD Interrupt Mode described here.

Is there a way to exclude this group of users from being required to set this up?

2
So we found a way where we still configure the MFA details but use Conditional Access policies to exclude requiring MFA upon sign-in. It works, but we still have to set the MFA details for each lab user... This workaround is quite a painful process, especially since there seems to be no way to bulk update the MFA details (e-mail and phone number) via PowerShell. I will share the details of this workaround if someone can confirm that this is the only way at the moment. - Rafferty

2 Answers

1
votes

I think this can be disabled entirely by navigating to Azure AD - Default Directory - Properties - Manage Security Defaults (right at the bottom of the page) - Enable Security Defaults - set it to No.

If it's on a per-user basis, then navigate to Azure AD - All users - Per User MFA - this will list all the users and then you can select "n" number of them to either enable or disable MFA.

0
votes

// Answering my own question and hope it helps someone.

The first and obvious step is to disable MFA. This is described in this link: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates

After this, however, you may still face the interrupt wizard as shared in the screenshot of the question above. This is due to Self-Service Password Reset (SSPR) being enabled. If SSPR is enabled, then MFA is still required for them to be able to do a password reset.

Solution 1: If you want SSPR enabled, then create a Conditional Access policy requiring MFA upon sign in.

  • This way, MFA is only triggered when user wants to do an SSPR.
  • For this lab user scenario, you will still have to set up MFA one time for each of the users (you may use the same contact details).

Extra note: I tried setting the MFA details by bulk using PowerShell. However, it is not possible to set an MSOL user object's StrongAuthenticationUserDetails property.

Solution 2: Disable SSPR or limit to selected users using AD groups

  • Don't include the lab users in the selected users group. Since SSPR is not allowed for these users, the extra MFA details won't be asked of these users anymore.
  • Drawback: The setting is to include user groups which should have SSPR. There's no option to exclude just the lab users.

Solution 2 works for me but may not work for everyone.
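As an added example (not code from the question or either answer), the script below audits the per-user MFA state of a lab group with the MSOnline module, the module the linked howto-mfa-userstates doc used at the time, and optionally applies the doc's "empty requirements array" call to turn per-user MFA off for exactly those accounts. It also reads each user's StrongAuthenticationUserDetails, which, as the second answer notes, can be read but not set through Set-MsolUser, so the report shows which lab users already have MFA contact details registered and which will still hit the SSPR-driven registration interrupt. The group name "Lab-Users" and the -Disable switch are assumptions for illustration; Microsoft has since deprecated MSOnline in favour of the Microsoft Graph PowerShell SDK, so treat this as the legacy-module form of the procedure.

```powershell
# Added example, not from the original post. Audits (and optionally disables)
# per-user MFA for the members of one Azure AD group using the MSOnline module.
# Assumptions: a group named "Lab-Users" exists and holds the lab accounts;
# the -Disable switch is illustrative. Without -Disable the script only reports.
param(
    [string]$LabGroupName = "Lab-Users",   # assumed group of lab accounts
    [switch]$Disable                        # report only unless this is set
)

Import-Module MSOnline
Connect-MsolService

$group = Get-MsolGroup -SearchString $LabGroupName | Select-Object -First 1
if (-not $group) { throw "Group '$LabGroupName' not found" }

$members = Get-MsolGroupMember -GroupObjectId $group.ObjectId -All
foreach ($m in $members) {
    $user = Get-MsolUser -ObjectId $m.ObjectId

    # StrongAuthenticationRequirements is empty when per-user MFA is disabled;
    # otherwise its State is "Enabled" or "Enforced".
    $state = if ($user.StrongAuthenticationRequirements.Count -gt 0) {
        $user.StrongAuthenticationRequirements[0].State
    } else {
        "Disabled"
    }

    # Readable here, but not settable via Set-MsolUser (the answer's point):
    # shows whether the user has already completed MFA registration.
    $details = $user.StrongAuthenticationUserDetails

    [pscustomobject]@{
        User       = $user.UserPrincipalName
        PerUserMfa = $state
        MfaPhone   = $details.PhoneNumber
        MfaEmail   = $details.Email
    }

    if ($Disable -and $state -ne "Disabled") {
        # Same call the linked doc uses to switch per-user MFA off:
        # assign an empty requirements array. Scoped to group members only.
        Set-MsolUser -ObjectId $user.ObjectId -StrongAuthenticationRequirements @()
    }
}
```

Run it first without -Disable to get the per-user report, confirm the group contains only the lab accounts, and then re-run with -Disable. Disabling per-user MFA does not by itself remove the registration interrupt when SSPR is enabled for those users, which is why the report also lists the registered phone and e-mail: a lab user with neither will still be prompted unless the SSPR scope excludes them (the answer's Solution 2) or a Conditional Access policy covers the sign-in (Solution 1).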