Intro
By default, new Microsoft Entra tenants will have MFA enforced for all users and prompt them to set up Microsoft Authenticator on first sign-in. While this is great for security, it can be cumbersome in some cases (e.g. user can't download Authenticator), so some administrators may wish to exclude certain user accounts from this requirement. With a handful of steps and a little bit of patience, you can configure this in Microsoft Entra.
We'll do this by creating a security group that we can add users to, and then configuring this group as an exclusion for a few different settings. By using this method, we can leave all of Entra's Security Defaults in place for the tenant, and only target the users we know we specifically want to override them for.
Note: you should understand and consider the risks of disabling MFA for certain users before proceeding. We strongly recommend that all users with a directory role (e.g. Global Administrators, Security Administrators) always have MFA configured.
Step-by-Step
1. Log in to the Microsoft Entra admin center with an administrator account
2. From the left-hand nav menu, scroll to Groups > Overview

3. From the Overview page, click New group

4. Leave the Group type as Security, and give your group a name (we're calling ours "ExcludeMFA"). You can also provide a description if desired. We recommend leaving all of the other settings at their defaults

5. When ready, click Create. Keep in mind, when you are returned to the Groups page, you may need to refresh the page to see your new group
6. From the left-hand nav menu, scroll to Protection > Authentication methods

7. From Authentication methods | Policies, click on the Microsoft Authenticator method

8. In Microsoft Authenticator settings, click on the Exclude tab, and click Add groups

9. In the Add groups dialog, check the box next to the security group you just created ("ExcludeMFA" for our example), click Select, and then Save

10. Back on the Authentication methods | Policies page, click on the Registration campaign tab

11. Next to Settings, click Edit and then Add users and groups
12. In the Add groups dialog, check the box next to the security group you just created ("ExcludeMFA" for our example), click Select, and then Save
13. Back on the Authentication methods | Registration campaign page, click on the Settings tab

14. Under System-preferred multifactor authentication, click on Exclude > Select group
15. In the Select group dialog, check the box next to your security group, click Select and then Save

16. You're now ready to add users to your security group! You can either do this individually or in bulk by navigating to Users > All Users
17. On the Users page, select the users you want to add to the group, and then click Edit (Preview) > Add to group

18. In the Add to group dialog, check the box next to your security group and click Select

19. You'll also be able to add new users to this group immediately while creating them. When creating a new user, click Add group on the Assignments page and select the group

IMPORTANT:
Keep in mind, these settings will NOT take effect immediately. It usually takes ~10 minutes for the security settings to propagate, and if a user signs in for the first time before then, they'll still be prompted to set up Microsoft Authenticator. After this time though, they should no longer be taken through the setup prompts!
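Since the note in the intro recommends that accounts with a directory role always keep MFA, it is worth checking the exclusion group against that rule from time to time. The script below is an added example, not part of the original walkthrough; it assumes the Microsoft Graph PowerShell SDK is installed and that the group is named "ExcludeMFA" as in the steps above.

```powershell
# Added example: list members of the MFA exclusion group who hold an
# active directory role (e.g. Global Administrator).
# Assumptions: Microsoft.Graph PowerShell SDK installed; group named "ExcludeMFA".
$GroupName = 'ExcludeMFA'

# Read-only directory access is enough for this audit.
Connect-MgGraph -Scopes 'Directory.Read.All'

$group = @(Get-MgGroup -Filter "displayName eq '$GroupName'")
if ($group.Count -ne 1) {
    throw "Expected exactly one group named '$GroupName', found $($group.Count)."
}

# Transitive lookup so users who arrive through a nested group are included.
$users = Get-MgGroupTransitiveMember -GroupId $group[0].Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' }

$findings = foreach ($user in $users) {
    # The lookup returns groups, directory roles and administrative units; keep roles only.
    $roles = Get-MgUserTransitiveMemberOf -UserId $user.Id -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' } |
        ForEach-Object { $_.AdditionalProperties['displayName'] }

    if ($roles) {
        [pscustomobject]@{
            UserPrincipalName = $user.AdditionalProperties['userPrincipalName']
            DirectoryRoles    = ($roles -join '; ')
        }
    }
}

if ($findings) {
    Write-Warning "$(@($findings).Count) excluded account(s) hold a directory role:"
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No member of '$GroupName' holds an active directory role."
}
```

Any account the script lists should be removed from the exclusion group or have its directory role removed. Role assignments that are only eligible through Privileged Identity Management, and not currently activated, are not active memberships and will not appear in this output.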
Conclusion
While excluding certain users from MFA in Microsoft Entra may not be the most straightforward process, the good news is you only need to follow these steps once. Now that you have a security group just for this purpose, adding users to this group only takes a few clicks! Thanks for reading, and for all of your Microsoft consulting and licensing needs, contact Cosmistack!