Disable MFA for a Single User Using Conditional Access Policy in Azure AD

So you want to disable MFA for a single user? It may be for a special case, or a temporary exception while you configure something.
A well-executed MFA deployment is the shield that keeps attackers out of M365. In a few cases, though, such as a break-glass account or an account that runs unattended scripts, that shield has to be lifted for one identity. So how do you exempt a specific account from MFA? That is where Conditional Access policies come in.
Conditional Access lets you require MFA for everyone and carve out a single user, so you can handle the exception without weakening the posture for the rest of the tenant.
So, let's learn how to disable MFA for a single user using a Conditional Access policy.
Choose CA Policies to Disable MFA for a Single User
While Security defaults provide a robust baseline for the whole tenant, they offer no way to customize MFA for individual accounts. To get that granularity, organizations use Conditional Access (CA) policies.
An Azure AD P1 or P2 license (now sold as Microsoft Entra ID P1/P2) is the only prerequisite for creating a Conditional Access policy.
Points to remember: turn off Security defaults if they are enabled for your tenant. Security defaults and Conditional Access policies cannot be used at the same time.
Disable MFA for a Single User Using Conditional Access Policies
To require MFA for your organization and exclude a specific user from it, follow the steps below.
- First, sign in to the Microsoft Entra admin center.
- Then, navigate to the 'Protection' drop-down and select 'Conditional Access'.
- Click '+ Create new policy' and give your policy a suitable name.
- Under Assignments > Users, add 'All users' in the Include section and choose the exempted account in the Exclude section.
- Under Target resources, select 'All cloud apps'. The exclusion has to apply to something, and a policy with no target resource does nothing.
- Under Access controls > Grant, select 'Require multifactor authentication' and click 'Select' to confirm your choice.
- Finally, set the policy to 'On' (or to 'Report-only' first, if you want the sign-in logs to show who it would affect before enforcing it) and click 'Create'.

Thus, a Conditional Access policy that requires MFA for everyone except the specified account has been created, and that user is no longer prompted for multifactor authentication by this policy. Keep in mind that the excluded account is now a standing exception: give it a long, unique password, keep the exclusion list as short as possible, and review the sign-in logs for that account regularly.
That was easy!
Note:
If your organization already has Conditional Access (CA) policies in place, create a new one rather than editing an existing policy. Every policy that applies to a sign-in is evaluated and all of their controls must be satisfied, so an exclusion in one policy does not override a 'Require multifactor authentication' in another; the account has to be excluded from every policy that requires MFA. The same holds for per-user (legacy) MFA: if the account is enabled or enforced there, a Conditional Access exclusion does not remove that prompt.
Another Way – Users/Groups Sign-in to Resources via Trusted Network
Apart from the case above, you can skip MFA for users or groups under certain conditions. For example, a CA policy can skip MFA for a user or a group of members when they access critical resources from a trusted office network.
To achieve this, create a named location containing the office IP range and mark it as trusted. Then, in the policy's Conditions > Locations blade, include 'Any location' and exclude the named location, targeting the selected users or groups based on your requirements.

The configured policy will not prompt those users or groups for MFA when they access the resources from the trusted office network. When the same users access the same resources from outside the office network, they will still be required to complete MFA.
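Both policies described above, the tenant-wide MFA policy with a single excluded account and the group policy with a trusted-location exclusion, can also be created from Microsoft Graph PowerShell. The block below is an added example and is not from the original post; it assumes the Microsoft.Graph module is installed, the signed-in admin can consent to the listed scopes, and the UPN, group name and IP range are placeholders to replace with your own. It creates both policies in report-only state and finishes with the check a practitioner wants: a list of enabled MFA policies that still catch the excluded account.

```powershell
# Added example, not from the original post. Placeholders: breakglass@contoso.com, "Finance", 203.0.113.0/24.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "User.Read.All", "Group.Read.All"

# Security defaults and Conditional Access are mutually exclusive; stop early if they are still on.
if ((Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy).IsEnabled) {
    throw "Security defaults are enabled; turn them off before creating Conditional Access policies."
}

# --- Case 1: require MFA for everyone, exempt a single account ---
$exemptUser = Get-MgUser -UserId "breakglass@contoso.com"   # placeholder UPN

$mfaAllUsers = @{
    displayName   = "CA001 - Require MFA for all users (break glass excluded)"
    state         = "enabledForReportingButNotEnforced"   # report-only first; flip to "enabled" after reviewing sign-in logs
    conditions    = @{
        users        = @{
            includeUsers = @("All")
            excludeUsers = @($exemptUser.Id)                # exclusions are by object ID, not UPN
        }
        applications = @{ includeApplications = @("All") }  # "All cloud apps"
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
$policy1 = New-MgIdentityConditionalAccessPolicy -BodyParameter $mfaAllUsers

# --- Case 2: require MFA for a group, except from the trusted office network ---
$office = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Head office"
    isTrusted     = $true
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.0/24" }   # placeholder range
    )
}
$finance = Get-MgGroup -Filter "displayName eq 'Finance'" | Select-Object -First 1   # placeholder group

$mfaOffNetwork = @{
    displayName   = "CA002 - Require MFA for Finance outside the office"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeGroups = @($finance.Id) }
        applications = @{ includeApplications = @("All") }
        locations    = @{
            includeLocations = @("All")          # "Any location"
            excludeLocations = @($office.Id)     # the trusted named location
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
$policy2 = New-MgIdentityConditionalAccessPolicy -BodyParameter $mfaOffNetwork

# --- Check: all applicable policies are evaluated together, so any other enabled policy that
# requires MFA and does not exclude the account will still prompt it. List those policies.
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object {
        $_.State -eq "enabled" -and
        $_.GrantControls.BuiltInControls -contains "mfa" -and
        $_.Conditions.Users.ExcludeUsers -notcontains $exemptUser.Id
    } |
    Select-Object DisplayName, Id
```

If the final query returns anything, the "exempt" account is not exempt yet; add it to those policies' exclusions (or confirm they should keep applying) before switching `state` to `enabled`.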
Match an M365 Cloud Account with Local AD

OK, so you need to Match an M365 Cloud Account with Local AD? You just realized you created cloud-only accounts for a bunch of users in your M365 tenant, but those users need access to local AD resources because you run a hybrid environment.
You are just not ready yet to pull the trigger and go "cloud only". Don't worry, you are not alone. I am here to help.
Reasons to Match an M365 Cloud Account with Local AD
There are many reasons to do this; I can think of two. One, you are still running an on-premises Exchange Server, and the accounts you created in the cloud need to be in distribution groups that only exist locally.
Two, the same goes for AD security groups and other attributes that can only be managed through local AD.
The Easiest Way to Achieve This
The easiest way to Match an M365 Cloud Account with Local AD is to create an account in your local AD with the minimum attributes needed for what is called a "soft match": the same userPrincipalName and the same primary SMTP address (proxyAddresses) as the cloud account, placed in an OU that Entra Connect synchronizes. On the next sync cycle Entra Connect recognizes the two as the same object, links them by stamping the ImmutableId on the cloud object, and from then on the account is mastered on-premises: synced attributes, including group membership, are edited in local AD and flow up to the cloud. Voila, the user exists in both places, and you don't have to rack your brain about it anymore!
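The soft match described above, as an added example that is not from the original post: it pre-stages the on-premises account with the matching UPN and primary SMTP address, checks the things that silently break a soft match (the cloud object already synced, the UPN suffix not a verified domain), triggers a delta sync and confirms the cloud object is now mastered from AD. It assumes the ActiveDirectory, ADSync and Microsoft.Graph modules are available on the machine you run it from, and the UPN and OU are placeholders.

```powershell
# Added example, not from the original post. Placeholders: jsmith@contoso.com and the target OU.
Import-Module ActiveDirectory
Connect-MgGraph -Scopes "User.Read.All", "Domain.Read.All"

$upn = "jsmith@contoso.com"                       # the cloud-only account to match
$ou  = "OU=Users,DC=corp,DC=contoso,DC=com"        # must be inside Entra Connect's sync scope

# 1. Read the cloud object. Soft match keys off userPrincipalName and the primary SMTP address.
$cloud = Get-MgUser -UserId $upn -Property Id,UserPrincipalName,Mail,ProxyAddresses,OnPremisesSyncEnabled,OnPremisesImmutableId
if ($cloud.OnPremisesSyncEnabled) { throw "$upn is already synced from on-premises; nothing to match." }
if ($cloud.OnPremisesImmutableId) {
    Write-Warning "$upn already has an ImmutableId; Entra Connect will hard match on that value instead of soft matching."
}

# 2. The UPN suffix must be a verified domain, otherwise the synced UPN is rewritten to the .onmicrosoft.com domain.
$suffix = $upn.Split("@")[1]
if (-not (Get-MgDomain -DomainId $suffix).IsVerified) { throw "$suffix is not a verified domain in this tenant." }

# 3. Create the on-prem account with the matching attributes (case-sensitive SMTP: prefix marks the primary address).
$sam     = $upn.Split("@")[0]
$primary = $cloud.ProxyAddresses | Where-Object { $_ -clike "SMTP:*" } | Select-Object -First 1
if (-not $primary) { $primary = "SMTP:$($cloud.Mail)" }

New-ADUser -Name $sam -SamAccountName $sam -UserPrincipalName $upn -Path $ou `
    -EmailAddress $primary.Substring(5) `
    -OtherAttributes @{ proxyAddresses = @($primary) } `
    -Enabled $true -AccountPassword (Read-Host "Initial password for $sam" -AsSecureString)

# 4. Run a delta sync and confirm the cloud object is now linked to the on-prem one.
Import-Module ADSync
Start-ADSyncSyncCycle -PolicyType Delta
Start-Sleep -Seconds 120
Get-MgUser -UserId $upn -Property UserPrincipalName,OnPremisesSyncEnabled,OnPremisesImmutableId |
    Select-Object UserPrincipalName, OnPremisesSyncEnabled, OnPremisesImmutableId   # expect True and a non-empty ImmutableId
```

Once the match has happened, cloud-side edits to synced attributes (display name, proxyAddresses, group membership) are blocked, so do any remaining cleanup of the account in local AD. If you use password hash sync, the on-prem password also replaces the cloud one on the next sync.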
One Way to Share Data from VB.Net to PowerShell

Sometimes you need to share data from VB.Net to PowerShell. It is not enough for one to help the other; they need to go back and forth, kind of like a good hockey pass! Sorry, I couldn't resist, I was just watching the World Juniors. I won't do it again, though....
The good news is that with the right coding and scripting you can easily pass data back and forth between PowerShell and VB.Net. I am going to show you one example, but by no means is it exhaustive. With a little research and practice I am sure you will find many other ways!
High Level View on How Data is Shared
The example builds on an earlier post about using PowerShell with MS Teams. Here VB.Net generates a PowerShell script from the inputs you type into the program, then runs it. The PowerShell script writes its status and any error to text files, and the VB.Net program reads those files to decide whether the script succeeded and tells the user.
Example on Sharing Data from VB.Net to PowerShell
For the purpose of this post, the program and script are trimmed-down samples. Be mindful of error checking and security when sharing data between VB.Net and PowerShell: as written, the service account password sits in a plain-text file next to the executable, and text from the form is written straight into a script that is then executed, so the input validation below is all that stands between a text box and arbitrary PowerShell running as the user.
The VB.Net Code:
' Needs Imports System.IO, System.Linq (for .First() / .All()) and System.Threading
Dim FILE_NAME As String = "setforwarder.ps1"
Dim i As Integer
Dim aryText(24) As String
Dim creds As String
Dim dlgr As DialogResult
Dim objShell = CreateObject("WScript.Shell")
Dim sps1 As String
Dim myPrimary As String
Dim mySecondary As String
Dim firstChar As String
Dim firstCharSec As String
myPrimary = txtPrimary.Text.Trim()
mySecondary = txtSecondary.Text.Trim()
If myPrimary = "" Or mySecondary = "" Then
dlgr = MsgBox("You did not specify a number as Primary and Secondary.", vbOKOnly)
Else
firstChar = myPrimary.First()
firstCharSec = mySecondary.First()
' Validate the format 1XXXXXXXXXX: digits only (IsNumeric would also accept "1,234" or "1.5e3"),
' leading 1, exactly 11 characters. Because the numbers are written into a script that is then
' executed, this check is also what stops a user from injecting PowerShell through the text boxes.
If Not myPrimary.All(AddressOf Char.IsDigit) Then
dlgr = MsgBox("Primary - Only Numbers are allowed.", vbOKOnly)
ElseIf firstChar <> "1" Then
dlgr = MsgBox("Primary - The first digit must be the number 1. Please follow the format 1XXXXXXXXXX.", vbOKOnly)
ElseIf Len(myPrimary) <> 11 Then
dlgr = MsgBox("Primary - The phone number must be exactly 11 digits. Please follow the format 1XXXXXXXXXX.", vbOKOnly)
ElseIf Not mySecondary.All(AddressOf Char.IsDigit) Then
dlgr = MsgBox("Secondary - Only Numbers are allowed.", vbOKOnly)
ElseIf firstCharSec <> "1" Then
dlgr = MsgBox("Secondary - The first digit must be the number 1. Please follow the format 1XXXXXXXXXX.", vbOKOnly)
ElseIf Len(mySecondary) <> 11 Then
dlgr = MsgBox("Secondary - The phone number must be exactly 11 digits. Please follow the format 1XXXXXXXXXX.", vbOKOnly)
Else
' Build the PowerShell script line by line. creds.txt holds the service account password in plain text.
creds = ".\creds.txt"
aryText(0) = "try"
aryText(1) = "{"
aryText(2) = "# Define Credentials"
aryText(3) = "[string]$Username = '[email protected]'"
aryText(4) = "[String]$Password = Get-Content " & """" & creds & """"
aryText(5) = ""
aryText(6) = "# Convert To secure String"
aryText(7) = "[SecureString]$pass = ConvertTo-SecureString -AsPlainText $Password -Force"
aryText(8) = "$SecureString = $pass"
aryText(9) = "# Create credential Object"
aryText(10) = "$MySecureCreds = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $Username,$SecureString"
aryText(11) = "Connect-MicrosoftTeams -Credential $MySecureCreds"
aryText(12) = ""
' Both numbers are quoted with Chr(34) so they land in the script as string arguments
aryText(13) = "Set-CsUserCallingSettings -Identity '[email protected]' -IsForwardingEnabled $True -ForwardingType Simultaneous -ForwardingTargetType SingleTarget -ForwardingTarget " & Strings.Chr(34) & myPrimary & Strings.Chr(34)
aryText(14) = "Set-CsUserCallingSettings -Identity '[email protected]' -IsUnansweredEnabled $True -UnansweredDelay 00:00:30 -UnansweredTargetType SingleTarget -UnansweredTarget " & Strings.Chr(34) & mySecondary & Strings.Chr(34)
aryText(15) = ""
aryText(16) = "Disconnect-MicrosoftTeams"
aryText(17) = "Set-Content .\Exit.txt -Value '1'"
aryText(18) = "}"
aryText(19) = "catch"
aryText(20) = "{"
aryText(21) = ""
aryText(22) = "Write-Output $_ | Set-Content .\Error.txt"
aryText(23) = "Set-Content .\Exit.txt -Value '99'"
aryText(24) = "}"
Dim objWriter As New System.IO.StreamWriter(FILE_NAME)
For i = 0 To 24
objWriter.WriteLine(aryText(i))
Next
objWriter.Close()
' Truncate Error.txt and Exit.txt before running the script so a stale result is never read back
System.IO.File.WriteAllText(".\Error.txt", "")
System.IO.File.WriteAllText(".\Exit.txt", "")
Dim ErrCode As String = ""
Dim ExitCode As String = ""
Dim waited As Integer = 0
sps1 = ".\setforwarder.ps1"
' Hidden window, no profile. -NoExit is deliberately not used: it would leave a hidden
' powershell.exe running after every call. Window style 0 = hidden, no wait (we poll below).
objShell.Run("powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File " + sps1, 0, False)
' Poll Exit.txt until the script writes its status, with a timeout so a hung script cannot block the UI forever
Do Until ExitCode <> "" Or waited >= 120
Threading.Thread.Sleep(1000)
waited += 1
ExitCode = System.IO.File.ReadAllText(".\Exit.txt").Trim()
Loop
ErrCode = System.IO.File.ReadAllText(".\Error.txt")
If ExitCode = "1" Then
MsgBox("Forwarding Has Been Configured.")
ElseIf ExitCode = "" Then
MsgBox("The PowerShell script did not report a result within 120 seconds.")
Else
MsgBox("The PowerShell command failed with Error: " + ErrCode + Chr(13) + ".")
End If
End If
End If
The PowerShell Script
It was generated by VB.Net and Looks like this:
try
{
# Define Credentials
[string]$Username = '[email protected]'
[String]$Password = Get-Content ".\creds.txt"
# Convert To secure String
[SecureString]$pass = ConvertTo-SecureString -AsPlainText $Password -Force
$SecureString = $pass
# Create credential Object
$MySecureCreds = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $Username,$SecureString
Connect-MicrosoftTeams -Credential $MySecureCreds
Set-CsUserCallingSettings -Identity '[email protected]' -IsForwardingEnabled $True -ForwardingType Simultaneous -ForwardingTargetType SingleTarget -ForwardingTarget "<Phone Number set in VB.Net>"
Set-CsUserCallingSettings -Identity '[email protected]' -IsUnansweredEnabled $True -UnansweredDelay 00:00:30 -UnansweredTargetType SingleTarget -UnansweredTarget "<Phone Number set in VB.Net>"
Disconnect-MicrosoftTeams
# "1" in Exit.txt tells the VB.Net program the script finished successfully
Set-Content .\Exit.txt -Value '1'
}
catch
{
# Any failure: record the error for the VB.Net program to display, then signal "99"
Write-Output $_ | Set-Content .\Error.txt
Set-Content .\Exit.txt -Value '99'
}
What holds this all together is Exit.txt and Error.txt, which PowerShell writes to and VB.Net reads from. This gives VB.Net the information it needs to tell the user whether an error occurred when running the PowerShell script. That is one way to share data between VB.Net and PowerShell.
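A hardened version of the generated script, as an added example that is not part of the original post. It keeps the same Teams cmdlets but changes the three things a security reviewer would flag: the password comes from a DPAPI-protected file written by Export-Clixml instead of plain-text creds.txt; the phone numbers arrive as validated parameters instead of being spliced into the script text, so the script no longer has to be regenerated per run; and the result goes out as JSON plus a real process exit code, so the calling program can wait on the process and read ExitCode instead of polling Exit.txt. The target identity, credential file and result file names are placeholders.

```powershell
# Added example, not from the original post: setforwarder.ps1 with parameters, DPAPI-protected
# credentials and a structured result. Placeholders: $TargetUser, $CredFile, $ResultFile.
param(
    [Parameter(Mandatory)][ValidatePattern('^1\d{10}$')][string]$Primary,     # same 1XXXXXXXXXX rule as the VB.Net form
    [Parameter(Mandatory)][ValidatePattern('^1\d{10}$')][string]$Secondary,
    [string]$TargetUser = "[email protected]",                                  # placeholder kept from the original script
    [string]$CredFile   = ".\teams-admin.cred.xml",
    [string]$ResultFile = ".\result.json"
)
$ErrorActionPreference = "Stop"

# One-time setup, run interactively as the same Windows account that will run the VB.Net program:
#   Get-Credential | Export-Clixml .\teams-admin.cred.xml
# Export-Clixml protects the password with DPAPI, so the file only decrypts for that user on that machine;
# copying it elsewhere, or reading it as another user, yields nothing usable.

$result = [ordered]@{ ok = $false; user = $TargetUser; primary = $Primary; secondary = $Secondary; error = $null }
try {
    $cred = Import-Clixml -Path $CredFile
    Connect-MicrosoftTeams -Credential $cred | Out-Null

    Set-CsUserCallingSettings -Identity $TargetUser -IsForwardingEnabled $true -ForwardingType Simultaneous `
        -ForwardingTargetType SingleTarget -ForwardingTarget $Primary
    Set-CsUserCallingSettings -Identity $TargetUser -IsUnansweredEnabled $true -UnansweredDelay 00:00:30 `
        -UnansweredTargetType SingleTarget -UnansweredTarget $Secondary

    $result.ok = $true
}
catch {
    # Keep the message only; the full ErrorRecord can contain the failing command line
    $result.error = $_.Exception.Message
}
finally {
    try { Disconnect-MicrosoftTeams -ErrorAction SilentlyContinue } catch { }
    # One file, always written, always valid JSON: the caller never has to guess from a file length
    $result | ConvertTo-Json -Compress | Set-Content -Path $ResultFile -Encoding UTF8
}

# The process exit code carries the status, so the caller can use WaitForExit() + ExitCode
if ($result.ok) { exit 0 } else { exit 1 }
```

On the VB.Net side this pairs with `Process.Start("powershell.exe", "-NoProfile -ExecutionPolicy Bypass -File .\setforwarder.ps1 -Primary " & myPrimary & " -Secondary " & mySecondary)`, `WaitForExit(120000)` and a check of `ExitCode`, with `result.json` read only for the error text. Note that `Connect-MicrosoftTeams -Credential` cannot answer an MFA prompt, which is exactly why accounts used this way end up on the exclusion list of a policy like the one in the first section; treat that credential file as the secret it is and keep it out of the build output.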
The Bottom Line on Sharing Data from VB.Net to PowerShell
You may have to think a bit outside the box, but if you research enough accompanied by your programming and scripting skills, you will be able to share data from VB.Net to PowerShell. I know it has helped me with my day-to-day M365 administration tasks. It will help you!