• Removing MFA


    ISSUE 19.17 • 2022-04-25 Look for our special issue on Monday, May 2! MICROSOFT 365 By Will Fastie How many times have articles in this newsletter tol
    [See the full post at: Removing MFA]

    7 users thanked author for this post.
    Viewing 15 reply threads
    • #2441716

      I wish I had seen this two weeks ago. As of Friday, I know far more about MFA on Azure and Exchange than I ever wanted to. My wife had exactly the same problem described in the article, yet I did not, despite the two accounts being set up on the same domain at pretty much the same time.

      After going round loops of enter user name, enter password, your account needs more verification, use Authenticator, can’t use Authenticator use an alternative, enter the code from Authenticator, … I finally got the answer you found.

      Here’s a question, though, how can MFA be set to use Authenticator when the account has never been set up on Authenticator? Never got an answer to that (and hopefully now I don’t need to).

      2 users thanked author for this post.
    • #2441733

      how can MFA be set to use Authenticator when the account has never been set up on Authenticator?

      Good question. I should have an authoritative answer for you because that’s exactly what I did. The problem is that I stumbled and bumbled into it because at some point in the process I said “Yes” to a question when I should have said “No.” Then I was in a “What the heck happened?” mode and more worried about turning it off than on.

      However, because turning off “Enable Security Defaults” resolved my little accidental crisis, I assume that turning it back on will cause 365 to start asking for a second authentication factor.

      1 user thanked author for this post.
    • #2441753

      If only you’d published this a week ago I would have a few less gray hairs at the moment. My client had been hosting his Website with GoDaddy for many years and they used their own internal email system, up until recently when some genius decided that they didn’t want to mess with it anymore and compelled him to go to Office 365 for his domain email. And on top of that it “backfed” through his Gmail account with his unique business name and email address. After a total of about 8 hours and multiple GoDaddy tech support sessions I finally managed to educate myself just enough to pull the irons out of the fire so he could once again start sending & receiving his company email via Gmail and through his GoDaddy domain name. What a bloody nightmare in the meantime though! I literally had to self-educate myself gleaning what little hints I could manage along the way from the GoDaddy tech support people, who themselves did not even have a firm grasp about how to fix the problem. It was 1 of the most frustrating experiences I’ve ever had, made more maddening by the fact that this guy’s email had always worked flawlessly in the past, when GoDaddy handled the email administration and didn’t try to pawn it off to Microsoft to take over the chores. What a gigantic pain-in-the-neck! What goofball comes up with these things, anyway?

      2 users thanked author for this post.
      • #2441817

        Godaddy realized that hosting email and securing email is near impossible for them to do.

        Susan Bradley Patch Lady/Prudent patcher

        2 users thanked author for this post.
      • #2441854

        I have had an absolute nightmare with 123-Reg in the UK, which I believe is at least part-owned by GoDaddy. I had been using it for domain name registration for many years with no problems at all. I added mail forwarding for myself and my wife, in both cases to our GMail addresses. This worked fine for years.

        A few weeks ago, my wife was told that many of her messages were ending up in Spam and 123-Reg recommended we moved from forwarding to hosting for her. This was with 123-Reg mail servers (so probably the Starfield webmail Will Fastie mentions). All was well for a couple of weeks then she was told emails were still going to spam and 123-Reg recommended moving her hosting to Microsoft 365. I specifically asked if this would have any effect on any other email addresses on the domain and was told it would not. This was a lie, as soon as my wife’s email was moved to M365 the forwarding was turned off, with no notice, and it took them four days to sort it by moving me to M365 as well. If they had mentioned this at the time I wouldn’t have had an issue with saying to migrate us both. The net effect was that I lost all those emails. The less than useful response from 123-Reg was to ask people to send me emails again. Right, and I would know who had sent me mail how, exactly?

        At least my lost emails were personal, my wife uses her email for business.

        Anyway, the order of the day now is to move from 123-Reg. I have already changed my 5-* review to 1-*.

        2 users thanked author for this post.
      • #2441892

        I have one client who was using GoDaddy before I took over the account. I also have many accounts hosted through Microsoft themselves. I can catagorically state that GoDaddy does not have 3rd tier tech support for Office 365. Their techs are only level 2 at best. It is the worst tech support I’ve encountered and if it wasn’t for the fact that it would be much too hard to move the Office 365 account and SharePoint environments entirely I would do it tomorrow.  I have never encountered a worse system for administrating Office 365. I have hosted with HostPapa and been very happy with their tech support. They do not offer MFA for their logins though and I have told them that I might move my hosting if they don’t implement it. I can’t trust a hosting company that doesn’t offer it.

        2 users thanked author for this post.
    • #2441754

      Great article will save it for future use.

      My love for microsoft’s antics grows thinner by the day

      1 user thanked author for this post.
    • #2441774

      Will, Consider learning how to reduce the number of prompts while maintaining MFA. You can get them down to near zero for people that are rather stationary. For those that are more mobile, every couple of weeks. Even with multiple accounts in multiple domains. No one loves MFA more than they love their password but in todays world there’s no security without it.

      1 user thanked author for this post.
    • #2441790

      Great article! Thanks for the clear explanation of how to find this. I’ve been wrestling with this myself but had not yet found the answer. Now I have it! And I, too, would like to know how Authenticator gets involved.

      1 user thanked author for this post.
    • #2441819

      And I, too, would like to know how Authenticator gets involved.

      When one decides to turn on security (which is clearly what I did, accidental or not), two options are offered (I think there is a third if an individual does not have a smartphone). The two are text messages and the Microsoft Authenticator app. So Authenticator gets involved by user choice.

      3 users thanked author for this post.
      • #2441855

        The only issue that I have with that is that it forces Authenticator but doesn’t force you to set it up, so you can end up with the situation that Authenticator is the only allowed MFA tool, but you can’t use it because you haven’t set up an account on it, and you can’t set up the account because you can’t log in to the account because you can’t pass MFA because, …

        2 users thanked author for this post.
    • #2441825

      … hosting his Website with GoDaddy for many years and they used their own internal email system …

      When Bob Parsons sold GoDaddy, the new owners moved with relative speed to redo the entire hosting system. That system had been built by Starfield Technologies, a separate Parsons company that built out all of GoDaddy’s original hosting environment. The new owners converted to cPanel to provision hosting.

      But one thing they left intact was the Starfield email system. There were (are) a lot of problems with that code, which is still in place to this day. I think GoDaddy realizes this is something it needs to clean up.

      Converting to 365 is not the solution, however. The backend of any hosting system must be able to send out an email; it’s a fundamental requirement. You don’t use 365 for that.

      Those who followed my earlier writings here about Web development know that I recommend GoDaddy very highly for domain name registration, which it does very well. GoDaddy’s hosting environment is pretty good, but I do not recommend it for two reasons, one of which is the Starfield email service.

      2 users thanked author for this post.
    • #2441858

      “multi-factor authentication…can be extremely annoying for frequently used systems and services, such as email.”

      Yes, using multi-factor authentication (MFA/2FA), can be a major pain!

      However, for any email account that can be accessed from the web, I don’t see any other secure choice, than to use MFA. The reason for this, is most web passwords can be reset using your email account!! Once your email account is breached, most associated web accounts can have their passwords reset.

      However, there are workarounds to keep web based mail secure and avoid frequent MFA prompts. One technique sometimes supported is “device remembered”. You only have to handle the MFA prompt once and subsequently, that device is remembered. This works securely when the device itself is secured through other means.

      Windows 10 22H2 desktops & laptops on Dell, HP, ASUS; No servers, no domain.

    • #2441915

      Will. A couple of things:

      1. I do not do consulting work anymore for any client that refuses to do MFA. It’s a condition of my work. Why? I could be liable as a consultant. It’s easier to say, “Your bank makes you do it, and so do I. It’s your data but my liability.” See more on this at the bottom of this thread below.
      2. Your issues with the Microsoft personal account being different MFA settings are valid, but to be clear, there is a very clear screen in the Microsoft Consumer account settings. It seems to me, as a home admin as well, to be quite easy to use.
        1. Consumer-MFA-Outlook
      3. In the business admin settings I don’t see what you see in User admin settings. This is the Admin screen as it looks to me. MFA is SECOND in the listing.


      Screen 1

      Also, I do not have to use MFA to log into outlook every time I use it. It remembers the credentials. I only do it the first time. BUT the Admin can make the MFA credentials need revalidation on the timeframe of their choice. Look at the AD admin panel for that.

      Next: Here is the next screen I see, cut down to the key elements: enforced or not and managing settings.


      Screen 2

      and you then have these choices:


      Screen 3

      This is what you can do from the USER ADMIN screens.

      If I login into Azure AD  User settings I see these options.

      This takes you to the same (?) page you would get into in the second screen above.

      If I Don’t go to that screen I can click on any user and get their Profile Page (too complex to show here).

      But: down that screen is a choice on Authentication Methods


      And once there, you can have the user re-register. You don’t have to wade through all this to re-register, just login as admin, go to the Azure AD admin panel, go to users and change these settings to re-register the person. You can also turn MFA on and off there. Not that hard for an admin.


      As to your Security Defaults issue. Here’s MSFT official docs. I agree that your client might not want to do MFA, but remind them of the following from below:

      More than 99.9% of these identity-related attacks are stopped by using multi-factor authentication (MFA) and blocking legacy authentication.

      Microsoft is making security defaults available to everyone, because managing security can be difficult. Identity-related attacks like password spray, replay, and phishing are common in today’s environment. More than 99.9% of these identity-related attacks are stopped by using multi-factor authentication (MFA) and blocking legacy authentication. The goal is to ensure that all organizations have at least a basic level of security enabled at no extra cost.

      Security defaults make it easier to help protect your organization from these identity-related attacks with preconfigured security settings:


      1 user thanked author for this post.
    • #2442090

      … there is a very clear screen in the Microsoft Consumer account settings.

      You are right. I have no recollection of ever looking at that Security page, perhaps because I haven’t touched the account settings for a very long time. (I noticed today that my account still thinks I have a Windows 8 phone.)

      MFA is SECOND in the listing.

      As I mentioned, it depends on the size of one’s browser window. I knew the entry was there, but it’s possible that a given user would not see that setting and not click the ellipsis. That’s why I mentioned it. (I was also deliberately using a very narrow window so that my screen captures were readable.)

      It’s your data but my liability.

      I’m not sure about that. I’m checking, but in general I’d say that a client’s mischief is not on me unless I actively contributed.

      • #2442117

        Yes, while technically we might win a legal battle over this issue with a pissed off client, I choose to avoid it altogether to avoid paying a lawyer to find out who is right. If it wasn’t clearly documented in advance they could claim they hired you as a ‘security expert’ to give them the right advice. I build the phrase into my contracts. I have only had to turn down one client so far. All of my clients had their email hacked before I arrived, none have since MFA. It works, as we both know! Thanks for your articles. I always read them.

        • #2442120

          The issue Will first reported, and that also happened to me, is that MFA is turned on by default using Authenticator, but without forcing you to configure Authenticator. So you try to log in and get told to check Authenticator. But you haven’t set up Authenticator so you say “I don’t have access to Authenticator” and you get two options – both of which require Authenticator. You end up in a loop you can’t (as a user) get out of and have to get an Admin involved.

          1 user thanked author for this post.
          • #2442124

            Hi Keith. I might be misunderstanding you, (posting is so inadequate a communication channel…). I have installed over 100 MFA clients in the last year, and none of them start by needing Authenticator. I suppose if you mean that you choose to use Authenticator when you first log in and then find you aren’t already setup with Authenticator that you would be correct, you would need to get an admin involved. But there is no forcing of anyone to use Authenticator. The majority of my clients use txt messaging on a phone. I might be the only one using authenticator out of those 100. But maybe something changed in the last few days. I just setup a couple of people the other day.

            • #2442172

              Hi 8string (guitar or double-strung bass?)

              It’s possible it’s the default for new tenants on the installation I used. I’m not an administrator and have no desire to be, but I am sufficiently technical to be able to dig my way through the rat’s nest of documentation and settings in unexpected places. In this case, it was a setting in Azure, which was something I certainly didn’t touch so must have been either default or set as such by 123-Reg.

            • #2442177

              Understood. I don’t doubt that what you said was true. It’s just odd that I’ve never seen MFA forced using Authenticator rather than it just be a choice for the user. If I remember right, it could be that it’s recommended at setup so the user thinks, “oh sure, why not!”

              Anyway best of luck!

              8string (mandolin)

              1 user thanked author for this post.
    • #2442134

      Now I can explain this rats nest to my fellow board members..

      Knut (Norway)
      Part time admin for 10 users EOP now Plan 3 (until next plan…)

      • #2442185

        Ha! No, I don’t think telling the details of *any* admin duties other than adding and deleting users on any platform to a board would be a fruitful conversation.

    • #2442369

      I don’t like Multi Factor Authentication for any of my accounts.  My preference is to have a different User ID for every account and a unique password for each account.  If no one knows my User ID, they don’t know what account to attempt to access.  I consider this to be my own form of MFA. What interferes with this approach is too many accounts force me to use my email address as my User ID.  I interpret this as laziness on the part of whoever designed the access to that account.  The email address should simply be stored in the database for the account and not used as the User ID, because the email address, by necessity, is known publicly.  None of my financial accounts use my email address as the User ID.

      • #2442507

        Hope you are using 16 character pw’s.


      • #2442521

        Something to ponder as you take the risk of not using MFA and getting your password hacked.  Clearly MSFT feels that using the email address is ok if you are using MFA. While not ideal it is used by Google as well. And as I mentioned on a thread above, all of my clients using passwords were hacked prior to my taking over their accounts as admin. None have been since implementing MFA over the last three years. I’m convinced and so are they that it works and works well.


        1 user thanked author for this post.
    • #2442464

      force me to use my email address as my User ID

      That with high probability has been harvested already.

    • #2442499

      MFA is a mutha on it’s own. But for them to bury it so deep in the settings… come ON!

      Hopefully they’ll improve the interface. (OK, stop laughing, but really.)

      What I’d worry about is that  ‘enable security defaults.’ Who knows what other customizations you’ve made – intentionally or otherwise, and that sounds like you’re resetting to the original. Scary.

    • #2455114

      I’m behind in my newsletters. Please forgive the necro, but I felt i had to chime in regarding this article.

      I completely agree that MS handles M365 MFA incredibly poorly in many ways. Maybe in every way. I strongly encourage 3rd party MFA providers like Duo or Okta. Tho these are elephants of their own, they offer incredible granularity in how and when MFA prompts are presented and received.

      For example, AzureAD MFA does not allow disabling authentication methods for some users but not others. For example, it’s not currently possible to restrict phone-based auth methods (SMS/call) to an individual or group- it’s all or nothing. Since SMS is widely understood as no longer an acceptable form of MFA, this means turning it off has an impact on users that do not have smart phones. Who doesn’t have a smart phone in 2022, one might ask? While only a small % of our corporate staff don’t, that goes way up for our manufacturing and warehousing sites.

      And the conditional access controls of AzureAD MFA are rather limited, too, but at least they exist.

      Finally, to the point of my post-

      MFA is no longer optional for businesses (i’d argue the same for personal, too). It should be considered absolutely mandatory for all businesses. Once user onboarding is behind you, well-crafted MFA policies will be invisible to most employees most of the time.

      Is it simple to implement for smaller orgs? No, but the capability exists. And providing some personal user onboarding assistance may be required. Even basic MFA polices don’t have to be invasive- you can determine how frequently to be prompted and how long the authentication token lasts (similar to a cookie).

      I believe Duo MFA is free for up to 10 users (with limitations). And Azure AD MFA and paid Duo and Okta subscriptions, you have conditional access policies to ease MFA for more predictable, generally safer login circumstances while scrutinizing logins considered riskier.

      • Work from the same corporate site every day?
        • Prompted for MFA once a week (or 2, or 4!)
      • Work from home every day?
        • Prompted once every 24 hours
      • Work from random remote sites?
        • Are you in an area (country/state/region) where your org has a footprint? Prompted every 24 hours
        • Are you traveling abroad, say to a customer’s site, for which your org does not have a footprint? Prompted with every login.
      • Have users without smart phones?
        • Enable phone call and email authentication methods
      • Restrict logins to or from certain areas.
        • Only have on-site employees that never work off-site? Restrict logins to site IP addresses.
        • Worried about phishing attacks or other malicious login attempts from Russia, Iran, or China? Block entire countries or regions by geolocation.

      And how does the prompt work? A simple “was this you? tap Yes to confirm” mobile notification. 1-2 taps max, most of the time. Barely an inconvenience. If an 80 year old CEO of a manufacturing company, openly hostile to technology, can do it without any issues or complaints, IMO so can everyone else.

      Oh and by the way- good look renewing your cybersecurity insurance policy without MFA! Exactly 100% of underwriters require MFA . Not having it is called a non-starter!

      Personally, i think it’s ethically wrong to provide IT services to an organization without requiring them to use MFA for at least their email platform, and wouldn’t accept a client that was so opposed to it. I know the author’s circumstance isn’t necessarily that straight-forward since it was an accident. You certainly want to plan this sort of thing and receive buy-in from the person signing your checks or invoices. I would, though, make it a condition for me to continue providing them with IT services.

    Viewing 15 reply threads
    Reply To: Removing MFA

    You can use BBCodes to format your content.
    Your account can't use all available BBCodes, they will be stripped before saving.

    Your information: