This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(268.8, 56.00000000000001%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMK%3C/text%3E%3C/svg%3E)
We are completing a migration away from per-user MFA to conditional access-enforced MFA for all users. As we now have a policy in place that enforces MFA for all users, I'd like to turn off the Microsoft-managed "Multifactor authentication for per-user multifactor authentication users" policy.
Unfortunately, when I try to disable the policy, I receive the following error:
"Object id(s) {list of object ids} are invalid user object(s). Remove invalid user id(s) from 'conditions:users' to resolve this error."
I have searched for some of the object IDs but have been unable to find them, so suspect they are accounts that have been deleted.
The policy also contains users who no longer have a per-user policy enforced, so it doesn't look like the policy is being automatically maintained or updated.
As this is a managed policy, I can't edit the user list from either the browser or PowerShell - is there any other way to disable or remove this policy?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(236.8, 89%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHE%3C/text%3E%3C/svg%3E)
Hi @ Mike Key
Thank you for reaching out Microsoft Q&A.
I understand that you're encountering an issue while migrating from per-user MFA to Conditional Access-enforced MFA for all users. When attempting to disable the policy, you're seeing the following error:
"Object id(s) {list of object ids} are invalid user object(s). Remove invalid user id(s) from 'conditions: users' to resolve this error."
This error is likely caused by the policy including user object IDs that have been deleted. Since this is a Microsoft-managed policy, you can't rename or delete any Microsoft-managed policies. However, an admin, you do have the ability to modify the policy's state (On, Off, or Report-only) and manage the excluded identities (Users, Groups, and Roles) within the policy.
As mentioned in the screenshot below. Can you try to turn off the policy using edit option under excluded identities section.
For additional information refer this link: Secure your resources with Microsoft-managed Conditional Access policies - Microsoft Entra ID | Microsoft Learn
Hope this helps. Do let us know if you have any further queries.
Regards,
Harshitha Eligeti
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(16, 82%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EEW%3C/text%3E%3C/svg%3E)
We have the exact same problem with a tenant I'm managing. I was told directly by azure support there is no way to modify the included users list and that there was nothing they could do about it.
And directly addressing the answer given: you are right we can modify these to be on, off, or report only. HOWEVER: the error with the invalid object ids in the user list is preventing us from doing so.
If as Azure support claims, there is no way to now turn these policies off, this is an absolutely unacceptable answer and needs to be fixed.
Hello @Edward Walerius
I Understand that you were told directly by azure support there is no way to modify the included users list. Administrators have the ability to Edit the State (On, Off, or Report-only) and the Excluded identities (Users, Groups, and Roles) in the policy.
These Microsoft-managed policies allow administrators to make simple modifications like excluding users or turning them from report-only mode to on or off. Organizations can't rename or delete any Microsoft-managed policies. As Administrators get more comfortable with Conditional Access policy, they might choose to duplicate the policy to make custom versions.
Best Regards,
Harshitha Eligeti.
You are right we absolutely can edit those things. The problem is we can't save changes to the Microsoft managed policy even for the things we SHOULD be able to change because of the error with the included users. This effectively locks it into a permanently ON state with absolutely no way to change it.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(195.2, 56.00000000000001%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMK%3C/text%3E%3C/svg%3E)
We have the exact same problem. A user that was deleted ages ago still somehow is linked to the policy and therefore it cant be disabled. This needs to be fixed as soon as possible.
Hi @Mike Key
We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
Hi @Mike Key
We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(70.4, 89%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGV%3C/text%3E%3C/svg%3E)
We have the same issue. Unfortunately, disabling the per-user MFA for specific users doesn't help, they continue to be part of the MS managed policy. We suspect that in the back end the same error occurs when it tries and propagates the change for specific users to the policy.
Moreover, this policy interferes with External Authentication Methods (as authentication strengths doesn't let EAM options show up for the user), so we need a solution asap.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(294.40000000000003, 77%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBB%3C/text%3E%3C/svg%3E)
Same issue here. Can't edit the policy to disable it after having made a duplicate due to the presence of deleted users in the Microsoft Managed policy.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 4%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJW%3C/text%3E%3C/svg%3E)
Same issue here, causing us major headaches.
We got a response from our Microsoft support person:
Just an update from the engineering ticket this morning, the fix has been checked in. It may take up to two weeks during the roll out to mitigate the issue.
Hi @Harshitha Eligeti ,
Just got back from annual leave and updating the policy as you suggested (by selecting "Edit" under the "Excluded Identities" section) gives the same result.
I note there's now an answer implying that a fix is on the way - do you know if this fix will apply to all tenants?
Many thanks,
Mike
That is what they told us, that the fix is rolling out to all tenants (hence the 2 weeks potential wait). We haven't seen it fixed in our tenant yet, but I can update here if that happens.
Hi @Mike Key •
I have checked with my internal team regarding this issue, and it has been observed across multiple tenants. The issue has been resolved, and the changes will be rolled out across all tenants within two weeks.
Best Regards,
Harshitha Eligeti.