Error Disabling Microsoft Managed MFA Policy due to Invalid User Ids

Mike Key
2024-12-24T09:57:56.24+00:00

We are completing a migration away from per-user MFA to conditional access-enforced MFA for all users. As we now have a policy in place that enforces MFA for all users, I'd like to turn off the Microsoft-managed "Multifactor authentication for per-user multifactor authentication users" policy.

Unfortunately, when I try to disable the policy, I receive the following error:
"Object id(s) {list of object ids} are invalid user object(s). Remove invalid user id(s) from 'conditions:users' to resolve this error."

I have searched for some of the object IDs but have been unable to find them, so suspect they are accounts that have been deleted.

The policy also contains users who no longer have a per-user policy enforced, so it doesn't look like the policy is being automatically maintained or updated.

As this is a managed policy, I can't edit the user list from either the browser or PowerShell - is there any other way to disable or remove this policy?

Microsoft Entra ID