How to turn off MFA for the user in organization

DmitryP 0 Reputation points
2025-02-21T10:28:13.93+00:00

Hello.

How can the MFA policy be disabled? Currently, there is a default MFA policy in Conditional Access that manages MFA for users. The question is: how can it be fully disabled? I have turned it off and added an exclusion for a group of users, but MFA is still being required for the user during sign-in.


2 answers

  1. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.



  2. Sanoop M 1,000 Reputation points Microsoft Vendor
    2025-02-21T20:05:47.0133333+00:00

    Hello @DmitryP,

    Thank you for posting your query on Microsoft Q&A.

    I understand that there is a default MFA policy in Conditional Access that manages MFA for users in your tenant. The question is: how can it be fully disabled? You have turned it off and added an exclusion for a group of users, but MFA is still being required for the user during sign-in.

    Please note that even if you have turned off the CA policy and also excluded the user from the CA policy, there are multiple sources through which MFA can be triggered for the users to sign in to the application. Below are the different sources of MFA.

    1. Per-User MFA.
    2. Conditional Access policies.
    3. Security Defaults.
    4. Identity Protection (MFA registration policy).

    1. Per-User MFA

    Please check if the Per-User MFA is enabled or not for the user by following the below mentioned steps.

    View the status for a user

    The per-user MFA administration experience in the Microsoft Entra admin center was recently improved. To view and manage user states, complete the following steps:

    1. Sign in to the Microsoft Entra admin center as at least an Authentication Policy Administrator.
    2. Browse to Identity > Users > All users.
    3. Select a user account, and then select Per-user MFA.
    4. Please refer to the below Screenshot for your reference.


    Search for the affected user and check the Per-user MFA status. If it is enabled, please select Disable MFA as shown in the below Screenshot for your reference.


    2. Conditional Access policies

    Please note that even if you have disabled the default MFA-based CA policy in your tenant, there might be other CA policies in your tenant that the affected user is part of, through which the user is getting prompted to complete MFA.

    You can verify whether any other CA policy is getting applied to complete MFA by following the below mentioned steps.

    To view the sign-in logs from the Microsoft Entra admin center:

    1. Sign in to the Microsoft Entra admin center as at least a Reports Reader.
    2. Go to Users -> All Users -> Select the affected user and select Sign-in logs and check for the sign-ins where the Authentication requirement is showing as Multifactor Authentication. Please refer to the below Screenshot for your reference.
    3. If the Authentication requirement is showing as Multifactor Authentication for any of the sign-ins, please select that sign-in and navigate to the Conditional Access tab to check which CA policy is getting applied for that sign-in. Please refer to the below Screenshot for your reference.

    3. Security Defaults

    Please note that if there is no CA policy enabled in your tenant, then please check if the Security Defaults is enabled in your tenant by following the below mentioned steps.

    1. Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
    2. Browse to Identity > Overview > Properties.
    3. Select Manage security defaults.
    4. Check if Security Defaults is enabled or not.

    Please note that Security Defaults is a tenant-wide setting and it will be applicable to all the users in your tenant.

    If Security Defaults is enabled in your tenant, then all the users in your tenant are getting MFA through Security Defaults.

    For additional details, please refer to the below document for your reference.

    Providing a default level of security in Microsoft Entra ID - Microsoft Entra | Microsoft Learn

    4. Identity Protection (Multifactor Authentication Registration policy)

    Please check if you have enabled the Multifactor Authentication Registration policy from Identity Protection by following the below mentioned steps.

    1. Sign in to the Microsoft Entra admin center as at least a Security Administrator.
    2. Browse to Protection > Identity Protection > Multifactor authentication registration policy.
    3. Please check whether the affected user is part of that policy and also check whether the policy is enabled or not from Policy enforcement section.

    For additional details, please refer to the below document for your reference.

    Configure the MFA registration policy - Microsoft Entra ID Protection | Microsoft Learn

    As I have mentioned above, please check which source of MFA is prompting the user to complete MFA and disable that particular source of MFA accordingly.

    I hope the information provided above is helpful. Please feel free to reach out if you have any further questions.

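The sign-in log check from section 2 of the answer above can also be run over a JSON export of the sign-in logs. This is an added example, not part of the original answer: it lists, for each sign-in where MFA was required, the Conditional Access policies that enforced it, and falls back to the answer's other three sources when no policy explains the prompt. Field names follow the Microsoft Graph `signIn` resource; the `mfa_sources` helper, the sample records, and the `Mfa` grant-control value are assumptions made for illustration.

```python
import json

# Constructed sample shaped like Microsoft Graph signIn records (sign-in log
# JSON export). Users, apps and policy names are invented for illustration.
SAMPLE_EXPORT = json.dumps([
    {"createdDateTime": "2025-02-21T09:58:02Z",
     "userPrincipalName": "user1@contoso.example", "appDisplayName": "Azure Portal",
     "authenticationRequirement": "multiFactorAuthentication",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Default MFA policy", "result": "notEnabled",
          "enforcedGrantControls": []},
         {"displayName": "Require MFA for admin portals", "result": "success",
          "enforcedGrantControls": ["Mfa"]}]},
    {"createdDateTime": "2025-02-21T10:05:40Z",
     "userPrincipalName": "user1@contoso.example", "appDisplayName": "Office 365",
     "authenticationRequirement": "multiFactorAuthentication",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Default MFA policy", "result": "notEnabled",
          "enforcedGrantControls": []}]},
    {"createdDateTime": "2025-02-21T10:11:09Z",
     "userPrincipalName": "user1@contoso.example", "appDisplayName": "Office 365",
     "authenticationRequirement": "singleFactorAuthentication",
     "appliedConditionalAccessPolicies": []},
])

# The non-CA sources listed in the answer, to check when no CA policy explains MFA.
OTHER_SOURCES = ["Per-user MFA", "Security Defaults",
                 "Identity Protection MFA registration policy"]

def mfa_sources(export_json, upn):
    """Return one finding per sign-in of `upn` where MFA was required."""
    findings = []
    for rec in json.loads(export_json):
        if rec.get("userPrincipalName", "").lower() != upn.lower():
            continue
        if rec.get("authenticationRequirement") != "multiFactorAuthentication":
            continue
        # A policy enforced MFA if it was evaluated (success/failure) with an Mfa grant.
        enforcing = [p["displayName"]
                     for p in rec.get("appliedConditionalAccessPolicies") or []
                     if p.get("result") in ("success", "failure")
                     and "mfa" in [c.lower() for c in p.get("enforcedGrantControls") or []]]
        findings.append({"time": rec["createdDateTime"], "app": rec["appDisplayName"],
                         "ca_policies": enforcing,
                         "check_next": [] if enforcing else OTHER_SOURCES})
    return findings

if __name__ == "__main__":
    for f in mfa_sources(SAMPLE_EXPORT, "user1@contoso.example"):
        print(f)
```

A finding with an empty `ca_policies` list means the prompt did not come from an enabled Conditional Access policy, so the remaining sources in `check_next` are the ones to inspect.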
