Ensure 'Per-user MFA' is disabled


Legacy per-user Multi-Factor Authentication (MFA) can be configured to require individual users to provide multiple authentication factors, such as passwords and additional verification codes, to access their accounts. It was introduced in earlier versions of Office 365, prior to the more comprehensive implementation of Conditional Access (CA).


Both security defaults and conditional access with security defaults turned off are not compatible with per-user multi-factor authentication (MFA), which can lead to undesirable user authentication states. The CIS Microsoft 365 Benchmark explicitly employs Conditional Access for MFA as an enhancement over security defaults and as a replacement for the outdated per-user MFA. To ensure a consistent authentication state disable per-user MFA on all accounts.


Accounts using per-user MFA will need to be migrated to use CA.

Prior to disabling per-user MFA the organization must be prepared to implement conditional access MFA to avoid security gaps and allow for a smooth transition. This will help ensure relevant accounts are covered by MFA during the change phase from disabling per-user MFA to enabling CA MFA. Section 5.2.2 in this document covers creating of a CA rule for both administrators and all users in the tenant.

Microsoft has detailed documentation on migrating from per-user MFA including a PowerShell script titled Convert users from per-user MFA to Conditional Access based MFA

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.


Disable per-user MFA using the UI:

Navigate to Microsoft Entra admin center https://entra.microsoft.com/.

Click to expand Identity > Users select All users.

Click on Per-user MFA on the top row.

Click the empty box next to Display Name to select all accounts.

On the far right under quick steps click Disable.

Default Value:


See Also


Item Details


References: 800-53|IA-2(1), 800-53|IA-2(2)

Plugin: microsoft_azure

Control ID: ccb6148c8150cbb3bf0b39ef360abce2bce9921c516320febc43ca76617131db