Microsoft recently introduced a conditional access policy that applies to all Azure AD administrators. More specifically, when this policy is applied, users in the following roles are required to use MFA, even if their MFA status is set to disabled in the Office 365 admin portal:
- Global Administrator
- SharePoint Administrator
- Exchange Administrator
- Conditional Access Administrator
- Security Administrator
- Helpdesk Administrator/Password Administrator
- Billing Administrator
- User Administrator
The policy can be configured in the Azure AD management portal: https://aad.portal.azure.com. Follow the steps below to disable the conditional access policy and thereby disable MFA for Azure AD administrators:
- Navigate to Azure AD portal -> All services
- Click on Azure AD conditional access
- Click on the Baseline policy: Require MFA for Admins policy.
- Disable the policy.