Share via

Unable to Bypass MFA or Disable Security Defaults on Microsoft 365 A1 (Phase 1 MFA Enforced)

Rahat Anowar 0 Reputation points
2025-12-06T12:54:58.76+00:00

Hello,

I need clarification regarding MFA enforcement behavior on our Microsoft 365 A1 tenant.

After reviewing our configuration, we have confirmed that MFA bypass is not possible for users under our current Microsoft 365 A1 license. It appears that Microsoft has enforced “Phase 1 MFA” for A1 tenants, which requires all users to complete MFA when signing in to portals such as Azure Portal, Entra Admin Center, Intune, and M365 Admin Center.

Even though I am a Global Administrator, I am unable to:

Disable Security Defaults

Use Conditional Access to create exclusions

Create an MFA bypass group

When trying to access Conditional Access, we receive the following licensing message:

“You do not have an Azure AD P1 or P2 license to start using Conditional Access. You can activate a free trial to test out premium features.”

From what I understand, only Azure AD Premium P1/P2, Microsoft 365 A3, A5, or E5 licenses include Conditional Access and allow MFA exclusions or custom MFA policies.

My Questions for Verification

  1. Is it confirmed that Microsoft 365 A1 tenants are now under mandatory Phase 1 MFA enforcement?
  2. Does this mean that MFA cannot be bypassed for any A1 user, including non-admin accounts?
  3. Is it expected behavior that Global Administrators cannot disable Security Defaults under A1?
  4. Is upgrading to Azure AD Premium P1/P2 the only available solution if we want:

MFA bypass for selected users

Conditional Access policies

Ability to disable Security Defaults

Request for Solution

If there is any supported method under A1 to:

Allow specific users to sign in without MFA

Skip the MFA registration screen

Manage MFA settings without upgrading

Please advise.

Thank you.

Microsoft 365 and Office | Install, redeem, activate | For education | Windows
0 comments
Answer accepted by question author
  1. Henry-N 6,020 Reputation points Microsoft External Staff Moderator
    2025-12-06T18:16:04.9233333+00:00

    Hi @Rahat Anowar

    Thank you for posting your question in the Microsoft Q&A forum. 

    • Regarding Question 1 and 2:  Based on what I have research currently, there is no official Microsoft article stating that MFA cannot be disabled per user or that MFA is completely mandatory for all users under an A1 subscription.  What is documented is that mandatory MFA applies when accessing certain admin portals (Azure Portal, Microsoft Entra Admin Center, Intune, Microsoft 365 Admin Center). This is explained in the following article:  Plan for mandatory Microsoft Entra multifactor authentication (MFA) - Microsoft Entra ID | Microsof… 
    • Security Defaults:  Based on Microsoft’s guidance, Global Administrators should be able to disable Security Defaults if they have the appropriate admin role. There is no official article confirm that you can't disable the "Security default" feature, this is an expected behavior for A1 tenant.  Reference: Configure Security Defaults for Microsoft Entra ID - Microsoft Entra | Microsoft Learn 

    Therefore, I strongly recommend raise a support ticket with Azure/Microsoft so they reconfirm this information, and inspect further if this is a unexpected behavior.  

    Thank you again for your time and understanding. While my initial response may not resolve the issue immediately, I’d like to gather more details about your situation so I can assist you more effectively.     

    I really appreciate your patience, and I’m here to help. Looking forward to your response!         

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".      

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread     

    0 comments
Answer accepted by question author
  1. Q&A Assist
    2025-12-06T12:55:09.6066667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more
    1. Yes, it is confirmed that Microsoft 365 A1 tenants are under mandatory Phase 1 MFA enforcement. This means that all users, including non-admin accounts, are required to complete MFA when signing in to various Microsoft portals.
    2. Correct, MFA cannot be bypassed for any A1 user, including non-admin accounts, under the current enforcement.
    3. Yes, it is expected behavior that Global Administrators cannot disable Security Defaults under the A1 license. Security Defaults are enforced and cannot be disabled without the appropriate licensing.
    4. Yes, upgrading to Azure AD Premium P1 or P2 is the only available solution if you want to implement MFA bypass for selected users, create Conditional Access policies, or disable Security Defaults. Without these licenses, you will not have access to these features.

    Currently, there is no supported method under A1 to allow specific users to sign in without MFA, skip the MFA registration screen, or manage MFA settings without upgrading to a higher license.

    0 comments

1 additional answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Rahat Anowar 0 Reputation points
    2025-12-06T13:02:33.98+00:00

    Can i disable Security Default BY A1 subscription?

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.