Why You Might Need to Disable Two-Step Verification in Office 365 (And How to Actually Do It)

Let’s be real for a second. Security is great until it isn’t. We’ve all been there—standing in a grocery store or sitting in a high-stakes meeting, trying to log into Outlook, only to realize your phone is dead, or worse, you’ve lost that tiny SIM card while traveling. Suddenly, that "impenetrable fortress" of security feels like a cage you're locked out of. If you are looking to disable two-step verification in Office 365, you probably have a very specific, likely frustrating reason.

Maybe you're managing a legacy printer that doesn't understand "Modern Authentication." Or perhaps you're transitioning a team to a third-party identity provider like Okta or Duo and the native Microsoft prompts are just getting in the way. Whatever the case, Microsoft doesn't make it easy to find the "off" switch. They want you to stay buckled in for safety. But sometimes, you just need the door open.

The Reality of Multi-Factor Authentication (MFA) in 2026

Security experts like those at the Cybersecurity & Infrastructure Security Agency (CISA) will tell you that MFA prevents about 99% of bulk phishing attacks. That’s a massive number. It’s why Microsoft pushes "Security Defaults" so hard on every new tenant. Honestly, if you disable this for your primary admin account without a backup plan, you’re basically leaving your front door wide open in a neighborhood that never sleeps.

But there are edge cases. Real ones.

I’ve seen IT admins struggle with service accounts that need to run automated scripts. If that script hits a 2FA wall, the automation breaks. The business stops. In those moments, knowing how to disable two-step verification in Office 365 isn't just a "how-to" task; it's a "save the day" move.

Check Your Permissions First

You can't just wiggle a setting if you're a standard user. You need the big keys. Specifically, you need to be a Global Administrator or a Privileged Role Administrator. If you aren’t one of those, you’re going to hit a brick wall immediately. Microsoft's Entra ID (formerly Azure AD) is the brain behind all of this.

Turning Off Security Defaults: The Heavy Lifting

Most modern Microsoft 365 tenants come with something called "Security Defaults" enabled. This is a "one size fits all" setting that forces MFA on everyone. You can't selectively disable 2FA for one person if this is on. It's all or nothing.

To kill this, you have to head into the Microsoft Entra admin center. Once you're in there, you look for the "Properties" section of your tenant. Down at the bottom, there’s a tiny link that says "Manage Security Defaults."

Switching that toggle to "Disabled" feels a bit like turning off the alarms in a heist movie. Microsoft will ask you why. They’ll give you a list of reasons, and honestly, "My organization is using Conditional Access" is the most professional answer to give them, even if the real reason is "This is driving me crazy."

Once Security Defaults are dead, the gates are open. But you aren't done yet.

The Per-User MFA Rabbit Hole

Even with defaults off, some users might still be stuck in the 2FA loop. This usually happens because of the "Per-User MFA" settings—a legacy system that just won't die.

  1. Go to the active users list in the Microsoft 365 Admin Center.
  2. Look for the "Multi-factor authentication" button in the top nav bar. It usually opens a new, very old-looking tab.
  3. Find the person who is complaining about the prompts.
  4. Select them and look at the "Quick steps" on the right.
  5. Hit "Disable."

It’s fast. It’s effective. It’s also a bit dangerous if you do it to the wrong person.

When Conditional Access Complicates Everything

If you’re in a larger company, you probably aren't using Security Defaults. You’re likely using Conditional Access policies. These are "If/Then" rules. If Bob is in the office, then he doesn't need MFA. If Bob is at a Starbucks in Paris, then he definitely does.

To disable two-step verification in Office 365 in this environment, you have to find the specific policy targeting that user. Sometimes it’s a policy titled "Require MFA for all users." You’ll need to add an "Exclusion."

Exclusions are powerful. They are also the number one way hackers get in. They look for that one account—the "service_account_v2"—that some tired admin excluded from MFA three years ago and forgot about. If you use an exclusion, please, for the love of your Sunday afternoon, use a long, complex, randomly generated password.

The "App Password" Alternative

Wait. Before you totally kill the security, consider if an App Password works.

If you're trying to disable 2FA because an old version of Outlook or a POP3 mail client can't handle the pop-up, App Passwords are your best friend. You keep MFA on for the account, but you generate a unique, 16-character string for that specific "dumb" app. It bypasses the 2FA check just for that one connection.

It’s the middle ground. The compromise. It keeps the "secure" in security without the headache.

The Risks Nobody Mentions

Let’s talk about the elephant in the room. Disabling MFA is a risk. According to Microsoft's own 2023 Digital Defense Report, password-based attacks have skyrocketed. We aren't talking about hackers guessing "P@ssword123" anymore. We are talking about massive botnets trying billions of combinations a second.

If you disable 2FA, you are relying entirely on the strength of the password.

I’ve seen companies lose entire SharePoint libraries to ransomware because one account—just one—had 2FA turned off so a temporary contractor could "get to work faster." The contractor’s home PC was infected, the password was scraped, and the rest is history.

Why the "Remember Me" Option Fails

A lot of people think that clicking "Don't ask again for 90 days" is the same as disabling it. It’s not. That creates a persistent cookie on your browser. If you clear your cache, or if your IT department has a policy that wipes sessions every 24 hours, you're back to square one.

Some admins try to "fix" the 2FA annoyance by extending these session lifetimes. It helps, but it’s a band-aid.

Microsoft loves moving things. By the time you read this, the "Azure" branding might be even further buried under the "Entra" name.

If you can't find the settings, use the search bar at the top of the admin portal. Type "MFA" or "Conditional Access." Don't waste twenty minutes clicking through the sidebar. The UI is a labyrinth designed by people who love nested menus.

Actionable Steps to Take Right Now

If you've decided that you absolutely must disable two-step verification in Office 365, do it systematically so you don't break your entire environment.

  • Audit first. Run a report in the Microsoft 365 admin center to see who is actually using MFA and who is "Capable" but not "Enrolled." You might find the problem is just a bad enrollment, not the 2FA itself.
  • Check for "Security Defaults." If this is on, no individual settings will work. Turn it off only if you have a plan to replace it with custom Conditional Access policies.
  • Use Service Principals. If you are disabling 2FA for a script or an app, stop. Use a Service Principal or a Managed Identity instead. These are designed for non-human logins and don't require MFA or standard passwords. It's the "adult" way to handle automation.
  • Isolate the account. If one user must have 2FA off, strip their admin roles. Never, ever have an account with no MFA that also has Global Admin rights. That is an invitation for disaster.
  • Document the "Why." Put a note in the user's description field: "MFA disabled on 1/15/2026 by [Name] for [Specific Reason]." You will thank yourself in six months when you're doing a security audit and wonder why that account is wide open.
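
An added example, not from the original article: a Python audit that applies the "Audit first," "Isolate the account" and "Document the Why" steps to the forgotten Conditional Access exclusions described earlier. It assumes policies exported in the Microsoft Graph conditionalAccessPolicy shape; the sample policies, user IDs and directory export are constructed, and only user-level scoping is evaluated (groups, roles, Security Defaults and per-user MFA are not considered).

```python
def policy(state, include, exclude, controls, operator="OR"):
    """Build a constructed dict shaped like a Graph conditionalAccessPolicy."""
    users = {"includeUsers": include, "excludeUsers": exclude}
    grant = {"operator": operator, "builtInControls": controls}
    return {"state": state, "conditions": {"users": users}, "grantControls": grant}

POLICIES = [  # constructed sample policies; all IDs are made up
    policy("enabled", ["All"], ["u-svc", "u-bob", "u-old"], ["mfa"]),
    policy("enabled", ["u-bob"], [], ["mfa", "compliantDevice"]),
    policy("enabledForReportingButNotEnforced", ["u-svc"], [], ["mfa"]),
]
NOTE = "MFA disabled on 1/15/2026 by [Name] for [Specific Reason]"
USERS = [  # hypothetical directory export: id, admin roles, description
    {"id": "u-alice", "roles": ["Global Administrator"], "description": ""},
    {"id": "u-bob", "roles": [], "description": NOTE},
    {"id": "u-svc", "roles": ["Global Administrator"], "description": ""},
    {"id": "u-old", "roles": [], "description": ""},
]

def enforces_mfa(p):
    """True only if the policy is enforced and cannot be met without MFA."""
    grant = p.get("grantControls") or {}
    controls = grant.get("builtInControls") or []
    if p.get("state") != "enabled" or "mfa" not in controls:
        return False  # disabled and report-only policies protect nobody
    return grant.get("operator") == "AND" or controls == ["mfa"]

def covers(p, user_id):
    """User-level scoping only; group and role scoping is not expanded."""
    users = p["conditions"]["users"]
    if user_id in (users.get("excludeUsers") or []):
        return False
    included = users.get("includeUsers") or []
    return "All" in included or user_id in included

def audit(policies, users):
    """Map each account that no enforced MFA policy covers to its findings."""
    findings = {}
    for u in users:
        if any(enforces_mfa(p) and covers(p, u["id"]) for p in policies):
            continue
        issues = ["no enforced MFA policy applies"]
        if u["roles"]:
            issues.append("holds admin role: " + ", ".join(u["roles"]))
        if "MFA disabled on" not in u["description"]:
            issues.append("exclusion not documented")
        findings[u["id"]] = issues
    return findings
if __name__ == "__main__": print(audit(POLICIES, USERS))
```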

Disabling security is always a trade-off. You're trading protection for convenience or compatibility. Just make sure you know exactly what you're giving up before you hit that "Save" button.

Once you’ve modified the settings, have the user sign out of all sessions. This forces the system to re-evaluate their login state. Usually, within 15 to 30 minutes, the changes propagate through Microsoft’s global servers, and they should be able to log in with just their password. If they’re still getting prompted, check for a cached "Modern Auth" token on their local machine; sometimes you have to clear the Windows Credential Manager or the "Work or School Account" settings in the Windows 10/11 settings menu to truly get a fresh start.