Summary: Microsoft 365 connection accounts should be excluded from conditional access policies, including Baseline policies, custom policies, and per-user MFA policies.
Applies to: Cayosoft Administrator 6.4.0 or later
ID: KB20200305-1
Overview
Microsoft 365 connection accounts should be excluded from conditional access policies, including Baseline policies, custom policies, and per-user MFA policies.
Important: It is generally impossible to remove Multi-Factor Authentication (MFA) from the default Global Admin account, which is registered to the tenant for security reasons. It is recommended to create a separate account which is used only in the specific Cayosoft Administrator installation, and it should be excluded from Conditional Access Policies (CAP) that enforce MFA and from per-user MFA.
How to exclude a user from a Conditional Access policy
- Sign in to the Microsoft Entra Admin Center using the Microsoft 365 connection account.
- In the Microsoft Entra admin center, in the Protection section, click Conditional Access and select Policies.
- Check the configured policies and exclude the Microsoft 365 connection account from all access policies, including Baseline and custom policies.
Example for the 'Require multifactor authentication for all users' policy:
- Click the name of the policy you want the user account to be excluded from. In our case, that is the 'Require multifactor authentication for all users' link.
- In the policy properties, select Users.
- Locate the Exclude tab.
- Select the Users and groups checkbox.
- Click the X users link.
- In the Select excluded users and groups dialog, search for a user that needs to be excluded from the policy scope.
- Click Select. Now a user has been excluded.
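To confirm that the exclusions took effect, the check below (an added example, not Cayosoft or Microsoft code) reads policies in the shape of the Microsoft Graph conditionalAccessPolicy resource and lists every non-disabled policy that still applies to the connection account. The object ID, the group ID and the custom policy names are constructed, and role-based conditions are not evaluated.

```python
# Constructed object ID for the Microsoft 365 connection account (placeholder).
CONNECTION_ACCOUNT = "11111111-1111-1111-1111-111111111111"

# Constructed policies, trimmed to the Microsoft Graph conditionalAccessPolicy
# fields this check reads. Custom policy names and "grp-pilot" are hypothetical.
SAMPLE_POLICIES = [
    {"displayName": "Require multifactor authentication for all users",
     "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeUsers": [CONNECTION_ACCOUNT]}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Custom: MFA for admin portals", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Custom: report-only MFA pilot",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeGroups": ["grp-pilot"]}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Custom: sign-in frequency", "state": "disabled",
     "conditions": {"users": {"includeUsers": ["All"]}}, "grantControls": None},
]


def applies_to(policy, user_id, group_ids=()):
    """True if the user conditions include the account and do not exclude it."""
    users = (policy.get("conditions") or {}).get("users") or {}
    ids = lambda key: set(users.get(key) or [])  # Graph may return null or []
    groups = set(group_ids)
    included = ("All" in ids("includeUsers") or user_id in ids("includeUsers")
                or bool(groups & ids("includeGroups")))
    excluded = user_id in ids("excludeUsers") or bool(groups & ids("excludeGroups"))
    return included and not excluded  # an exclusion always wins over an inclusion


def audit(policies, user_id, group_ids=()):
    """Return (name, state, requires_mfa) for each non-disabled policy in scope."""
    findings = []
    for p in policies:
        if p.get("state") == "disabled" or not applies_to(p, user_id, group_ids):
            continue
        controls = (p.get("grantControls") or {}).get("builtInControls") or []
        findings.append((p["displayName"], p["state"], "mfa" in controls))
    return findings


if __name__ == "__main__":
    for name, state, mfa in audit(SAMPLE_POLICIES, CONNECTION_ACCOUNT, ["grp-pilot"]):
        print(f"still in scope: {name} [{state}] requires_mfa={mfa}")
```

An empty result means every non-disabled policy in the export excludes the account; per-user MFA is a separate setting and is not covered by this check.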
How to disable MFA on a user's level
- Sign in to the Microsoft Entra Admin Center using the Microsoft 365 connection account.
- Navigate to Identity > Users > All users and locate the Microsoft 365 account that is going to be used by Cayosoft Administrator to connect to Microsoft 365.
- Select the account in the list, click the three-dots icon and select Per-user MFA.
- Check that MFA is disabled for the Microsoft 365 connection account according to the Conditional Access policies.
Related Articles
Troubleshooting connection to Office 365
Troubleshooting Conditional Access Policy enforcement on Microsoft 365 Connection Account