Excluding Microsoft 365 connection account from Conditional Access Policies
Summary: The Microsoft 365 connection account should be excluded from conditional access policies, including Baseline policies, custom policies, and per-user MFA policies.
Applies to: Cayosoft Administrator 6.4.0 or later
Overview
Microsoft 365 connection accounts should be excluded from conditional access policies, including Baseline policies, custom policies, and per-user MFA policies.
NOTE: You can use the Trusted IPs feature, which bypasses two-step verification for users who sign in from the company intranet. For more information, see the Microsoft article MFA service settings - Trusted IPs.
IMPORTANT: It is generally impossible to remove Multi-Factor Authentication (MFA) from the default Global Admin account, which is registered to the tenant for security reasons. It is recommended to create a separate account that is used only in the specific Cayosoft Administrator installation and to exclude it from Conditional Access Policies (CAP) that enforce MFA and from per-user MFA.
How to exclude a user from Conditional Access policies
Sign in to the Microsoft Entra Admin Center using the Microsoft 365 connection account.
In the Microsoft Entra admin center, in the Protection section, click Conditional Access and select Policies.
Check the configured policies and exclude the Microsoft 365 connection account from all access policies, including Baseline and custom policies.
Example for the Require multifactor authentication for all users policy:
Click the name of the policy you want the user account to be excluded from. In our case, that is the Require multifactor authentication for all users link.
In the policy properties, select Users.
Locate the Exclude tab.
Select the Users and groups checkbox.
Click the X users link.
In the Select excluded users and groups dialog, search for the user that needs to be excluded from the policy scope.
Click Select. The user is now excluded from the policy.
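One way to verify the exclusions across every policy after the steps above, as an added example that is not Cayosoft or Microsoft code: it takes policies in the shape of Microsoft Graph conditionalAccessPolicy objects and lists the MFA-enforcing ones that still cover the connection account. The object IDs, every policy name except the one used above, and the function names are constructed for illustration; only user, group and role conditions are evaluated.

```python
# Constructed sample data; IDs are made up, fields trimmed to those used below.
SVC = "11111111-aaaa-4bbb-8ccc-000000000001"    # hypothetical connection account object ID
ROLE = "22222222-aaaa-4bbb-8ccc-000000000002"   # hypothetical directory role template ID
POLICIES = [
    {"displayName": "Require multifactor authentication for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [SVC]}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Require MFA for admins (constructed)", "state": "enabled",
     "conditions": {"users": {"includeRoles": [ROLE], "excludeUsers": []}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Block legacy authentication (constructed)", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]}},
     "grantControls": {"builtInControls": ["block"]}},
    {"displayName": "MFA pilot (constructed)", "state": "disabled",
     "conditions": {"users": {"includeUsers": ["All"]}},
     "grantControls": {"builtInControls": ["mfa"]}},
]

def requires_mfa(policy):
    """True if the grant controls demand MFA (an authentication strength is treated as MFA here)."""
    grant = policy.get("grantControls") or {}
    return "mfa" in (grant.get("builtInControls") or []) or bool(grant.get("authenticationStrength"))

def in_scope(policy, user_id, group_ids=(), role_ids=()):
    """Evaluate only the users condition; exclusions take precedence over inclusions."""
    users = policy["conditions"]["users"]

    def hit(prefix):
        return (user_id in (users.get(prefix + "Users") or [])
                or bool(set(group_ids) & set(users.get(prefix + "Groups") or []))
                or bool(set(role_ids) & set(users.get(prefix + "Roles") or [])))

    if hit("exclude"):
        return False
    return "All" in (users.get("includeUsers") or []) or hit("include")

def mfa_policies_in_scope(policies, user_id, group_ids=(), role_ids=()):
    """Return (name, state) for every non-disabled MFA policy that still covers the account."""
    return [(p["displayName"], p["state"]) for p in policies
            if p.get("state") != "disabled" and requires_mfa(p)
            and in_scope(p, user_id, group_ids, role_ids)]

if __name__ == "__main__":
    for name, state in mfa_policies_in_scope(POLICIES, SVC, role_ids=[ROLE]):
        print(f"still applies to connection account: {name} [{state}]")
```

An empty result means no enabled or report-only MFA policy in the export still targets the account through its user, group or role assignments.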
How to disable MFA on a user's level
Sign in to the Microsoft Entra Admin Center using the Microsoft 365 connection account.
Navigate to Identity > Users > All users and locate the Microsoft 365 account that is going to be used by Cayosoft Administrator to connect to the Microsoft 365 services.
Select the account in the list, click the three-dots icon, and select Per-user MFA.
Check that MFA is disabled for the Microsoft 365 connection account according to the Conditional Access policies.