What I just did (and worked) is:
Create an exclusive user for this and assign the GLOBAL READER role.
Create a group "MFA-disabled" (or the name you want) and assign that user to this group.
Go to AzureAD, Security, Conditional Access and create (if it doesn't exist) a policy to enforce MFA across your domain AND apply EXCEPTION to keep MFA disabled for members of this group.
Works like a charm!!
And this way you don't use a full GLOBAL ADMIN account in this
P.S.: MFA is extremely important to keep your O365 security tight. Use this exception as a last resort, more likely for apps or services not compatible with MFA. Definitely, NOT RECOMENDED to enable a user to not use MFA. If you do that, you'll be ENABLING a security flaw. The chain always breaks on the weakest link!
If a user needs an app or service not compatible with MFA, you can create an APP PASSWORD for that user, just for that app/service. This is better than disable MFA completely for a user.
Create an exclusive user for this and assign the GLOBAL READER role.
Create a group "MFA-disabled" (or the name you want) and assign that user to this group.
Go to AzureAD, Security, Conditional Access and create (if it doesn't exist) a policy to enforce MFA across your domain AND apply EXCEPTION to keep MFA disabled for members of this group.
Works like a charm!!
And this way you don't use a full GLOBAL ADMIN account in this
P.S.: MFA is extremely important to keep your O365 security tight. Use this exception as a last resort, more likely for apps or services not compatible with MFA. Definitely, NOT RECOMENDED to enable a user to not use MFA. If you do that, you'll be ENABLING a security flaw. The chain always breaks on the weakest link!
If a user needs an app or service not compatible with MFA, you can create an APP PASSWORD for that user, just for that app/service. This is better than disable MFA completely for a user.
