Starting October 21st, 2019, every new Office 365 for business or Microsoft 365 Business subscription will automatically have security defaults turned on. This means that every user will have to set up MFA and install the Microsoft Authenticator app on their mobile device.
With Multi Factor Authentication enabled, the way you can create an access token for Office 365 is a bit different which I had covered in my other blog post.
We recommend keeping Multi Factor enabled for security but there are times when you wish not to enable it during trial. I have been contacted by few Office 365 admins who struggled disabling MFA in Office 365 even though they enabled support for legacy authentication in Office 365 and disabled MFA for each user. The users continue to see following message on a fresh login to Office 365 portal.
“Your organization needs more information to keep your account secure”
Users can select “skip for now (XX days until is required)” but it will finally require all users to provide it.
It turns out that there has been a change in underlying Azure AD policy which needs to be disabled as well. You could navigate to Office 365 Admin center and then go to Azure Active Directory > Properties >Manage security defaults
Set Enable security defaults to No. Once this step is performed, you users are no longer prompted for MFA. For more details on this topic and baseline security policy, please refer to Microsoft documentation.