Disable Remember MFA on Trusted Devices in Microsoft Entra ID

When we tested this in a production Entra ID tenant, the trusted-device cookie persisted across browser restarts and VPN reconnections for the full configured duration. A user who authenticated once on a shared workstation could have left MFA dormant for weeks without anyone noticing. That is the real exposure this guide closes.

For context on how broken access controls in Entra ID can escalate quickly, see the incident analysis in Broken Entra Access Controls Exposed FIFA World Cup Streams.

What Does the Research Say About MFA Bypass Risk?

Microsoft Learn reports that more than 99.9% of compromised Microsoft accounts lacked MFA entirely. That figure makes any mechanism that silently disables MFA prompts a high-priority hardening target. Stolen credentials remain the top breach vector at 31% of breaches according to the 2025 Verizon DBIR, still more than double any other single vector.

MFA fatigue is not a theoretical threat either. SentinelOne cites the 2025 Verizon DBIR finding that MFA fatigue attacks appear in 14% of analyzed security incidents. Meanwhile, Cybersecurity Dive reports that Cisco Talos incident responders found MFA abuse in nearly half of Q1 2024 engagements, with fraudulent push notifications in 25% of cases.

These numbers reinforce a simple operational rule: do not give attackers a free pass through a browser cookie when you can close it in under 2 minutes.

Prerequisites

Before you start, confirm you have the following in place:

• A Microsoft Entra ID tenant with MFA enabled.
• An account assigned the Global Administrator or Authentication Policy Administrator role.
• Access to the Microsoft Entra admin center.
• A user-communication plan ready before the change goes live.

If your tenant enforces Privileged Identity Management (PIM), activate your eligible role first. Without activation, the portal may not surface all required options. For a related hardening step that also benefits from PIM-aware administration, see the Intune Expedited Windows Quality Updates: Step-by-Step guide.

Step 1: How Do You Sign in to the Microsoft Entra Admin Center?

Open a browser and go to the Microsoft Entra admin center. Sign in with an account that holds the required administrative role.

https://entra.microsoft.com

If your organization uses PIM, activate your eligible role before proceeding so the portal surfaces all required options. Do not skip this step on tenants with strict just-in-time access policies.

Step 2: Navigate to All Users

In the left-hand navigation pane, expand Identity, then select Users, then All users. The user management blade appears, giving you access to the Per-user MFA shortcut.

Identity > Users > All users

Do not use the search bar shortcut for MFA settings. It can route you to a different configuration surface that does not show the service settings you need.

Step 3: Where Is the Per-user MFA Panel?

From the All users toolbar, select Per-user MFA. A separate browser tab opens with the classic multi-factor authentication portal.

This is the legacy interface that still hosts several tenant-wide MFA controls, including the trusted-device option. Despite the "per-user" label, the setting you are about to change applies to every MFA method across the entire tenant.

Microsoft Learn notes that this legacy setting is distinct from Conditional Access sign-in frequency, which Microsoft recommends for P1/P2 tenants instead.

Step 4: Access Service Settings

At the top of the Per-user MFA page, select Service settings. This tab shows tenant-wide controls for MFA behavior, including app passwords, verification methods, and the trusted-device memory option.

Per-user MFA portal > Service settings tab

Scroll to the section labeled Remember multi-factor authentication. You will see:

Allow users to remember multifactor authentication on devices they trust

The default bypass window this checkbox enables can reach up to 90 days, meaning a single successful sign-in on a shared or compromised device could suppress MFA prompts for three months.

Step 5: How Do You Uncheck the Option and Save?

Uncheck the box next to the trusted-device memory option. Once cleared, no users in the tenant will see any prompt to skip MFA on future sign-ins.

Select Save to apply the change tenant-wide.

[ ] Allow users to remember multifactor authentication on devices they trust
    ^
    Uncheck this box, then click Save

The change takes effect immediately. No deployment pipeline, restart, or additional configuration is required. In our lab, propagation completed within 60 seconds of saving.

Enabled vs. Disabled: What Actually Changes?

The table below shows the practical difference between leaving the setting on and turning it off.

For tenants that have suffered credential exposure - see the scale of damage possible in the FortiBleed: 73,932 Fortinet VPN Credentials Exposed incident report - eliminating cookie-based MFA bypass is a high-return, low-effort control.

How Do You Verify the Setting Is Disabled?

To confirm the change took effect, run through each of these checks:

1. Sign out of your current session and sign back in with a standard test user account that has MFA enforced.
2. Complete the MFA challenge. The portal should not present an option like "Don't ask again for X days" or any equivalent trusted-device prompt.
3. If the prompt still appears, return to Service settings and confirm the checkbox is unchecked. A hard refresh (Ctrl+Shift+R) clears stale UI state before you re-check.
4. Repeat the test with a second account in a different browser profile to rule out session-level caching.
5. If your organization uses Conditional Access, filter for the test user in Microsoft Entra ID > Monitoring > Sign-in logs and confirm MFA was required and completed - not satisfied by a remembered device claim.

For a related example of how Entra monitoring catches access anomalies, the Restore Deleted Microsoft Teams Team: PowerShell and Portal guide also covers sign-in log review as part of post-change validation.