How to exclude your M365 account from MFA Conditional Access Policy? 

During a migration from or to Microsoft 365, your connector will require a migration account. This account is a regular Microsoft 365 account that does not need any admin privileges. It does however need to be licensed in Microsoft 365, and have access to a mailbox and Microsoft Teams. We recommend that you use a dedicated migration account for the migration. You can later on safely delete this account once the migration is over.

The migration account needs to authenticate natively to M365, which means it needs to bypass MFA. Some organizations, as part of their access policies, cannot deactivate MFA on user basis. The workaround to this is to create a Conditional Access Policy in Azure. This policy will have MFA deactivated. Once created, you can add your migration account to this policy. 

Below are the steps and screenshots to show you how to create this policy.


  1. Login to Microsoft Entra ID (formerly known as Azure AD).
  2. On the left menu, click on Azure Active Directory and then to Conditional Access as shown in the screenshots below.


3. Either deactivate the policy you have in place, and create a new policy, or edit the existing policy to exclude the migration account from it.

4. The exclusion of the migration account is explained in the steps of the screenshot below:

5. Once this is done, save the policy and give it about 5 min for the changes to replicate. 

6. Test the policy manually by trying to login with the migration account. No MFA should now be prompted. You migration account is now ready for the migration.