Morning folks. Situation: Have a BitWarden user whose account was set up before we had enterprise, so they don’t have Account Recovery set up. They also don’t have emergency access set up. Their MS Authenticator bugged out, and they’ve lost their MFA. They’re still signed into the web extension, so haven’t lost access despite not completing full authentication for months.
We could have them export their vault, and build a new one - but their vault uses their work email, so they’d need to setup using a new email. Which isn’t ideal.
Wondering, if I enable SSO via Azure, would they be able to log in to the web portal without the MFA requirement? Thx
If they have two-step-login enabled, they have lost it, and they don’t have the recovery code, then it doesn’t matter if they are enrolled in enterprise account recovery or not, they won’t be able to login.
Again: no, they would not.
They could delete their old account before creating a new one with the same email; the only thing needed to delete it is access to the email.
But make sure the export is complete before doing so; once the account is deleted there is no going back.
Thank you for the delete link, this is helpful. I didn’t think this could be done.
I understand the Enterprise Account Recovery won’t bypass MFA (we’ve also set up Account Takeover for everyone, for this reason)... So just to confirm, logging in via SSO DOES require MFA? I’m just trying to check - other SSO services I have enabled do not require MFA (if using SSO) - but obviously BitWarden works differently.
I wasn’t aware they could export from the extension either, so this might just be the better option (with account deletion) rather than setting up SSO. - thanks
lol nope, they have not. Fortunately, they’re not a big user - and anything work related is in our corporate vault. I’m actually surprised they haven’t had an issue logging into the extension yet - but it hasn’t required a complete auth in months.
Reading that article again though, I see exactly where you mention. I was hoping this wasn’t the case - based on other SSO experiences, but I understand BitWarden’s auth process is different. Kiko below has informed me that we can delete the account without authenticating however, so IG we will go that route. Thanks again
I, as an admin of our IdP, would like to be able to:
Force users to use MFA at the IdP level (I obviously can and do that already)
Forbid users to enable Bitwarden two-step-login (that I can’t do).
So that if a user loses his second factor I can help him recover his account. Now I can’t if he enabled Bitwarden two-step-login and lost it. His account is lost without hope.