How to Enable Multi-Factor Authentication for Microsoft 365

TL;DR: For Microsoft Entra ID Free, enable security defaults in the Microsoft Entra admin center > Identity > Overview > Properties > Manage security defaults. For Microsoft Entra ID P1 or P2, build a Conditional Access policy that requires multifactor authentication for all users. Don’t use legacy per-user MFA — Microsoft hasn’t recommended it in years.

Multifactor authentication is the single highest-value security control for Microsoft 365. Microsoft’s own data shows it blocks more than 99% of automated identity attacks. There are three ways to enable it; pick based on what licenses you own.

What this does

MFA forces a user to verify their identity with a second factor — typically the Microsoft Authenticator app, a hardware token, or a phone — in addition to their password. With MFA enabled, even a compromised password isn’t enough for an attacker to sign in.

Microsoft 365 offers three mechanisms:

  1. Security defaults — a free, all-or-nothing baseline that enforces MFA for everyone. Available on every tenant via Microsoft Entra ID Free. Tenants created after October 2019 have this on by default.
  2. Conditional Access policies — fine-grained rules (“require MFA for everyone except guests on a corporate IP”). Requires Microsoft Entra ID P1 or P2 (included in Microsoft 365 Business Premium, E3, and E5).
  3. Legacy per-user MFA — the original MFA configuration. Still works, no longer recommended, can’t be combined with security defaults or Conditional Access.

When you’d want this

  • Always. If MFA isn’t on, an attacker who phishes a password gets your tenant.
  • Specifically: when onboarding a new tenant, when migrating off per-user MFA, or when graduating from security defaults to Conditional Access.

Option A: Security defaults (Microsoft Entra ID Free)

Best for small organizations on lower-tier licensing. Five things turn on at once: MFA registration for all users, MFA enforcement when needed, blocking legacy authentication, requiring MFA for admins on every sign-in, and protecting privileged operations.

  1. Sign in to the Microsoft Entra admin center at https://entra.microsoft.com as a Security Administrator or Global Administrator.
  2. Go to Identity > Overview > Properties.
  3. Select Manage security defaults.
  4. Set Security defaults to Enabled.
  5. Select Save.

Users have 14 days to register for MFA with the Microsoft Authenticator app from their first sign-in after security defaults is enabled. After 14 days, they can’t sign in without completing registration.

Caveat

Security defaults can’t coexist with Conditional Access policies. If you have any CA policies enabled, the Manage security defaults option is greyed out — Microsoft Entra forces an either-or choice.

Option B: Conditional Access policies (Microsoft Entra ID P1 or P2)

Better for organizations with more than ~50 users or specific compliance/access requirements. Pick this when you outgrow security defaults.

The recommended starter set is three policies:

  1. Require MFA for administrators
  2. Require MFA for all users (with break-glass account exclusions)
  3. Block legacy authentication (otherwise MFA can be bypassed by old protocols)

Steps to create the “require MFA for all users” policy

  1. Sign in to the Microsoft Entra admin center at https://entra.microsoft.com as a Conditional Access Administrator.
  2. Go to Entra ID > Conditional Access > Policies.
  3. Select New policy.
  4. Give it a clear name following your naming standard (e.g., CA001 — Require MFA for all users).
  5. Under Assignments > Users or workload identities:
    • Include: All users.
    • Exclude: Users and groups > your organization’s break-glass accounts. Optionally also exclude Directory Synchronization Accounts if you use Microsoft Entra Connect.
  6. Under Target resources > Resources (formerly cloud apps) > Include, select All resources (formerly ‘All cloud apps’).
  7. Under Access controls > Grant:
    • Select Grant access.
    • Check Require multifactor authentication.
    • Select Select.
  8. Under Enable policy, set to Report-only first to see what it would have done.
  9. Select Create.
  10. Monitor the Sign-in logs in Microsoft Entra ID for 24-48 hours. When the Conditional Access column shows the policy applying as intended and not blocking break-glass, switch the toggle to On.

Always exclude at least two break-glass accounts from MFA enforcement. These are emergency-access accounts that you’d use if MFA infrastructure itself is broken. Document them, monitor sign-ins on them, and store their credentials offline.

Legacy per-user MFA (avoid)

The page exists in the Microsoft 365 admin center under Users > Active users > Multi-factor authentication. It pre-dates Conditional Access and security defaults and conflicts with both. Microsoft has been steering customers off it for years; if you find it enabled on a tenant, migrate users off it before turning on security defaults or Conditional Access, or sign-ins will break.

PowerShell — toggle security defaults

# Policy.Read.All covers reading the policy; Policy.ReadWrite.ConditionalAccess covers updating it
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

# Read current state
Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy

# Enable
Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy `
  -BodyParameter @{ IsEnabled = $true }

There’s no cmdlet that builds a Conditional Access policy from individual parameters: New-MgIdentityConditionalAccessPolicy exists, but it takes the whole policy as a JSON body (or PowerShell hashtable) via -BodyParameter. For most teams, the admin center UI is the right tool here.
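For teams that do want the starter set scripted, this added example (not from the original guide or from Microsoft) builds the "require MFA for all users" policy from the steps above plus the "block legacy authentication" policy, both in report-only state. It assumes the Microsoft.Graph PowerShell SDK, an Entra ID P1 license, and a group holding your break-glass accounts; the group ID and the CA001/CA002 names are placeholders to replace with your own.

```powershell
# Added example: create two report-only Conditional Access policies with the Graph SDK.
# Both scopes are required by the Graph "create conditionalAccessPolicy" call.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

# PLACEHOLDER: object ID of the group that contains your break-glass accounts.
$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"

# Policy 1 (steps 4-8 above): all users, all resources, grant requires MFA.
$requireMfa = @{
    DisplayName = "CA001 - Require MFA for all users"
    # Report-only: logs what the policy would have done without enforcing it.
    State       = "enabledForReportingButNotEnforced"
    Conditions  = @{
        Users = @{
            IncludeUsers  = @("All")
            ExcludeGroups = @($breakGlassGroupId)
        }
        Applications = @{
            IncludeApplications = @("All")
        }
    }
    GrantControls = @{
        Operator        = "OR"
        BuiltInControls = @("mfa")
    }
}

# Policy 2: block the client app types that cannot perform MFA.
# "exchangeActiveSync" and "other" are the two legacy client app types;
# browser and modern mobile/desktop clients are left alone.
$blockLegacy = @{
    DisplayName = "CA002 - Block legacy authentication"
    State       = "enabledForReportingButNotEnforced"
    Conditions  = @{
        Users = @{
            IncludeUsers  = @("All")
            ExcludeGroups = @($breakGlassGroupId)
        }
        Applications = @{
            IncludeApplications = @("All")
        }
        ClientAppTypes = @("exchangeActiveSync", "other")
    }
    GrantControls = @{
        Operator        = "OR"
        BuiltInControls = @("block")
    }
}

# Create both and print the IDs Entra assigned, so you can find them in the portal
# and flip State to "enabled" once the sign-in logs look right.
foreach ($policy in @($requireMfa, $blockLegacy)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    "{0}  id={1}  state={2}" -f $created.DisplayName, $created.Id, $created.State
}
```

Leaving State at enabledForReportingButNotEnforced is deliberate: switch each policy to "enabled" (in the portal or with Update-MgIdentityConditionalAccessPolicy) only after the report-only results confirm the break-glass exclusion works.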

Notes and gotchas

  • MFA registration is its own conversation. Users register at https://aka.ms/mfasetup. Microsoft Authenticator (push) is the recommended method; SMS works but is the weakest. Hardware FIDO2 keys are the strongest.
  • Combined registration. Turn on combined registration so users register MFA and self-service password reset in the same flow. It’s the default on tenants created after August 2020.
  • Block legacy authentication first. MFA can be bypassed by older protocols (POP, IMAP, SMTP AUTH) that don’t support modern auth. The “Block legacy authentication” Conditional Access policy is mandatory if MFA is going to actually protect you.
  • Authenticator app push is being replaced with number matching. Microsoft enabled this by default in 2023 to defend against MFA fatigue attacks — users now have to type a number into the app rather than just tap Approve.
  • Permissions: minimum role is Conditional Access Administrator for CA policies, Security Administrator for security defaults. Avoid using Global Administrator for routine policy work.
  • License check: Conditional Access requires Microsoft Entra ID P1 (included with Microsoft 365 Business Premium, E3, F3, A3, E5, A5). Verify you have it before designing policies you can’t actually deploy.
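Step 10 of the policy walkthrough and the "block legacy authentication first" note both come down to reading the sign-in logs before you enforce anything. This added example (not from the original guide) pulls the last 48 hours of sign-ins with Get-MgAuditLogSignIn and answers three questions: how the report-only policy evaluated, whether any break-glass account was caught by it, and which accounts still authenticate with legacy clients. The policy name and the break-glass UPNs are constructed placeholders; sign-in log access needs an Entra ID P1 license.

```powershell
# Added example: review sign-in logs before switching report-only policies to On.
# Listing sign-ins requires both of these delegated scopes.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

# Graph accepts ISO-8601 UTC timestamps in $filter; look back 48 hours (step 10).
$since   = (Get-Date).ToUniversalTime().AddHours(-48).ToString("yyyy-MM-ddTHH:mm:ssZ")
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

# 1. How did the report-only policy evaluate?
#    Expected values are reportOnlySuccess / reportOnlyFailure / reportOnlyNotApplied
#    / reportOnlyInterrupted while the policy is in report-only state.
$policyName = "CA001 - Require MFA for all users"   # PLACEHOLDER: your policy's display name
"== $policyName: report-only outcomes =="
$signIns |
    ForEach-Object { $_.AppliedConditionalAccessPolicies } |
    Where-Object   { $_.DisplayName -eq $policyName } |
    Group-Object   Result |
    Select-Object  Name, Count |
    Format-Table   -AutoSize

# 2. Break-glass accounts must never show the policy applying to them.
$breakGlass = @("breakglass1@contoso.example", "breakglass2@contoso.example")  # PLACEHOLDERS
"== Break-glass sign-ins touched by $policyName =="
$signIns |
    Where-Object { $breakGlass -contains $_.UserPrincipalName } |
    Where-Object {
        $_.AppliedConditionalAccessPolicies |
            Where-Object { $_.DisplayName -eq $policyName -and $_.Result -ne "reportOnlyNotApplied" }
    } |
    Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName, ClientAppUsed |
    Format-Table  -AutoSize

# 3. Who still uses legacy authentication?
#    Only these two client app values can satisfy an MFA prompt; every other value
#    (IMAP4, POP3, Authenticated SMTP, Exchange ActiveSync, "Other clients", ...) is
#    legacy and will be cut off by the block policy, so fix those users first.
$modernClients = @("Browser", "Mobile Apps and Desktop clients")
"== Legacy authentication still in use =="
$signIns |
    Where-Object { $_.ClientAppUsed -and ($modernClients -notcontains $_.ClientAppUsed) } |
    Group-Object  UserPrincipalName, ClientAppUsed |
    Sort-Object   Count -Descending |
    Select-Object Count, Name |
    Format-Table  -AutoSize
```

If section 2 prints any rows, the exclusion in the policy is wrong and the policy must stay in report-only until it is fixed; if section 3 is non-empty, those users (often shared mailboxes, scanners and old mail clients) need to move to modern authentication before CA002 is enforced, or their mail will stop flowing.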
