Set up MFA in Microsoft 365 to safeguard data
Learn how to set up multifactor authentication in Microsoft 365 to enhance security, prevent unauthorized access and protect critical business data across the organization.
Protecting corporate data is no longer just an IT task -- it's crucial to business. Multifactor authentication (MFA) can help organizations significantly reduce the risks of unauthorized access and safeguard critical assets by adding an extra layer of security.
For organizations using Microsoft 365, setting up MFA is the first step toward strengthening identity security. By configuring MFA to ensure that only trusted users and devices can access business applications, organizations can help safeguard their data across the Microsoft ecosystem.
Why adopt multifactor authentication?
If your organization isn't already using MFA for logging into its Microsoft Azure environment, it's time to enable it. MFA increases security by requiring users to provide a username and password while signing in, as well as a second form of authentication such as an app notification, a phone call, a text or voice code, or a physical hardware key. This helps protect against account takeover from stolen or guessed passwords.
Microsoft Entra ID (formerly Azure Active Directory) requires two or more of the following:
- Something you have, such as a trusted device or a hardware key.
- Something you know, such as a password.
- Something you are, such as a biometric fingerprint or face scan.
MFA options in Microsoft 365/Entra ID
There are four primary ways to enable MFA:
- Security defaults. They provide basic tenant-wide enforcement -- an all-or-nothing approach -- that applies to all users, regardless of whether they've previously registered for MFA.
- Conditional Access policies. These require MFA based on conditions such as location, device or risk level. For example, a policy can prompt for MFA only when users sign in remotely from outside the office network.
- Per-user MFA. This is a legacy method for enabling MFA for individual users, but it isn't recommended for new setups.
- Entra ID Protection. This applies risk-based MFA: Entra ID evaluates signals such as sign-in history and device compliance to determine sign-in risk, and requires additional verification when the risk is elevated.
Conditional Access can't be used simultaneously with Security defaults. IT must disable Security defaults before creating Conditional Access policies.
Disabling security features can have serious consequences, so proceed with caution. Before disabling any security features, it's important to understand the potential risks and assess the possible effect on the organization.
Enable Security defaults
Using this simple option, MFA is applied by default tenant-wide for all authentication requests and accounts. Once enabled, no further configuration options are available. The effects of enabling Security defaults include the following:
- All users must register for MFA within two weeks of their next sign-in.
- Only the Microsoft Authenticator app is supported for approvals.
- Administrators are always required to use MFA.
- Users will be prompted to provide MFA when Microsoft deems it necessary -- such as when they sign into a new device or application.
- Legacy authentication for POP, IMAP and SMTP is blocked.
IT can set up Security defaults through the following steps:
- Sign in to the Entra admin center with the Security Administrator, Conditional Access Administrator or Global Administrator role.
- Navigate to Identity > Overview > Properties > Manage security defaults.
- Select Enable Security defaults > Yes.
- Save the changes.
Configure Conditional Access
Conditional Access is a more configurable MFA option than the per-user method and Security defaults. The steps to configure Conditional Access are the following:
- Set the security defaults to "Disabled (not recommended)".
- In the Entra admin center, go to Identity > Protection > Conditional Access > Policies.
- Select + New Policy.
- Name the policy; for example, "Require MFA for all users."
- Under Assignments, choose Users and groups. Select the accounts and groups to which the policy applies.
- Under Cloud apps or actions, select All cloud apps, or select specific apps.
- Under Conditions, configure when MFA is required; for example, for external locations or risky sign-ins.
- Under Access Controls, select Grant access > Require multifactor authentication.
- Enable the policy and click Create.
The new policy should then enforce MFA dynamically based on the conditions chosen.
The specific steps might vary based on the Microsoft 365 version and setup, but the general process should be the same.
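The same procedure can be scripted. The following is an added example in Microsoft Graph PowerShell, not code from the article: it checks whether Security defaults are still on and turns them off (step 1 above), then creates the "Require MFA for all users" policy with the assignments from steps 5 to 8. The cmdlets and permission scopes are the public Microsoft Graph PowerShell ones; the break-glass account ID and the report-only starting state are this example's own assumptions.

```powershell
# Added example (not from the article). Requires the Microsoft.Graph modules
# (Install-Module Microsoft.Graph) and an account holding one of the admin
# roles the article names for the Entra admin center.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess' -NoWelcome

# 1. Conditional Access cannot coexist with Security defaults: read their
#    state and disable them only if they are still enabled.
$defaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($defaults.IsEnabled) {
    Write-Warning 'Security defaults are enabled; disabling them so Conditional Access can take over.'
    Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$false
}

# 2. Policy body mirroring the portal steps: all users, all cloud apps,
#    grant access only with MFA. Emergency-access (break-glass) accounts are
#    excluded so an MFA outage cannot lock every administrator out.
$breakGlass = @('00000000-0000-0000-0000-000000000001')   # PLACEHOLDER: your break-glass account object IDs

$policy = @{
    displayName   = 'Require MFA for all users'
    # Assumption of this example: start in report-only mode and switch to
    # 'enabled' once the sign-in logs show the expected accounts would be prompted.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users        = @{
            includeUsers = @('All')
            excludeUsers = $breakGlass
        }
        applications = @{
            includeApplications = @('All')
        }
        # Optional condition from step 7: apply only outside trusted named locations.
        # locations = @{ includeLocations = @('All'); excludeLocations = @('AllTrusted') }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy '$($created.DisplayName)' (id $($created.Id)) in state '$($created.State)'."
```

Report-only mode lets you review the "Report-only" result in the sign-in logs before enforcement; once the prompts land where expected, change `state` to `enabled`.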
Enable per-user MFA
This legacy option still exists but is being replaced by Conditional Access. Avoid using this for new deployments.
To set up MFA for an individual user, perform the following steps:
- Sign in to the Microsoft 365 admin center with an account that has the necessary permissions.
- Go to Users > Active users.
- Select Multifactor authentication. If this option is hidden, open the menu represented by three dots.
- In the MFA portal, click on a user and select Enable > confirm.
- The user will be required to complete MFA registration at the next login.
Bulk enable MFA for many users
To enable MFA for many users at the same time, start with the same steps as for a single user. Then, carry out the following steps:
- In the Per-User MFA portal, select Bulk Update.
- Download the CSV template.
- Add usernames of accounts for which to enable MFA.
- Upload the CSV file and confirm activation.
All uploaded users will be required to complete MFA registration upon their next sign-in, using either a text message, phone call or the Microsoft Authenticator app.
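For the bulk-update step, the list of usernames can be generated rather than typed by hand. The following is an added example in Microsoft Graph PowerShell, not code from the article: it reads the members of an Entra ID group and writes the CSV that the per-user MFA portal's Bulk Update accepts. The group name is a placeholder, and the column headers `Username` and `MFA Status` are an assumption of this example; compare them with the template downloaded from the portal before uploading.

```powershell
# Added example (not from the article). Requires the Microsoft.Graph modules.
Connect-MgGraph -Scopes 'Group.Read.All', 'User.Read.All' -NoWelcome

$groupName = 'MFA-Pilot-Users'                       # PLACEHOLDER: group display name
$outFile   = Join-Path $PWD 'mfa-bulk-enable.csv'

$group = Get-MgGroup -Filter "displayName eq '$groupName'"
if (-not $group) { throw "Group '$groupName' not found." }

# Only user objects can be enabled for MFA; nested groups, devices and
# service principals returned by the membership query are skipped.
$members = Get-MgGroupMember -GroupId $group.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' }

$rows = foreach ($m in $members) {
    $user = Get-MgUser -UserId $m.Id -Property UserPrincipalName, AccountEnabled
    if (-not $user.AccountEnabled) { continue }       # disabled accounts cannot complete registration
    # Column names assumed to match the portal's CSV template.
    [pscustomobject]@{ 'Username' = $user.UserPrincipalName; 'MFA Status' = 'Enabled' }
}

$rows | Export-Csv -Path $outFile -NoTypeInformation -Encoding UTF8
"Wrote $(@($rows).Count) users to $outFile; upload it via Bulk Update in the per-user MFA portal."
```

Filtering out disabled accounts keeps the upload to users who can actually register at their next sign-in, and restricting the export to user objects avoids rejected rows for non-user group members.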
When setting up MFA for an organization, keep the following best practices in mind:
- Use Security defaults for quick, simple enforcement.
- Use Conditional Access for scalable, flexible control.
- Avoid per-user MFA for new setups. Instead, reserve this option for small or test organizations.
- Consider Entra ID Protection for risk-based adaptive MFA.
Implementing MFA in Microsoft 365 is an effective way to strengthen enterprise security. The setup process requires careful planning and user communication to ensure a smooth transition. Still, the ROI is clear, as it provides enhanced protection for critical data, a reduced chance of account compromise and stronger compliance confidence.
MFA should be part of an organization's broader identity and access management framework that addresses evolving threats. This includes regularly reviewing authentication policies, monitoring user behavior and refining access controls as the organization evolves. A proactive approach to MFA ensures Microsoft 365 remains secure in an increasingly complex threat environment.
Helen Searle-Jones holds a group head of IT position in the manufacturing sector. She draws on 30 years of experience in enterprise and end-user computing, utilizing cloud and on-premises technologies to enhance IT performance.