How to set up multi-factor authentication (MFA) for Microsoft 365


Multi-factor authentication is one of the best security measures you can put in place to protect your Microsoft 365 accounts from unwanted access.

To enable multi-factor authentication (MFA) for Microsoft 365, follow these steps:

  • Sign in to the Microsoft Entra admin center with admin credentials.
  • Navigate to Identity > Properties and manage security defaults to enable basic MFA for all users.
  • For advanced control, set up Conditional Access policies under Identity > Security > Conditional Access.
  • Instruct users to register a second authentication method, such as the Microsoft Authenticator app, SMS, or a security key.
  • Test MFA with a small user group before rolling out organization-wide.
  • Monitor MFA sign-ins and adjust settings as your security needs evolve.

Rolling out MFA everywhere can feel like a headache, especially when you’re juggling user convenience and keeping things running smoothly. This guide walks you through the essentials of MFA in Microsoft 365—from the options you have, to managing policies that actually work. We’ll run through the prerequisites you need to check off before you start, and then get into the steps for both basic and more advanced MFA setups.

Every business is a little different—your security needs and user habits will shape how you deploy MFA. We’re giving you all the info you need to make smart choices, but it’s worth talking to a good IT pro to make sure your MFA setup fits your business and compliance requirements.

Multi-Factor Authentication in Microsoft 365

Multi-factor authentication slashes the risk of account compromise by asking for more than just a password. Let’s look at how MFA works in Microsoft 365 and what authentication methods actually matter for your security.

What Is Multi-Factor Authentication (MFA)?

Multi-factor authentication makes users provide two or more ways to verify who they are before they get into their Microsoft 365 accounts. It’s all about mixing something you know (like a password), something you have (your phone or an authenticator app), and something you are (biometrics).

Here are the main authentication factors:

  • Knowledge factors: Passwords, PINs, or security questions
  • Possession factors: Smartphones, hardware tokens, or smart cards
  • Inherence factors: Fingerprints, facial recognition, or voice patterns

Microsoft 365 lets you use a bunch of MFA methods: SMS, phone calls, Microsoft Authenticator app, and even hardware security keys. If you ask us, the Microsoft Authenticator app is usually the most secure and least annoying for users.

When someone signs in to Office 365 apps, they punch in their password, then handle the second step with whatever method they picked. This happens at the first sign-in and sometimes again, depending on your security policies.

How MFA Protects Microsoft 365 Accounts

MFA drops the risk of account compromise by up to 99.9%, at least according to Microsoft’s research. Even if someone steals a password through a phishing attack or a data breach, they can’t get in without that second factor.

MFA blocks common attacks like:

  • Phishing: Stolen passwords aren’t enough
  • Password spraying: Automated attacks get stuck at MFA
  • Credential stuffing: Leaked passwords from other sites won’t work
  • Brute force: Extra verification stops intruders cold

Attackers love to target Microsoft 365 users with phishing. They might trick someone into giving up a password, but they can’t fake the real-time authentication codes or app notifications.

When organizations use MFA, successful account takeovers almost disappear. This extra layer gives security teams time to notice and react to weird activity.

Modern Authentication Versus Legacy Authentication

Modern authentication uses OAuth 2.0 and supports MFA, while legacy authentication sticks with old-school methods that skip MFA completely. Microsoft 365 technically supports both, but you should disable legacy authentication.

Modern Authentication Perks:

  • Full MFA support for all apps
  • Token-based authentication that refreshes itself
  • Better security monitoring and logs
  • Works with conditional access policies

Legacy Authentication Problems:

  • Skips MFA entirely
  • Uses outdated protocols
  • Lousy monitoring
  • Really vulnerable to credential attacks

A ton of Office 365 tenants still have legacy authentication turned on by default. Stuff like older Outlook, IMAP, POP3, and SMTP clients use these outdated protocols.

Audit your environment to spot any legacy authentication use, then start moving everyone to apps that support modern authentication. Microsoft has tools to help you track and block legacy sign-ins.

Once you block legacy authentication, every Microsoft 365 login will require MFA—so attackers lose their favorite bypass trick.

Prerequisites and Preparation for Enabling MFA

Before you set up MFA, make sure you have the right licenses, admin access, and a plan for rolling it out. Double-check your Microsoft 365 tenant permissions and get users ready for the change.

Eligibility and Licensing Requirements

Basic MFA features come with most Microsoft 365 subscriptions via Security Defaults. That covers the basics for your whole tenant.

Enhanced MFA options need Azure AD Premium P1 or P2 licenses. These unlock Conditional Access for more detailed control.

Common licenses:

  • Microsoft 365 Business Premium – Has Azure AD Premium P1
  • Microsoft 365 E3 – Has Azure AD Premium P1
  • Microsoft 365 E5 – Has Azure AD Premium P2

Check your current licenses in the Microsoft 365 admin center under Billing > Licenses to see what’s available.

Informing and Planning for End Users

You have to communicate with users before flipping the MFA switch. Give folks at least a week’s notice so nobody freaks out or floods the help desk.

What to tell users:

  • When MFA is turning on
  • What methods they can use (phone, app, SMS)
  • How to register
  • Who to contact for help

Share training materials, especially for the Microsoft Authenticator app and backup options. Let users know they’ll need to register their devices when they sign in after MFA goes live.

Test with a small group—IT staff or a few volunteers—before rolling out to everyone. This helps you spot issues early.

Reviewing Admin Roles and Security Defaults

You’ll need Global Administrator or Security Administrator rights to set up MFA in Microsoft 365.

Check if Security Defaults are already on. Tenants created since October 2019 usually have them enabled, which means basic MFA is already running.

Look in the Microsoft Entra admin center under Identity > Overview > Properties > Manage security defaults to see the status.

If you have legacy per-user MFA enabled, turn it off before using Security Defaults or Conditional Access. Mixed setups can break stuff and confuse users.

Review your authentication policies in Azure Active Directory to avoid conflicts.

Step-by-Step Guide: Setting Up MFA in Microsoft 365

Let’s go through the process of setting up MFA in Microsoft 365, starting with basic security defaults and moving to advanced conditional access policies for cloud applications.

Enabling MFA for Users in Microsoft 365 Admin Center

The fastest way to turn on MFA is through security defaults in the Microsoft 365 admin center. For most organizations, this is the way to go.

Sign in to the Microsoft Entra admin center as a Global Administrator. Go to Identity > Overview > Properties and hit Manage security defaults.

Set Security defaults to Enabled and save. Now, all users and admins will need MFA within five days.

If you’re running legacy per-user MFA, turn it off first. Head to Users > Active users in the admin center, then pick multifactor authentication.

Select users and set their status to Disabled. This keeps things from clashing with security defaults.

Configuring Microsoft Authenticator App and Other Methods

The Microsoft Authenticator app is usually the best bet for most users. It gives push notifications and works offline for code generation.

After you enable security defaults, users get an email to set up MFA. They just download the app from their device’s store.

During setup, users scan a QR code to link their account. The app then handles time-based codes or push notifications for sign-in.

Other options are SMS, voice calls, and security keys. It’s smart to set up a backup method or two, just in case.

App passwords are for older apps that don’t support modern authentication, especially with Exchange Online. Users can make these in their security settings.

Using Conditional Access Policies for MFA

Conditional access policies let you control exactly when and how MFA kicks in. You’ll need Microsoft Entra ID P1 or higher for this.

To create a policy, go to Identity > Security > Conditional Access. Click New policy, then pick your users and apps.

Set up conditions—like location, device state, or app sensitivity. For example, require MFA for all cloud apps when users sign in from outside the office.

Set access controls to Require multi-factor authentication and turn the policy on. Start with a small group first.

Risk-based conditional access (with Entra ID P2) can trigger MFA automatically if it spots risky sign-ins.

Blocking Legacy Authentication and Securing Cloud Apps

Legacy authentication protocols are a huge security risk since they can’t use MFA. Block these whenever you can.

Set up a conditional access policy for Exchange Online and other cloud apps. In client apps, select legacy authentication clients like Exchange ActiveSync and IMAP.

Set access control to Block access for those protocols. This forces users onto modern authentication with MFA.

For sensitive cloud apps like SharePoint Online or Microsoft Teams, make specific policies that require MFA no matter where users are or what device they’re on.

Check your conditional access policies in the Azure AD sign-in logs to make sure they’re working and not locking out legit users.
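As an added example (not from this post or from Microsoft’s own documentation), here are the two policies from the last two sections, the MFA-for-all-cloud-apps policy and the legacy-authentication block, created with the Microsoft Graph PowerShell SDK instead of the portal. It assumes the Microsoft.Graph module is installed, that the signed-in admin can consent to the listed scopes, and that an emergency-access group named "Break Glass Accounts" exists; both policies are created in report-only mode so the sign-in logs show the impact before anyone is enforced.

```powershell
# Added example (not from the post): create the two Conditional Access policies described above
# with the Microsoft Graph PowerShell SDK. Assumes Install-Module Microsoft.Graph has been run and the
# signed-in admin can consent to the scopes below; the break-glass group name is an assumption.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All"

# Always exclude an emergency-access group so a mistake in these policies cannot lock every admin out.
$breakGlass = (Get-MgGroup -Filter "displayName eq 'Break Glass Accounts'").Id

# Policy 1: require MFA for all users on all cloud apps. Report-only mode records in the sign-in logs
# who would have been prompted without enforcing anything; flip state to "enabled" after the pilot.
$requireMfa = @{
    displayName   = "CA001 - Require MFA for all users"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlass) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $requireMfa

# Policy 2: block legacy authentication. "exchangeActiveSync" and "other" cover the clients that cannot
# perform MFA (older Outlook, IMAP, POP3, SMTP AUTH), so the grant control is block, not MFA.
$blockLegacy = @{
    displayName   = "CA002 - Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlass) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockLegacy

# Confirm both policies exist and are still report-only before moving on to the pilot group.
Get-MgIdentityConditionalAccessPolicy | Where-Object DisplayName -like "CA00*" | Select-Object DisplayName, State
```

Leave the policies in report-only mode while the pilot group signs in, then review the "Report-only" tab in the sign-in logs before switching either one to enabled.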

Managing and Monitoring MFA in Your Organization

Managing MFA isn’t a one-and-done thing. You’ll need to keep an eye on user authentication, fix issues quickly, and run regular security assessments. Set up clear support processes, use Azure’s logging tools, and tweak your security as threats change.

Resetting and Troubleshooting MFA for Users

When users hit MFA snags, we usually open the Microsoft 365 admin center and go to Users > Active users. Click the user, then Manage multifactor authentication to see what’s going on.

Often, we just reset the user’s MFA registration. Click their name, pick Require re-register MFA, and they’ll go through setup again.

If someone’s locked out, we can temporarily disable MFA by setting their status to Disabled in the MFA portal. That lets them back in to fix their authentication methods.

Common reset scenarios:

  • Lost or replaced phones
  • Authenticator app out of sync
  • Changed phone numbers
  • Broken hardware tokens

We keep records of these incidents to spot trends and improve training.

Monitoring Sign-In Activity and Logs

Azure Active Directory gives you detailed sign-in logs for tracking MFA and catching security issues. You’ll find these in the Azure portal under Azure Active Directory > Sign-ins.

These logs show details like MFA success rates, failures, and where users are signing in from. Filter by Authentication requirement to focus on MFA events.

We watch for:

  • MFA success/failure rates
  • Odd sign-in locations or times
  • Users who keep bypassing MFA
  • Preferred authentication methods

Red flags to look for:

  • Lots of failed MFA attempts
  • Sign-ins from weird locations
  • Users with MFA always off
  • Conditional Access violations

We usually export log data every month for compliance and to spot trends.
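As an added example (not from this post), the following script checks a batch of sign-in records for the red flags listed above and for the legacy-authentication use the earlier section told you to audit. The records are constructed to mirror the shape of Get-MgAuditLogSignIn output; the expected-country list, the failure threshold, and the sample users are assumptions.

```powershell
# Added example (not from the post): triage Entra sign-in records for the red flags listed above.
# Live data would come from the Microsoft.Graph module with the AuditLog.Read.All scope, e.g.
#   $signIns = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge 2024-01-01T00:00:00Z"
function Find-MfaRedFlags {
    param(
        [Parameter(Mandatory)] [object[]] $SignIns,
        [string[]] $ExpectedCountries = @("US"),   # assumption: where your users normally sign in from
        [int] $MfaFailureThreshold = 3             # assumption: tune to your help-desk baseline
    )
    $findings = [System.Collections.Generic.List[string]]::new()
    $modernClients = @("Browser", "Mobile Apps and Desktop clients")   # everything else is legacy auth
    foreach ($group in ($SignIns | Group-Object UserPrincipalName)) {
        $user = $group.Name; $rows = $group.Group
        # Many failed MFA challenges: AADSTS500121 = authentication failed during strong authentication.
        $mfaFailures = @($rows | Where-Object { $_.Status.ErrorCode -eq 500121 }).Count
        if ($mfaFailures -ge $MfaFailureThreshold) { $findings.Add("${user}: $mfaFailures failed MFA challenges") }
        # A user who never satisfied MFA in the window is effectively running without it.
        if (-not ($rows | Where-Object { $_.AuthenticationRequirement -eq "multiFactorAuthentication" })) {
            $findings.Add("${user}: single-factor sign-ins only, MFA never applied")
        }
        # Successful sign-in from a country you do not expect.
        foreach ($r in ($rows | Where-Object { $_.Status.ErrorCode -eq 0 -and $_.Location.CountryOrRegion -notin $ExpectedCountries })) {
            $findings.Add("${user}: successful sign-in from $($r.Location.CountryOrRegion) via $($r.IpAddress)")
        }
        # Conditional Access blocked the request: either an attack or a policy that needs tuning.
        $caFailures = @($rows | Where-Object { $_.ConditionalAccessStatus -eq "failure" }).Count
        if ($caFailures -gt 0) { $findings.Add("${user}: $caFailures Conditional Access failures") }
        # Legacy-authentication audit: these clients cannot complete MFA at all.
        foreach ($r in ($rows | Where-Object { $_.ClientAppUsed -notin $modernClients })) {
            $findings.Add("${user}: legacy client '$($r.ClientAppUsed)' still in use")
        }
    }
    return $findings
}

# Constructed sample records shaped like Get-MgAuditLogSignIn output (not real tenant data).
function New-SignIn($Upn, $Code, $Auth, $Client, $Country, $Ca = "success") {
    [pscustomobject]@{ UserPrincipalName = $Upn; IpAddress = "203.0.113.10"; ClientAppUsed = $Client
                       AuthenticationRequirement = $Auth; ConditionalAccessStatus = $Ca
                       Status = @{ ErrorCode = $Code }; Location = @{ CountryOrRegion = $Country } }
}
$sample = foreach ($i in 1..3) { New-SignIn "bob@example.com" 500121 "multiFactorAuthentication" "Browser" "US" }
$sample += New-SignIn "alice@example.com" 0 "multiFactorAuthentication" "Browser" "US"
$sample += New-SignIn "carol@example.com" 0 "multiFactorAuthentication" "Browser" "BR"
$sample += New-SignIn "dave@example.com"  0 "singleFactorAuthentication" "IMAP4" "US" "notApplied"
Find-MfaRedFlags -SignIns $sample
```

With the constructed data this flags bob for repeated MFA failures, carol for a successful sign-in from an unexpected country, and dave for both single-factor-only access and an IMAP4 legacy client, while alice produces no finding.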

Adapting Security Settings Over Time

Security defaults give you a basic layer of protection, but as organizations grow, we usually look at moving up to Conditional Access policies. That shift? It takes some planning—no one wants to mess up how people get their work done.

Every quarter, we check how well MFA works by digging into sign-in patterns and listening to what users have to say. Usually, we tweak trusted IP ranges, update which devices count as compliant, or fine-tune risk-based policies. It’s never just a set-it-and-forget-it thing.

Regular security reviews cover:

  • How many users actually adopt different authentication methods
  • Whether policies hold up against new threats
  • How well things play with new apps and services
  • If we’re still in line with industry regulations

We always suggest writing down any changes you make to security settings, along with why you made them. It’s not just about keeping records—it makes it easier to explain choices if someone asks.

As your organization changes, we’re here to help you find that sweet spot between keeping things secure and not making life harder for users. It’s a constant balancing act.


Ryan Drake

Ryan is the President of NetTech Consultants, a Jacksonville based managed IT services provider that serves organizations in Southeast Georgia and Northeast Florida. Ryan started with NetTech in 2013 and since then has led consistent strategic business growth by modernizing operations before assuming responsibility for all facets of the business in 2016 and continuing the trend. He holds several high-level industry certifications including the Certified Information Systems Security Professional (CISSP), and Cisco Certified Network Associate (CCNA).

