The many ways to implement multi-factor authentication (MFA) in Microsoft 365

There are five, count it five, separate ways to configure multifactor authentication in Microsoft 365. In this article, we will go over three of them because one of them is no longer supported and one of them uses third-party tools that are out of scope for the MS-500.

Security Defaults

Security defaults are the latest way to enable MFA in Microsoft 365. Security defaults enable MFA across your entire tenant. That includes all of your users. There is no way to limit MFA to a select user or group with security defaults. If you created your tenant after October 22nd, 2019 security defaults are probably already enabled on your tenant. 

By enabling security defaults in your Microsoft 365 tenant you're not only requiring MFA but you're also blocking legacy authentication, for example, IMAP, POP3, and basic auth.

Security Defaults is available for all Microsoft 365 tenants regardless of your licensing.

How to enable/disable security defaults

1. Go to Azure Active Directory admin center > Azure Active Directory > Properties > Manage Security Defaults. Click Yes to enable the policy. Click No to disable the policy. Click Save.

Microsoft 365 security defaults

Per-user MFA

Per-user MFA gives more control over who is required to use multifactor authentication, but it requires you to enable MFA for every user individually. That means every time you create a new user in Microsoft 365 you need to enable MFA for that user. But it also means you can roll out MFA to a set of users.

Per-user MFA is available for all Microsoft 365 tenants regardless of your licensing.

How to enable per-user MFA

1. Go to Microsoft 365 admin center > Active users > Multi-factor authentication.

Microsoft 365 Per-User MFA

2. Click the check box next to a user you want to enable MFA for. Click Enable.

Enable per-user MFA

3. Click enable multi-factor auth.

Enable multi-factor auth

Conditional access policy

The last built-in choice is via conditional access policies. Conditional access policies provide the best of security defaults as well as the best per-user MFA. With conditional access policies, you can deploy MFA to a user or a group of users, so you don't have to require MFA for all users like you do with security defaults. Also, you can configure conditional access policies to include all users or all administrators, so you don't need to remember to enable MFA for every new user like you need to do with per-user MFA.

The one downside of conditional access policies is licensing. Conditional access policies are only available for azure SD premium P1 licensed users. Conditional access policies are also available to Microsoft 365 business premium users.

How to enable MFA using conditional access policies

1. log in to Azure Active Directory admin center > All services > Azure AD Conditional Access > New Policy > Create new policy.

Create a conditional access policy

2. Enter a name of “Require MFA

Name the conditional access Policy Require MFA

3. Click 0 users or workload identities selected. Click All users.

Set Conditional access policy to all users

4. Click No cloud apps, actions, or authentication contexts selected. Click All cloud apps.

Conditional access policy all cloud apps

5. Click 0 controls selected (under Grant). Click Require multi-factor authentication. Click Select. Click On (under Enable policy). Click Create.

Conditional access policy requiring MFA

MFA Server

Another possibility to deploy multifactor authentication in Microsoft 365 is to deploy an MFA server. MFA server would be an application that's installed on any Windows 2008 R two or later server that's joined to your domain. In short, you would download the MFA server installation files from Microsoft and install the software on your server. Then with a quick configuration, you can deploy your MFA server. As of July 1st, 2019 Microsoft, no longer offers an MFA server for new deployments. So, we won't be covering the installation or configuration in this guide.

Third-party options

Microsoft has also configured Microsoft 365 so third-party vendors can offer multifactor authentication options. There are a number of vendors who sell software or cloud-only options that can tie into Microsoft 365 and provide you with multifactor authentication. Some of those vendors are one login and duo. They won't be covering the deployment of these options in this guide because they are not covered in the MS-500.

User experience

Once MFA is enabled for a user the user will see the following prompts (either in the browser or in Outlook).

1. On the More information required prompt click Next.

MFA Enabled More information required

2. On Keep your account secure / start by getting the app page download Microsoft Authenticator to your mobile phone and open the app.

Install the authentication app

3. Once in the app click I agree > Scan a QR code > While using the app.

Setup the authenticator app

3. Then go back to the sign-in page and click Next.

Keep you account secure page

3. On Scan the QR code page scan the QR code with the Microsoft authenticator app on your phone. Click Next.

Scan the QR code with your phone

4. Approve the sign-in request on your phone.

Approve the sign in

5. Once you see the Notification approved message click Next.

Notification approved

6. on the Phone page, enter your cell phone number and click Next.

Enter phone number to receive text message

7. Enter the code texted to you in the space provided. Click Next.

Enter the code you received in the text message

8. Once you see SMS verified. Click Next.

SMS verified

9. On the success page click Done.

Click done