How Do I Set Up MFA in Microsoft 365?

Quick Answer

Enable Security Defaults for basic MFA, or use Conditional Access for more control. Security Defaults is one toggle. Conditional Access requires Azure AD Premium P1 (Azure AD is now called Microsoft Entra ID, so current licensing lists it as Entra ID P1) but gives you granular policies. Either way, require MFA for all users; the only exclusions should be your break-glass emergency accounts.

Two Approaches

Security Defaults (Simple)

  • Free with any Microsoft 365 plan
  • One toggle to enable
  • Requires MFA for all users
  • Limited customisation
Good for: Small organisations wanting basic MFA quickly.

Conditional Access (Recommended)

  • Requires Azure AD Premium P1, now called Microsoft Entra ID P1 (included in Business Premium, E3, E5)
  • Granular policy control
  • Risk-based authentication (sign-in risk and user risk conditions need Entra ID P2, included in E5)
  • Device compliance integration (with Intune)
Good for: Organisations wanting proper security configuration.

Option 1: Enable Security Defaults

Steps:

  1. Sign in to the Azure Portal (portal.azure.com) as Global Admin
  2. Navigate to Azure Active Directory > Properties (Azure AD is now Microsoft Entra ID; in the Entra admin center at entra.microsoft.com the same toggle is under Identity > Overview > Properties)
  3. Click Manage Security Defaults
  4. Set Enable Security Defaults to Yes
  5. Save
What happens:
  • All users required to register for MFA within 14 days
  • MFA required for admin roles on every sign-in
  • MFA required for all other users when Microsoft judges it necessary (for example a new device or an unusual location)
  • Legacy authentication blocked
Limitations:
  • All or nothing: can't exclude users, not even break-glass accounts
  • Can't customise conditions
  • No device compliance options
  • Cannot run alongside Conditional Access: you must switch Security Defaults off before you can create Conditional Access policies

Option 2: Conditional Access (Better)

Basic "MFA for everyone" policy

  1. Sign in to the Azure Portal as Global Admin (or the Microsoft Entra admin center at entra.microsoft.com, where this lives under Protection > Conditional Access)
  2. Navigate to Azure Active Directory > Security > Conditional Access
  3. Click New Policy
  4. Name: "Require MFA for all users"
Assignments:
  • Users: All users (exclude your break-glass emergency accounts)
  • Cloud apps (labelled Target resources in the current portal): All cloud apps
  • Conditions: (leave default)
Access controls:
  • Grant: Require multi-factor authentication
Enable policy: Report-only first, review the sign-in logs for a week or two, then switch to On

Additional recommended policies

Block legacy authentication:

  • Users: All users (exclude break-glass accounts)
  • Cloud apps: All cloud apps
  • Conditions: Client apps > tick Exchange ActiveSync clients and Other clients (both are legacy authentication; leave Browser and Mobile apps and desktop clients unticked)
  • Grant: Block
Require MFA for admins:
  • Users: Directory roles > Select admin roles (Global Administrator at minimum)
  • Cloud apps: All cloud apps
  • Grant: Require MFA, or better, Require authentication strength > Phishing-resistant MFA so admins must use a FIDO2 key or Windows Hello for Business rather than a push notification
Require compliant devices for sensitive apps:
  • Users: All users
  • Cloud apps: Select apps (SharePoint, etc.)
  • Grant: Require compliant device
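The following script is an added example, not part of the original article, showing how the "MFA for everyone" policy and the two recommended extra policies above can be created with the Microsoft Graph PowerShell SDK instead of clicking through the portal. It first checks that Security Defaults is off (the two cannot coexist), resolves the break-glass account so it can be excluded, and creates every policy in report-only mode. The UPN breakglass@contoso.com and the CA00x naming prefix are placeholders to replace with your own; the built-in role template and authentication strength are looked up by display name rather than hardcoded.

```powershell
# Added example (not from the original article). Requires the Microsoft.Graph module.
# Placeholder: replace breakglass@contoso.com with your own break-glass account UPN.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All','User.Read.All','RoleManagement.Read.Directory'

# Security Defaults and Conditional Access cannot coexist; stop if it is still on.
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($sd.IsEnabled) {
    throw 'Security Defaults is enabled; switch it off before creating Conditional Access policies.'
}

# Conditional Access exclusions take object IDs, not UPNs, so resolve the account first.
$breakGlass = Get-MgUser -UserId 'breakglass@contoso.com' -Property Id -ErrorAction Stop

# Look up the Global Administrator role template and the built-in phishing-resistant
# authentication strength by display name instead of hardcoding their GUIDs.
$gaRole = Get-MgDirectoryRoleTemplate | Where-Object DisplayName -eq 'Global Administrator'
$phishResistant = Get-MgPolicyAuthenticationStrengthPolicy | Where-Object DisplayName -eq 'Phishing-resistant MFA'
if (-not $gaRole -or -not $phishResistant) { throw 'Role template or authentication strength lookup failed.' }

# All three start as report-only ('enabledForReportingButNotEnforced');
# change state to 'enabled' once the sign-in logs look right.
$policies = @(
    @{
        displayName   = 'CA001 - Require MFA for all users'
        state         = 'enabledForReportingButNotEnforced'
        conditions    = @{
            users        = @{ includeUsers = @('All'); excludeUsers = @($breakGlass.Id) }
            applications = @{ includeApplications = @('All') }
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
    },
    @{
        displayName   = 'CA002 - Block legacy authentication'
        state         = 'enabledForReportingButNotEnforced'
        conditions    = @{
            users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlass.Id) }
            applications   = @{ includeApplications = @('All') }
            # Both of these are legacy auth; browser and modern clients are deliberately left out.
            clientAppTypes = @('exchangeActiveSync', 'other')
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('block') }
    },
    @{
        displayName   = 'CA003 - Require phishing-resistant MFA for Global Administrators'
        state         = 'enabledForReportingButNotEnforced'
        conditions    = @{
            users        = @{ includeRoles = @($gaRole.Id); excludeUsers = @($breakGlass.Id) }
            applications = @{ includeApplications = @('All') }
        }
        grantControls = @{ operator = 'OR'; authenticationStrength = @{ id = $phishResistant.Id } }
    }
)

foreach ($p in $policies) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    Write-Host ('Created {0} ({1}) in state {2}' -f $created.DisplayName, $created.Id, $created.State)
}
```

The break-glass account is excluded from all three policies, including the admin policy, because that account is exactly what you need when an authentication strength or a lost key locks the administrators out. Run the script once, leave the policies in report-only for a week or two, and only then change each policy's state to enabled.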

Before You Enable

Communicate to users

Tell people MFA is coming:
  • What to expect
  • How to register
  • Support resources

Test first

Use Report-only mode for Conditional Access policies. Review sign-in logs to see what would happen.

Plan for exceptions

You need break-glass accounts excluded from every Conditional Access policy (and therefore from MFA) in case a policy locks everyone out. Secure these differently: cloud-only accounts, a long random password or FIDO2 key stored offline in a safe, no licences or mailboxes, and an alert on any sign-in so that use is noticed immediately.

Handle legacy apps

Some apps don't support modern authentication (older scan-to-email devices, scripts using SMTP AUTH, POP/IMAP mail clients). Identify them before blocking legacy auth: filter the sign-in logs by Client app and look for anything other than Browser or Mobile Apps and Desktop clients.
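The two checks above, testing in report-only mode and finding legacy-auth clients, both come down to reading the sign-in logs. The script below is an added example, not from the original article: it pulls the last 7 days of sign-ins with the Microsoft Graph PowerShell SDK, lists who is still authenticating with a legacy client, and summarises what each report-only policy would have done. It assumes the Microsoft.Graph module, an account granted AuditLog.Read.All, and an Entra ID P1 tenant (sign-in log access through Graph needs it); the 7-day window is an arbitrary choice.

```powershell
# Added example (not from the original article). Requires the Microsoft.Graph module.
Connect-MgGraph -Scopes 'AuditLog.Read.All','Directory.Read.All'

# Graph expects the timestamp in ISO 8601 UTC for the createdDateTime filter.
$since   = (Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

# Anything other than the browser or a modern client is legacy authentication
# (SMTP AUTH, IMAP, POP, Exchange ActiveSync, older Office clients, ...).
$modern = @('Browser', 'Mobile Apps and Desktop clients')
$legacy = $signIns | Where-Object { $_.ClientAppUsed -and ($_.ClientAppUsed -notin $modern) }

"`nAccounts still using legacy authentication (fix these before enforcing the block):"
$legacy |
    Group-Object UserPrincipalName, ClientAppUsed, AppDisplayName |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Each sign-in records the outcome of every report-only policy that was evaluated:
# reportOnlySuccess, reportOnlyFailure, reportOnlyNotApplied or reportOnlyInterrupted.
"`nReport-only outcomes per policy:"
$signIns |
    ForEach-Object { $_.AppliedConditionalAccessPolicies } |
    Where-Object { $_.Result -like 'reportOnly*' } |
    Group-Object DisplayName, Result |
    Sort-Object Name |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Read the second table as a preview of enforcement: reportOnlyFailure rows under the legacy-authentication block policy are the sign-ins that would be blocked once it is switched on, and reportOnlyInterrupted under the MFA policy are the users who would have been prompted. The first table is your list of devices and scripts to reconfigure (or accounts to retire) before enforcement day.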

MFA Methods

Microsoft Authenticator app (recommended):

  • Push notifications
  • Number matching (Microsoft now enforces this for Authenticator push notifications; confirm it shows as enabled under Authentication methods)
  • Passwordless option
Phone:
  • SMS codes (less secure: interceptable and open to SIM-swap attacks)
  • Phone call (less secure)
Hardware security keys:
  • FIDO2 keys (most secure, phishing-resistant)
  • Best for admins
Recommendation: Require Microsoft Authenticator with number matching for everyone. Disable SMS and voice call for admins and require phishing-resistant MFA (FIDO2) for them instead.

Common Mistakes

Excluding too many users "Everyone except sales" defeats the purpose. MFA for all, no exceptions.

Not enabling number matching Without it, users can approve MFA prompts without knowing what they're approving (MFA fatigue attacks). Microsoft now enforces number matching for Authenticator push notifications, but check it has not been switched off in your tenant's Authentication methods policy.

Forgetting service accounts Service accounts can't answer an MFA prompt, so they get quietly excluded and become the weakest link. Replace them with managed identities or app registrations using certificates where possible; where a user account is unavoidable, restrict it to named IP locations with Conditional Access and alert on sign-ins from anywhere else.

No break-glass accounts If MFA breaks and no one can sign in, you need emergency access. Plan for this.

What We Configure

For managed clients, we implement Conditional Access properly:

  • MFA required for all users
  • Number matching enabled
  • Legacy authentication blocked
  • Risk-based policies active
  • Admin accounts extra-protected
  • Break-glass accounts secured
  • Monitoring enabled
MFA is essential—but "enabled" isn't the same as "properly configured."
