Almost everything here lives in the Microsoft Entra admin center at entra.microsoft.com (the identity side of Microsoft 365). Users register their methods at aka.ms/mfasetup.
A note on editions
Basic MFA via Security Defaults is free on every Microsoft 365 plan. Conditional Access—the more flexible option—needs Microsoft Entra ID P1, which is included in Microsoft 365 Business Premium. Pick the path that matches your license below.
1. Two ways to require MFA
- Security Defaults — a single switch that requires MFA registration for everyone, prompts when needed, and blocks legacy auth. Perfect for smaller teams without Business Premium.
- Conditional Access — policy-based rules ("require MFA for all users and all apps") with finer control: trusted locations, excluded break-glass accounts, and stronger requirements for admins.
Use one or the other—not both. If you have Business Premium, Conditional Access is the better long-term choice.
2. The simple path: Security Defaults
- Go to entra.microsoft.com → Identity → Overview → Properties.
- Select Manage security defaults, set it to Enabled, and save.
Everyone gets 14 days to register the Microsoft Authenticator app on next sign-in, then MFA is required. That's it.
3. The flexible path: Conditional Access
If you have Entra ID P1 / Business Premium, turn off Security Defaults and build policies at entra.microsoft.com → Protection → Conditional Access:
- Create a policy: all users (exclude your break-glass accounts), all cloud apps, grant access only with Require multifactor authentication. Run it in report-only mode first to see who it would affect, then switch to On.
- Add a second policy requiring MFA specifically for admin roles, every time.
- Optionally require MFA only from outside trusted locations to cut prompts on the office network.
4. Choose strong methods, ban SMS
Control which second factors are allowed at entra.microsoft.com → Protection → Authentication methods:
- Enable Microsoft Authenticator (with number matching on—it defeats "MFA fatigue" push-bombing) and passkeys / FIDO2 security keys.
- Disable text message and voice call as methods where you can—they're the weakest and can be SIM-swapped.
- Run a registration campaign to nudge anyone still on SMS over to the Authenticator app.
5. Phishing-resistant MFA for admins
Admins are the top target, so hold them to a higher bar. With Conditional Access you can require phishing-resistant MFA (passkeys / FIDO2 security keys / Windows Hello) for admin roles using an authentication strength:
- At entra.microsoft.com → Protection → Conditional Access, create a policy targeting your admin roles.
- Under Grant, choose Require authentication strength → Phishing-resistant MFA.
Enroll each admin with a passkey or hardware security key before you turn this on.
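The policies from sections 3 and 5 can also be created with Microsoft Graph PowerShell, as in this added example (not part of the original guide). It assumes the Microsoft.Graph module is installed, that you sign in with an account allowed to manage Conditional Access, and uses placeholder break-glass UPNs; both policies are created in report-only mode so nothing is enforced until you have reviewed the sign-in logs.

```powershell
# Added example, not from the original guide. Security Defaults must already be off
# (section 3) or policy creation will be rejected. Break-glass UPNs below are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","Directory.Read.All"

# Resolve the break-glass accounts to object IDs so every policy can exclude them (section 6).
$breakGlassUpns = @("breakglass1@contoso.example", "breakglass2@contoso.example")  # placeholders
$breakGlassIds = foreach ($upn in $breakGlassUpns) {
    $u = Get-MgUser -Filter "userPrincipalName eq '$upn'" -Property Id
    if (-not $u) { throw "Break-glass account $upn not found; create it before enforcing anything." }
    $u.Id
}

# Policy 1 (section 3): MFA for all users and all cloud apps, report-only first.
$mfaForAll = @{
    displayName   = "CA001 - Require MFA for all users"
    state         = "enabledForReportingButNotEnforced"   # change to "enabled" after review
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeUsers = $breakGlassIds }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $mfaForAll

# Policy 2 (section 5): phishing-resistant MFA for admins via the built-in authentication strength.
# Both the strength and the role are looked up by display name rather than hard-coded IDs.
$strength = Get-MgPolicyAuthenticationStrengthPolicy |
    Where-Object { $_.DisplayName -eq "Phishing-resistant MFA" }
if (-not $strength) { throw "Built-in 'Phishing-resistant MFA' strength not found." }
$globalAdminRole = Get-MgDirectoryRoleTemplate |
    Where-Object { $_.DisplayName -eq "Global Administrator" }

$mfaForAdmins = @{
    displayName   = "CA002 - Phishing-resistant MFA for admins"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeRoles = @($globalAdminRole.Id); excludeUsers = $breakGlassIds }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = $strength.Id }   # no builtInControls when using a strength
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $mfaForAdmins
```

Add further admin role templates to includeRoles as needed, and only flip the state to "enabled" once every admin in scope has a passkey or security key registered.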
6. Set up break-glass accounts
Before you enforce anything, create two emergency "break-glass" admin accounts: cloud-only Global Administrators, each with a long unique passphrase stored somewhere safe (a sealed envelope or your password manager's emergency kit). Exclude them from your Conditional Access policies so a misconfiguration can never lock you out of your own tenant—then monitor them closely and alert on any sign-in.
7. Block legacy authentication
Old protocols can't do MFA, so they're a way around it. Security Defaults blocks them automatically. With Conditional Access, add a "Block legacy authentication" policy. Microsoft has already retired Basic Auth in Exchange Online for most tenants—confirm it's off.
8. Track registration
See who's enrolled and chase the stragglers before enforcement: entra.microsoft.com → Protection → Authentication methods → Activity shows registration status, and the Sign-in logs show whether MFA is actually being applied. While you're here, turn on self-service password reset (with MFA) so password resets don't become help-desk tickets.
Your Microsoft 365 MFA checklist
- MFA required for all users (Security Defaults or Conditional Access)
- Conditional Access tested in report-only mode before enforcing
- Microsoft Authenticator (number matching) and passkeys enabled
- SMS and voice disabled as methods; users migrated off them
- Admins required to use phishing-resistant MFA
- Two break-glass Global Admins created and excluded from policies
- Legacy authentication blocked
- Registration tracked; self-service password reset turned on
Microsoft moves and renames these settings from time to time—the bold names are stable search terms. Running Google too? See How to Secure Google Workspace with MFA.