How to Enforce MFA in Microsoft 365: Step-by-Step Guide


Passwords alone are no longer enough. Eighty-four percent of credential breaches stem from phishing, password spray or credential reuse. Microsoft recommends—and will soon require—phishing-resistant Multi-Factor Authentication (MFA) for every tenant. This guide shows you how to enable MFA as quickly as possible while minimizing user impact.

Contents

  1. Introduction: Why MFA Is Mandatory Today
  2. What Is MFA in Microsoft 365?
  3. Prerequisites Before Configuring MFA
  4. Available MFA Methods
  5. User-Level MFA Configuration
  6. Organization-Level MFA Configuration (Conditional, Mandatory)
  7. Best Practices: Avoiding Lockouts and Adoption Issues
  8. Special Considerations (BYOD, Service Accounts)
  9. Conclusion & Next Steps: Hardening Security Further

1. Introduction: Why MFA Is Mandatory Today

With the rise of remote work and targeted phishing, relying on a single password is an unacceptable risk. MFA adds a second factor (something you have or are) and blocks more than 99 % of password-based attacks. Microsoft has announced that Security Defaults with MFA will be enabled by default for all new tenants and urges existing tenants to migrate.


2. What Is MFA in Microsoft 365?

MFA combines two or more factors:

  • Knowledge – what you know (password, PIN).
  • Possession – what you have (phone, FIDO2 key).
  • Inherence – what you are (fingerprint, face).

In Microsoft 365, MFA is implemented through Microsoft Entra ID and can be enabled per individual user (Legacy MFA), via Security Defaults, or through Conditional Access.


3. Prerequisites Before Configuring MFA

  • Global Administrator or Conditional Access Administrator role.
  • Minimum license: Microsoft 365 Business Premium, Office 365 E1/E3 (for Security Defaults) or Entra ID P1 if you will use Conditional Access.
  • Users must have mobile numbers or email access for the first verification.
  • Microsoft Authenticator installed if you choose push notifications (recommended).

4. Available MFA Methods

| Method | Phishing Resistance | Requirements | Recommended Use |
|---|---|---|---|
| FIDO2 / Passkey | ⭐⭐⭐⭐⭐ | USB/NFC or platform key | Admins & VIPs |
| Microsoft Authenticator Push + Code | ⭐⭐⭐⭐ | iOS/Android phone | General users |
| Windows Hello (biometrics) | ⭐⭐⭐ | Managed device | Corporate PCs |
| SMS / Phone Call | | Mobile number | Fallback scenario |

5. User-Level MFA Configuration

5.1 Classic Portal (Quick Approach)

  1. Entra Admin Center ▸ Users ▸ Multi-Factor Authentication.
  2. Select one or more users ▸ Enable.
  3. On next sign-in, they will be prompted to register a method.

5.2 PowerShell to Enable Multiple Users

# Legacy per-user MFA through the MSOnline module (deprecated; Microsoft has retired it)
Connect-MsolService
# Build the StrongAuthenticationRequirement object that Set-MsolUser expects
$req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$req.RelyingParty = "*"
$req.State = "Enabled"
# Enable per-user MFA for everyone whose Department attribute is "Sales"
Get-MsolUser -Department "Sales" | Set-MsolUser -StrongAuthenticationRequirements @($req)

Note: Good for pilot testing but does not scale or apply access controls.


6. Organization-Level MFA Configuration

6.1 Security Defaults (Easy & Free)

  1. Entra Admin Center ▸ Properties ▸ Manage Security Defaults.
  2. Turn on Enable Security Defaults.
  3. All users must register MFA within 14 days.

Limitations: cannot exclude service accounts or apply granular group settings.

6.2 Conditional Access (Granular, Requires Entra ID P1/P2)

6.2.1 Create “Global MFA” Policy

  1. Entra Admin Center ▸ Conditional Access ▸ + New policy.
  2. Assignments: Include ▸ All users; Exclude ▸ “Service Accounts”.
  3. Cloud apps: All cloud apps.
  4. Conditions: Location ▸ Exclude trusted locations if applicable.
  5. Grant: Require authentication strength ▸ Multi-Factor Auth.
  6. Enable in Report-only for 7 days, review logs, then switch to On.
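The same six steps, scripted with Microsoft Graph PowerShell. This is an added example, not code from the original post: it assumes the Microsoft.Graph module is installed, that the caller holds the Conditional Access Administrator role, that the exclusion group from section 8.2 ("Service Accounts – Exempt") already exists, and that the built-in authentication strength is named "Multifactor authentication" in the tenant. It also checks one caveat the portal steps do not mention: Security Defaults and Conditional Access cannot both be active, so the script stops if Security Defaults is still on.

```powershell
# Added example (not the original post's code): create the "Global MFA"
# Conditional Access policy from section 6.2.1 in report-only mode.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All"

# Security Defaults and Conditional Access are mutually exclusive; creating a
# CA policy while Security Defaults is on leads to confusing sign-in results.
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($sd.IsEnabled) { throw "Disable Security Defaults before using Conditional Access." }

# Exclusion group for service accounts (group name taken from section 8.2; assumed to exist).
# Critical accounts you exempt during testing (section 7) can be placed in this group too.
$exempt = Get-MgGroup -Filter "displayName eq 'Service Accounts – Exempt'"
if (-not $exempt) { throw "Create the 'Service Accounts – Exempt' group first." }

# Look up the built-in "Multifactor authentication" strength by display name
# instead of hard-coding its id (display name is an assumption about the tenant).
$mfaStrength = Get-MgPolicyAuthenticationStrengthPolicy |
    Where-Object { $_.DisplayName -eq 'Multifactor authentication' }
if (-not $mfaStrength) { throw "Built-in MFA authentication strength not found." }

$policy = @{
    displayName = "Global MFA"
    # Step 6: start in report-only; switch to "enabled" after reviewing the logs
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        # Step 2: all users, minus the exclusion group
        users        = @{ includeUsers = @("All"); excludeGroups = @($exempt.Id) }
        # Step 3: all cloud apps
        applications = @{ includeApplications = @("All") }
        # Step 4: every location except the ones marked trusted
        locations    = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
    }
    grantControls = @{
        # Step 5: require the MFA authentication strength
        operator               = "OR"
        authenticationStrength = @{ id = $mfaStrength.Id }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy $($created.DisplayName) with id $($created.Id) in report-only mode"

# After the 7-day review window, enforce the policy (step 6):
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }
```

Keeping the policy in report-only first matters: once the state is "enabled", every user outside the exclusion group who has not registered a method is blocked at sign-in, so run the registration campaign from 6.2.2 and review the report-only results before switching it on.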

6.2.2 Forced Registration Campaign

Entra Admin Center ▸ Identity Protection ▸ Registration Campaign, select group “All.” Users get up to five reminders until they register MFA.


7. Best Practices: Avoiding Lockouts and Adoption Issues

  • Advance communication: send an email with FAQs and a two-minute video.
  • Just-in-time training: step-by-step screens during registration.
  • Backup method: require two methods (Authenticator + SMS).
  • Trusted locations: to reduce friction, initially exclude fixed offices (only if you have static IP & Zero Trust network).
  • Temporary exclusions: use groups to exempt critical accounts until testing is complete.
  • Monitor in real time: Entra ▸ Sign-in logs ▸ filter for “MFA denied” errors to act quickly.
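The last bullet above, and the "review logs" step of 6.2.1, can be scripted rather than done by hand in the portal. This is an added example, not code from the original post: it assumes the Microsoft.Graph module with the AuditLog.Read.All permission, a Conditional Access policy named "Global MFA" in report-only mode, and that Entra sign-in error code 500121 ("authentication failed during strong authentication request") is the code behind the "MFA denied" filter the bullet refers to. Property names follow what the Microsoft.Graph module exposes on sign-in objects.

```powershell
# Added example (not the original post's code): review the last 7 days of
# sign-ins for (a) MFA denials and (b) sign-ins the report-only "Global MFA"
# policy would have blocked.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

# Graph filters on createdDateTime need an ISO-8601 UTC timestamp
$since   = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

# (a) MFA denied / failed challenges, grouped per user so that repeated
#     failures against one account (a sign of push fatigue or a stolen
#     password being tried) stand out at the top of the list.
$mfaDenied = $signIns | Where-Object { $_.Status.ErrorCode -eq 500121 }
Write-Output "MFA failures in the last 7 days: $($mfaDenied.Count)"
$mfaDenied |
    Group-Object UserPrincipalName |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'User'; e = { $_.Name } }, Count |
    Format-Table -AutoSize

# (b) Report-only impact: every sign-in where "Global MFA" evaluated to
#     reportOnlyFailure is one that would have been blocked once the
#     policy is switched on. Review these before enforcing.
$wouldBlock = $signIns | Where-Object {
    $_.AppliedConditionalAccessPolicies |
        Where-Object { $_.DisplayName -eq 'Global MFA' -and $_.Result -eq 'reportOnlyFailure' }
}
Write-Output "Sign-ins 'Global MFA' would have blocked: $($wouldBlock.Count)"
$wouldBlock |
    Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName, IPAddress |
    Sort-Object CreatedDateTime -Descending |
    Format-Table -AutoSize
```

Run section (b) daily during the report-only window: the users it lists are exactly the ones who still need the registration campaign, or who belong in the temporary exclusion group, before the policy state is set to On.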

8. Special Considerations (BYOD, Service Accounts)

8.1 BYOD & Personal Devices

Requires MFA + device evaluation. Options:

  • Conditional Access with Require device to be marked as compliant (Intune).
  • Use App Protection Policies to isolate corporate data on mobile devices.

8.2 Service Accounts & SMTP Flow

  • Avoid MFA; use OAuth tokens or Managed Identities instead.
  • Create group “Service Accounts – Exempt” and exclude it from the MFA policy.
  • Disable interactive sign-in for these accounts.

9. Conclusion & Next Steps: Hardening Security Further

Enforcing mandatory MFA in Microsoft 365 drastically reduces account-compromise risk. With well-configured Security Defaults or Conditional Access, you protect users, data, and reputation. Next, consider deploying FIDO2 keys for critical admins and complementing with Risk-Based Conditional Access and Endpoint Protection for a full Zero-Trust posture.

Need assistance? Cloud Fighters offers accelerated MFA deployment services and cloud-security advice.
