How to require two-step verification for a user or group

You can take one of two approaches for requiring two-step verification. The first option is to enable each user for Azure Multi-Factor Authentication (MFA). When users are enabled individually, they perform two-step verification each time they sign in (with some exceptions, such as when they sign in from trusted IP addresses or when the remembered devices feature is turned on). The second option is to set up a conditional access policy that requires two-step verification under certain conditions.


Choose one of these methods to require two-step verification, not both. Enabling a user for Azure Multi-Factor Authentication overrides any conditional access policies.

Which option is right for you?

Enabling Azure Multi-Factor Authentication by changing user states is the traditional approach for requiring two-step verification. It works for both Azure MFA in the cloud and Azure MFA Server. All users that you enable perform two-step verification every time they sign in. Enabling a user overrides any conditional access policies that might affect that user.

Enabling Azure Multi-Factor Authentication with a conditional access policy is a more flexible approach for requiring two-step verification. It only works for Azure MFA in the cloud, though, and conditional access is a paid feature of Azure Active Directory. You can create conditional access policies that apply to groups as well as individual users. High-risk groups can be given more restrictions than low-risk groups, or two-step verification can be required only for high-risk cloud apps and skipped for low-risk ones.

Both options prompt users to register for Azure Multi-Factor Authentication the first time they sign in after the requirements turn on. Both options also work with the configurable Azure Multi-Factor Authentication settings.

Enable Azure MFA by changing user status

User accounts in Azure Multi-Factor Authentication have the following three distinct states:

Status: Disabled
  Description: The default state for a new user not enrolled in Azure MFA.
  Non-browser apps affected: No
  Browser apps affected: No
  Modern authentication affected: No

Status: Enabled
  Description: The user has been enrolled in Azure MFA, but has not registered. They receive a prompt to register the next time they sign in.
  Non-browser apps affected: No. They continue to work until the registration process is completed.
  Browser apps affected: Yes. After the session expires, Azure MFA registration is required.
  Modern authentication affected: Yes. After the access token expires, Azure MFA registration is required.

Status: Enforced
  Description: The user has been enrolled and has completed the registration process for Azure MFA.
  Non-browser apps affected: Yes. Apps require app passwords.
  Browser apps affected: Yes. Azure MFA is required at login.
  Modern authentication affected: Yes. Azure MFA is required at login.

A user's state reflects whether an admin has enrolled them in Azure MFA, and whether they completed the registration process.

All users start out Disabled. When you enroll users in Azure MFA, their state changes to Enabled. When enabled users sign in and complete the registration process, their state changes to Enforced.

View the status for a user

Use the following steps to access the page where you can view and manage user states:

  1. Sign in to the Azure portal as an administrator.
  2. Go to Azure Active Directory > Users and groups > All users.
  3. Select Multi-Factor Authentication.
  4. A new page that displays the user states opens.

Change the status for a user

  1. Use the preceding steps to get to the Azure Multi-Factor Authentication users page.
  2. Find the user you want to enable for Azure MFA. You might need to change the view at the top.
  3. Check the box next to their name.
  4. On the right, under quick steps, choose Enable or Disable.


    Enabled users are automatically switched to Enforced when they register for Azure MFA. Do not manually change the user state to Enforced.

  5. Confirm your selection in the pop-up window that opens.

After you enable users, notify them via email. Tell them that they'll be asked to register the next time they sign in. Also, if your organization uses non-browser apps that don't support modern authentication, they need to create app passwords. You can also include a link to the Azure MFA end-user guide to help them get started.

Use PowerShell

To change the user state by using Azure AD PowerShell, change $st.State. There are three possible states:

  • Enabled
  • Enforced
  • Disabled

Don't move users directly to the Enforced state. If you do, non-browser-based apps stop working because the user has not gone through Azure MFA registration and obtained an app password.

Using PowerShell is a good option when you need to bulk-enable users. Create a PowerShell script that loops through a list of users and enables them:

    $st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $st.RelyingParty = "*"
    $st.State = "Enabled"
    $sta = @($st)
    # $userPrincipalName holds the UPN of the user to enable (for example, a value from Get-MsolUser)
    Set-MsolUser -UserPrincipalName $userPrincipalName -StrongAuthenticationRequirements $sta

The following script is an example:

    # Requires the MSOnline module; sign in first with Connect-MsolService
    $users = "","",""   # fill in the user principal names to enable
    foreach ($user in $users) {
        $st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
        $st.RelyingParty = "*"
        $st.State = "Enabled"
        $sta = @($st)
        Set-MsolUser -UserPrincipalName $user -StrongAuthenticationRequirements $sta
    }
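The following script is an added example, not code from the original article or from Microsoft. It extends the loop above into an idempotent rollout with the MSOnline module: it first reports how many users are Disabled, Enabled, or Enforced (an empty StrongAuthenticationRequirements collection means Disabled), then enables only the users from a CSV who are still Disabled, so a rerun never touches an Enforced user and the script can never set Enforced itself. The CSV path, the Get-MfaUserState and Disable-MfaUser helpers, and the assumption that the signed-in account holds an administrator role that may change user states are all this example's own.

```powershell
# Added example (not from the original article): audit Azure MFA user states and
# bulk-enable users from a CSV without ever setting Enforced directly.
# Assumes the MSOnline module is installed and the signed-in account can change user states.
Import-Module MSOnline
Connect-MsolService   # prompts for administrator credentials

# Effective per-user state: no StrongAuthenticationRequirements entry means Disabled;
# otherwise the entry's State property is Enabled or Enforced.
function Get-MfaUserState {
    param([Parameter(Mandatory)] $User)
    if (-not $User.StrongAuthenticationRequirements -or
        $User.StrongAuthenticationRequirements.Count -eq 0) {
        return "Disabled"
    }
    return $User.StrongAuthenticationRequirements[0].State
}

# Clearing the requirements collection returns a user to Disabled (the portal's Disable action).
function Disable-MfaUser {
    param([Parameter(Mandatory)] [string] $UserPrincipalName)
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @()
}

# Report the state distribution; run this before and after a rollout to confirm the change.
Get-MsolUser -All |
    ForEach-Object { [pscustomobject]@{ UPN = $_.UserPrincipalName; State = Get-MfaUserState $_ } } |
    Group-Object State |
    Select-Object Name, Count

# Enable users listed in a CSV that has a single UserPrincipalName column (constructed path).
$targets = Import-Csv -Path ".\mfa-rollout.csv"
foreach ($row in $targets) {
    $user = Get-MsolUser -UserPrincipalName $row.UserPrincipalName -ErrorAction SilentlyContinue
    if (-not $user) {
        Write-Warning "Not found: $($row.UserPrincipalName)"
        continue
    }

    $current = Get-MfaUserState $user
    if ($current -ne "Disabled") {
        # Already Enabled or Enforced: skip, so reruns are idempotent and an Enforced user is never touched.
        Write-Host "$($user.UserPrincipalName) is already $current; skipping"
        continue
    }

    $st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $st.RelyingParty = "*"
    $st.State = "Enabled"   # never "Enforced": completing registration promotes the user automatically
    Set-MsolUser -UserPrincipalName $user.UserPrincipalName -StrongAuthenticationRequirements @($st)
    Write-Host "Enabled $($user.UserPrincipalName)"
}
```

Keeping the state check in a function lets you log the before-and-after counts from the same code path that the rollout uses, and the skip on anything other than Disabled is what makes the script safe to run more than once against the same CSV.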

Enable Azure MFA with a conditional access policy

Conditional access is a paid feature of Azure Active Directory, with many configuration options. These steps walk through one way to create a policy. For more information, read about Conditional Access in Azure Active Directory.

  1. Sign in to the Azure portal as an administrator.
  2. Go to Azure Active Directory > Conditional access.
  3. Select New policy.
  4. Under Assignments, select Users and groups. Use the Include and Exclude tabs to specify which users and groups the policy manages.
  5. Under Assignments, select Cloud apps. Choose to include All cloud apps.
  6. Under Access controls, select Grant. Choose Require multi-factor authentication.
  7. Turn Enable policy to On, and then select Save.
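The same policy as the seven portal steps above, expressed as an added example with the AzureAD PowerShell module's conditional access cmdlets; this is not code from the original article or from Microsoft. It assumes the AzureAD module is installed, the signed-in account holds a role that can create conditional access policies, and that you replace the two placeholder group object IDs with your own. Excluding a break-glass group is this example's own choice, using the Exclude tab the steps mention, so an MFA outage cannot lock every administrator out.

```powershell
# Added example (not from the original article): create the "Require MFA for all cloud apps"
# policy with the AzureAD module instead of the portal. Group IDs are placeholders.
Import-Module AzureAD
Connect-AzureAD

$includeGroupId = "<object id of the group that must use MFA>"      # placeholder
$excludeGroupId = "<object id of the break-glass account group>"     # placeholder

# Step 4: Assignments > Users and groups, with the Include and Exclude tabs.
$conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet
$conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
$conditions.Users.IncludeGroups = $includeGroupId
$conditions.Users.ExcludeGroups = $excludeGroupId

# Step 5: Assignments > Cloud apps > All cloud apps.
$conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
$conditions.Applications.IncludeApplications = "All"

# Step 6: Access controls > Grant > Require multi-factor authentication.
$controls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
$controls._Operator = "OR"
$controls.BuiltInControls = "mfa"

# Step 7: Enable policy = On. To preview who would be affected before enforcing,
# create it with -State "enabledForReportingButNotEnforced" first (report-only mode).
$policy = New-AzureADMSConditionalAccessPolicy `
    -DisplayName "Require MFA for all cloud apps" `
    -State "Enabled" `
    -Conditions $conditions `
    -GrantControls $controls

# Read the stored policy back to confirm the assignments and grant control.
Get-AzureADMSConditionalAccessPolicy -PolicyId $policy.Id |
    Select-Object DisplayName, State,
        @{ n = "IncludeGroups"; e = { $_.Conditions.Users.IncludeGroups -join "," } },
        @{ n = "ExcludeGroups"; e = { $_.Conditions.Users.ExcludeGroups -join "," } },
        @{ n = "Grant";         e = { $_.GrantControls.BuiltInControls -join "," } }
```

Reading the policy back after creation is the check worth keeping in any change script: the portal shows the same fields, and a mismatch between the intended include/exclude groups and what was stored is the usual cause of a policy that either misses users or locks out the wrong ones.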

The other options in the conditional access policy give you the ability to specify exactly when two-step verification is required. For example, you can make a policy such as this one: When contractors try to access our procurement app from untrusted networks on devices that are not domain-joined, require two-step verification.

Next steps