Set up multi-factor authentication

Based on your understanding of multi-factor authentication (MFA) and its support in Microsoft 365, it’s time to set it up and roll it out to your organization.

Before you begin, determine if these special conditions apply to you and take the appropriate action:

All other users will be asked to perform additional authentication when needed. For more information, please visit Two-factor verification method and settings.


Step 1. Decide on the method of requiring your users to use MFA

Note

You must be a global admin to set up or modify MFA.

There are three ways to require your users to use MFA for sign-ins. See MFA support in Microsoft 365 for the details.

  • Security defaults (recommended for small businesses)

    If you purchased your subscription or trial after October 21, 2019, and you're unexpectedly prompted for MFA, security defaults have been automatically enabled for your subscription.

    Every new Microsoft 365 subscription will automatically have security defaults turned on. This means that every user will have to set up MFA and install the Microsoft Authenticator app on their mobile device.

    All users must use the Microsoft Authenticator app as their additional verification method and legacy authentication is blocked.

  • Conditional Access policies (recommended for enterprises)

    Users choose the additional verification method during MFA registration.

  • Per-user account (not recommended)

    Users choose the additional verification method during MFA registration.

Step 2. Test MFA on your pilot users

If you are using Conditional Access policies or per-user MFA (not recommended), select pilot users in your business or organization to test MFA registration and sign-ins. For example:

  • For Conditional Access policies, create a pilot users group and a policy that requires MFA for the members of the group and for all apps. Then, add your pilot user’s accounts to the group.

  • For per-user MFA, enable MFA for the user accounts of your pilot users one at a time.

Work with your pilot users to address questions and issues to prepare for a smooth rollout to your organization.
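The Conditional Access pilot described above (a pilot group plus a policy that requires MFA for all apps for that group's members) can be scripted with the Microsoft Graph PowerShell SDK instead of clicking through the portal. The following is an added example, not code from the Microsoft 365 documentation: it assumes the Microsoft.Graph module is installed, that the signed-in global admin can consent to the listed scopes, and that the group name, policy name and user principal names (constructed sample values) are replaced with your own.

```powershell
# Added example (not from the Microsoft 365 documentation): create a pilot group,
# add pilot users, and create a Conditional Access policy that requires MFA for
# those users on all cloud apps. Names and UPNs below are constructed samples.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "GroupMember.ReadWrite.All", `
    "User.Read.All", "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

# 1. Create the pilot group (a security group with assigned membership).
$pilotGroup = New-MgGroup -DisplayName "MFA Pilot Users" -MailNickname "mfapilot" `
    -MailEnabled:$false -SecurityEnabled:$true

# 2. Add the pilot users' accounts to the group (sample UPNs, replace with your own).
$pilotUpns = @("alice@contoso.example", "bob@contoso.example")
foreach ($upn in $pilotUpns) {
    $user = Get-MgUser -UserId $upn
    New-MgGroupMember -GroupId $pilotGroup.Id -DirectoryObjectId $user.Id
}

# 3. Policy: members of the pilot group, all cloud apps, MFA as the grant control.
#    It starts in report-only mode so the sign-in logs show what the policy
#    would have done before anyone is actually blocked.
$policyBody = @{
    displayName   = "Pilot: Require MFA for all apps"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeGroups = @($pilotGroup.Id) }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $policyBody

# 4. Once the report-only results look right, switch the same policy to enforced.
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id `
    -BodyParameter @{ state = "enabled" }
```

Starting the policy in report-only mode is the scripted equivalent of testing with pilot users: you can review the Conditional Access outcome in the Azure AD sign-in logs for each pilot account before flipping the state to enabled, and widening the rollout later is just a matter of adding more accounts to the pilot group or targeting a broader group in the policy.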

Step 3. Inform your organization that MFA is coming

Use email notifications, hallway posters, team meetings, or formal training to ensure that your employees understand:

Most importantly, make sure your employees understand when the MFA requirement is going to be imposed so that it does not surprise them.

Step 4. Roll out the MFA requirement to your organization or users

Based on your chosen MFA requirement method, roll out the MFA requirement to the employees beyond your pilot testers.

Security defaults

You enable or disable security defaults from the Properties pane for Azure Active Directory (Azure AD) in the Azure portal.

  1. Sign in to the Microsoft 365 admin center with global admin credentials.
  2. Go to the Azure Active Directory - Properties page.
  3. At the bottom of the page, choose Manage Security defaults.
  4. Choose Yes to enable security defaults and No to disable security defaults, and then choose Save.

If you have been using baseline Conditional Access policies, here is how you move to using security defaults.

  1. Go to the Conditional Access - Policies page.
  2. Choose each baseline policy that is On and set Enable policy to Off.
  3. Go to the Azure Active Directory - Properties page.
  4. At the bottom of the page, choose Manage Security defaults.
  5. Choose Yes to enable security defaults and No to disable security defaults, and then choose Save.
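The same two procedures (enable security defaults, and first switch off any Conditional Access policies that are still on) can be done from PowerShell. This is an added example, not code from the Microsoft 365 documentation; it assumes the Microsoft.Graph module is installed and that the signed-in global admin can consent to the listed scopes.

```powershell
# Added example (not from the Microsoft 365 documentation): enable security
# defaults with the Microsoft Graph PowerShell SDK, after checking that no
# Conditional Access policy is still enabled (security defaults and enabled
# Conditional Access policies cannot be on at the same time).
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

# Mirror of the portal step "choose each baseline policy that is On and set
# Enable policy to Off": list any policy whose state is still "enabled".
$stillOn = Get-MgIdentityConditionalAccessPolicy | Where-Object { $_.State -eq "enabled" }
if ($stillOn) {
    foreach ($p in $stillOn) {
        Write-Warning "Conditional Access policy still enabled: $($p.DisplayName) ($($p.Id))"
    }
    # Stop here so the admin can review each policy and turn it off deliberately,
    # for example with:
    #   Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $p.Id `
    #       -BodyParameter @{ state = "disabled" }
    throw "Disable the policies listed above before enabling security defaults."
}

# Enable security defaults (the portal's "Manage Security defaults" > Yes > Save).
Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$true

# Read the setting back to confirm the change took effect.
$state = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
Write-Output "Security defaults enabled: $($state.IsEnabled)"
```

Passing `-IsEnabled:$false` to the same cmdlet is the equivalent of choosing No in the portal. Because enabling security defaults forces every user to register for MFA with the Microsoft Authenticator app and blocks legacy authentication, run the check for enabled Conditional Access policies first and confirm the pilot and communication steps above are done before the final call.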

Conditional Access policies

Create, configure, and enable the appropriate policies that include the group of users that require MFA for sign-in.

Per-user MFA

Enable user accounts for MFA corresponding to your rollout.

Supporting your employees

As your employees register and begin signing in with MFA, ensure that your IT specialists, IT department, or helpdesk can answer questions and address issues quickly.

See this article for information about troubleshooting MFA sign-ins.