Require multi-factor authentication and set up conditional access policies

You protect access to your data with multi-factor authentication and conditional access policies. These add substantial additional security. Microsoft provides a set of baseline conditional access policies that are recommended for all customers. Baseline policies are a set of predefined policies that help protect organizations against many common attacks. These common attacks can include password spray, replay, and phishing.

These policies require admins and users to enter a second form of authentication (called multi-factor authentication, or MFA) when certain conditions are met. For example, if a user in your organization tries to sign in to Microsoft 365 from a different country or from an unknown device, the sign-in might be considered risky. The user must provide an extra form of authentication (such as a fingerprint or a code) to prove their identity.

Currently, baseline policies include the following:

  • Set up in Microsoft 365 admin center:
    • Require MFA for admins — Requires multi-factor authentication for the most privileged administrator roles, including global administrator.
    • End user protection — Requires multi-factor authentication for users only when a sign-in is risky.
  • Set up in Azure Active Directory portal:
    • Block legacy authentication — Older client apps and some new apps don't use newer, more secure, authentication protocols. These older apps can bypass conditional access policies and gain unauthorized access to your environment. This policy blocks access from clients that don't support conditional access.
    • Require MFA for Service Management — Requires multi-factor authentication for access to management tools, including Azure portal (where you configure baseline policies).

Microsoft recommends that you enable all of these baseline policies. After these policies are enabled, admins and users will be prompted to register for Azure Multi-Factor authentication.

For more information about these policies, see What are baseline policies?

Require MFA

To require that all users sign in with a second form of ID:

  1. Go to the admin center at https://admin.microsoft.com and choose Setup.

  2. On the Setup page, choose View in the Make sign-in more secure card.

    Make sign-in more secure card.

  3. On the Make sign-in more secure page, choose Get started.

  4. On the Strengthen sign-in security pane, select the check boxes next to Require multi-factor authentication for admins and Require users to register for multi-factor authentication and block access if risk is detected. Be sure to exclude the emergency or "break-glass" admin account from the MFA requirement in the Find users box.

    Strengthen sing-in security page.

  5. Choose Create policy on the bottom of the page.

Set up baseline policies

  1. Go to Azure portal, and then navigate to Azure Active Directory > Conditional Access.

    The baseline policies are listed on the page, and you can see that Require MFA for admins and End user protection are already enabled after you completed the steps in require MFA.

    Page that lists baseline policies for conditional access.

  2. See the following specific instructions for each policy:

You can set up extra policies, such as requiring approved client apps. For more information, see the Conditional Access documentation.