Step 1. Increase sign-in security for remote workers with MFA

To increase the security of sign-ins of your remote workers, use multi-factor authentication (MFA). MFA requires that user sign-ins be subject to an additional verification beyond the user account password. Even if a malicious user determines a user account password, they must also be able to respond to an additional verification, such as a text message sent to a smartphone before access is granted.

The correct password plus an additional verification results in a successful sign-in

For all users, including remote workers and especially admins, Microsoft strongly recommends MFA.

There are three ways to require your users to use MFA based on your Microsoft 365 plan.

Plan Recommendation
All Microsoft 365 plans (without Azure AD Premium P1 or P2 licenses) Enable Security defaults in Azure AD. Security defaults in Azure AD include MFA for users and administrators.
Microsoft 365 E3 (includes Azure AD Premium P1 licenses) Use Common Conditional Access policies to configure the following policies:
- Require MFA for administrators
- Require MFA for all users
- Block legacy authentication
Microsoft 365 E5 (includes Azure AD Premium P2 licenses) Taking advantage of Azure AD Identity Protection, begin to implement Microsoft's recommended set of Conditional Access and related policies by creating these policies:
- Require MFA when sign-in risk is medium or high
- Block clients that don't support modern authentication
- High risk users must change password

Security defaults

Security defaults is a new feature for Microsoft 365 and Office 365 paid or trial subscriptions created after October 21, 2019. These subscriptions have security defaults turned on, which requires all of your users to use MFA with the Microsoft Authenticator app.

Users have 14 days to register for MFA with the Microsoft Authenticator app from their smart phones, which begins from the first time they sign in after security defaults has been enabled. After 14 days have passed, the user won't be able to sign in until MFA registration is completed.

Security defaults ensure that all organizations have a basic level of security for user sign-in that is enabled by default. You can disable security defaults in favor of MFA with Conditional Access policies or for individual accounts.

For more information, see this overview of security defaults.

Conditional Access policies

Conditional Access policies are a set of rules that specify the conditions under which sign-ins are evaluated and allowed. For example, you can create a Conditional Access policy that states:

  • If the user account name is a member of a group for users that are assigned the Exchange, user, password, security, SharePoint, or global administrator roles, require MFA before allowing access.

This policy allows you to require MFA based on group membership, rather than trying to configure individual user accounts for MFA when they are assigned or unassigned from these administrator roles.

You can also use Conditional Access policies for more advanced capabilities, such as requiring that the sign-in is done from a compliant device, such as your laptop running Windows 10.

Conditional Access requires Azure AD Premium P1 licenses, which are included with Microsoft 365 E3 and E5.

For more information, see this overview of Conditional Access.

Azure AD Identity Protection support

With Azure AD Identity Protection, you can create an additional Conditional Access policy that states:

  • If the risk of the sign-in is determined to be medium or high, require MFA.

Azure AD Identity Protection requires Azure AD Premium P2 licenses, which are included with Microsoft 365 E5.

For more information, see Risk-based Conditional Access.

With Azure AD Identity Protection, you can also create a policy to require your users to register for MFA. For more information, see Configure the Azure AD Multi-Factor Authentication registration policy

Using these methods together

Keep the following in mind:

  • You cannot enable security defaults if you have any Conditional Access policies enabled.
  • You cannot enable any Conditional Access policies if you have security defaults enabled.

If security defaults are enabled, all new users are prompted for MFA registration and the use of the Microsoft Authenticator app.

This table shows the results of enabling MFA with security defaults and Conditional Access policies.

Method Enabled Disabled Additional authentication method
Security defaults Can’t use Conditional Access policies Can use Conditional Access policies Microsoft Authenticator app
Conditional Access policies If any are enabled, you can’t enable security defaults If all are disabled, you can enable security defaults User specifies during MFA registration

Let your users reset their own passwords

Self-Service Password Reset (SSPR) enables users to reset their own passwords without impacting IT staff. Users can quickly reset their passwords at any time and from any place. For more information, see Plan an Azure AD self-service password reset deployment.

Sign in to SaaS apps with Azure AD

In addition to providing cloud authentication for users, Azure AD can also be your central way to secure all your apps, whether they’re on-premises, in Microsoft’s cloud, or in another cloud. By integrating your apps into Azure AD, you can make it easy for remote workers to discover the applications they need and sign into them securely.

Admin technical resources for MFA and identity

Results of Step 1

After deployment of MFA, your users:

  • Are required to use MFA for sign-ins.
  • Have completed the MFA registration process and are using MFA for all sign-ins.
  • Can use SSPR to reset their own passwords.

Next step

Step 2: Provide remote access to on-premises apps and services

Continue with Step 2 to provide remote access to on-premises apps and services.