Set up multi-factor authentication

This article describes how to set up multi-factor authentication (MFA) for Office 365 users. For more information about MFA, see How Azure multi-factor authentication works.

You get a free version of Azure multi-factor authentication as part of your Office 365 for business subscription. For a list of features included in your version of Office 365, see How to get Azure Multi-Factor Authentication.

Note

You must be an Office 365 global admin to set up or modify multi-factor authentication.

If you're not using the new Microsoft 365 admin center, you can turn it on by selecting the Try the new admin center toggle located at the top of the Home page.

Enable multi-factor authentication for your organization

All Office 2016 client applications support MFA through the use of the Active Directory Authentication Library (ADAL). This means that app passwords aren't required for Office 2016 clients. However, you need to make sure your Office 365 subscription is enabled for ADAL, or modern authentication.

  1. To enable modern authentication, from the admin center, select Settings > Services & add-ins and then choose Modern authentication from the list.

  2. Check the Enable modern authentication box in the Modern authentication panel.

    Modern authentication panel with enable checkbox checked.

Important

As of August of 2017, all new Office 365 tenants that include Skype for Business online and Exchange online have Modern Authentication enabled by default. Pre-existing tenants won't have a change in their default MA state. To check your MA status for Skype for Business online, you can use Skype for Business online PowerShell with Global Admin credentials. Run Get-CsOAuthConfiguration to check the output of -ClientADALAuthOverride. If -ClientADALAuthOverride is 'Allowed', your Modern Authentication is on. To check your MA status for Exchange Online, please visit Enable modern authentication in Exchange Online. In SharePoint online, by default, modern authentication is enabled.

Set up multi-factor authentication

  1. In the admin center, select Setup.

  2. Next to Sign-in and security, under Make sign-in more secure, select View.

  3. On the Make sign-in more secure page, select Get started.

  4. Select the Require multi-factor authentication and Require users to register for multi-factor authentication and block access if risk is detected check boxes.

  5. Under Do you want to exclude anyone from these policies, select any users that you want to exclude from the drop-down list box.

  6. Select Create policy. You will return to the Make sign-in more secure page, which will now say Completed.

After you set up multi-factor authentication for your organization, your users will be required to set up two-step verification on their devices. For more information, see Set up 2-step verification for Office 365.

Manage MFA settings

  1. In the admin center, select Setup.

  2. Next to Sign-in and security, under Make sign-in more secure, select View.

  3. Under Make sign-in more secure, select Manage.

  4. The Azure portal Conditional Access - Policies page will appear. To turn multi-factor authentication on or off:

    1. Select Baseline policy: End user protection (Preview), and turn the Enable toggle on or off.

    2. Select Baseline policy: Require MFA for admins (Preview), and turn the Enable toggle on or off.

    Note

    To exclude users from a policy, select specific users excluded > Select excluded users, select the users from the list, and then choose Select.

Top 10 ways to secure Office 365 and Microsoft 365 Business plans

Enable Modern Authentication for Office 2013 on Windows devices