Set up multi-factor authentication

Every new Office 365 for business or Microsoft 365 Business subscription will automatically have security defaults turned on. This means that every user will have to set up multi-factor authentication (MFA) and install the Authenticator app on their mobile device. For more information, see Set up 2-step verification for Office 365.

The following nine administrator roles will be required to perform additional authentication every time they sign in:

  • Global administrator
  • SharePoint administrator
  • Exchange administrator
  • Conditional Access administrator
  • Security administrator
  • Helpdesk administrator or password administrator
  • Billing administrator
  • User administrator
  • Authentication administrator

All other users will be asked to perform additional authentication when needed. For more information, see What are security defaults?

Note

You must be an Office 365 global admin to set up or modify multi-factor authentication.

If you're not using the new Microsoft 365 admin center, you can turn it on by selecting the Try the new admin center toggle located at the top of the Home page.

If you have previously set up MFA with baseline policies, you must turn them off and turn on security defaults. However, if you have Microsoft 365 Business or your subscription includes Azure Active Directory Premium 1 or Azure Active Directory Premium 2, you can also set up conditional access policies. To use conditional access policies, you need to make sure modern authentication is enabled.

Manage security defaults

  1. Sign in to the admin center with your Global admin credentials.

  2. Go to the Azure Active Directory Properties page.

  3. At the bottom of the page, choose Manage Security defaults.

Move from baseline policies to security defaults

  1. In the admin center, select Setup.

  2. Next to Sign-in and security, under Make sign-in more secure, select View.

  3. Under Make sign-in more secure, select Manage.

  4. On the Azure portal Conditional Access - Policies page, choose each Baseline policy that is On, and set them to Off.

  5. Go to the Azure Active Directory Properties page.

  6. At the bottom of the page, choose Manage Security defaults, and in the Enable Security defaults pane, set the Enable Security defaults toggle to Yes.

Enable multi-factor authentication for your organization

All Office 2016 client applications support MFA through the use of the Active Directory Authentication Library (ADAL). This means that app passwords aren't required for Office 2016 clients. However, you need to make sure your Office 365 subscription is enabled for ADAL, or modern authentication.

  1. To enable modern authentication, from the admin center, select Settings > Services & add-ins and then choose Modern authentication from the list.

  2. Check the Enable modern authentication box in the Modern authentication panel.

Important

As of August 2017, all new Office 365 tenants that include Skype for Business online and Exchange online have Modern Authentication enabled by default. Pre-existing tenants won't have a change in their default MA state. To check your MA status for Skype for Business online, you can use Skype for Business online PowerShell with Global Admin credentials. Run Get-CsOAuthConfiguration to check the output of -ClientADALAuthOverride. If -ClientADALAuthOverride is 'Allowed', your Modern Authentication is on. To check your MA status for Exchange Online, see Enable modern authentication in Exchange Online.
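
The Skype for Business Online check described above, as an added example that is not part of the original article. It assumes the Skype for Business Online PowerShell module (SkypeOnlineConnector) is installed; the admin UPN and the helper function Test-SfbModernAuth are hypothetical names introduced here.

```powershell
# Added example: audit the Skype for Business Online modern authentication state.
# Assumption: the SkypeOnlineConnector module is installed and the account
# used to sign in is a Global admin, as the note above requires.

function Test-SfbModernAuth {
    # Hypothetical helper: evaluates the object returned by Get-CsOAuthConfiguration.
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        $OAuthConfiguration
    )
    process {
        # ClientAdalAuthOverride is the property shown in the cmdlet output.
        $value = [string]$OAuthConfiguration.ClientAdalAuthOverride
        [pscustomobject]@{
            ClientAdalAuthOverride = $value
            # Per the article, only 'Allowed' means modern authentication is on.
            ModernAuthOn           = ($value -eq 'Allowed')
        }
    }
}

# Hypothetical admin UPN; replace with your own Global admin account.
$adminUpn = 'admin@contoso.onmicrosoft.com'

Import-Module SkypeOnlineConnector

# -UserName triggers an interactive sign-in, which works when the admin
# account itself is required to complete MFA.
$session = New-CsOnlineSession -UserName $adminUpn
Import-PSSession $session -AllowClobber | Out-Null

try {
    $status = Get-CsOAuthConfiguration | Test-SfbModernAuth
    $status | Format-List

    if (-not $status.ModernAuthOn) {
        Write-Warning ("ClientAdalAuthOverride is '{0}', not 'Allowed'. " +
            "Modern authentication is not confirmed on for this tenant.") -f
            $status.ClientAdalAuthOverride
    }
}
finally {
    # Always close the remote session so it does not linger after the audit.
    Remove-PSSession $session
}
```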

Top 10 ways to secure Office 365 and Microsoft 365 Business plans

Enable Modern Authentication for Office 2013 on Windows devices