How to Set up Mandatory MFA for Microsoft 365 Admin Center

Starting February 3rd, 2025, Microsoft will require multifactor authentication (MFA) for all users accessing the Microsoft 365 admin center. This follows the MFA requirement already enforced for other admin centers like Azure, Microsoft Entra, and Microsoft Intune.

This change is part of Microsoft’s ongoing efforts to strengthen security across its platforms. As an admin, it’s essential to get your organization ready to comply with this new security measure.

Why Is MFA Essential for Microsoft 365 Security?

Multifactor authentication (MFA) is a security protocol requiring two or more verification methods to confirm a user's identity. These methods typically include:

  • Passwords or PINs
  • Security keys or mobile phones
  • Biometric data like fingerprints or facial recognition

MFA reduces the chance of account compromise by over 99%, making it a critical control for safeguarding privileged admin accounts and business data in Microsoft 365.

How to Set up MFA in Microsoft 365?

Follow these steps to enable MFA for your organization.

Enable Security Default MFA

Enabling Security Default MFA in Microsoft 365 is an important step because it helps protect your organization from common identity-based threats like password spray attacks and phishing. By turning on Security Defaults, you're ensuring that Multi-Factor Authentication is required for all users, which adds an extra layer of protection beyond just passwords.

Security defaults force MFA across your organization without requiring manual configuration for each user or group, which makes the initial security setup easier.

  • Sign in to the Microsoft Entra admin center.
  • Navigate to Identity > Overview > Properties.
  • Select Manage security defaults.
  • Toggle Security defaults to Enabled.
  • Click Save.


Note: Microsoft’s Security Defaults are enabled by default for tenants created after October 22, 2019.
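The same switch can be flipped and verified from a script. The block below is an added example, not code from the original article; it uses the Microsoft Graph PowerShell SDK (assumed to be installed with `Install-Module Microsoft.Graph`) and checks for enabled Conditional Access policies first, because a tenant cannot run security defaults and Conditional Access at the same time.

```powershell
# Added example (not from the original article): check and enable Security Defaults
# with the Microsoft Graph PowerShell SDK instead of clicking through the Entra admin center.
# Assumes the Microsoft.Graph module is installed and you sign in as a privileged admin.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess" -NoWelcome

$policy = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($policy.IsEnabled) {
    Write-Host "Security defaults are already enabled."
}
else {
    # Security defaults cannot coexist with enabled Conditional Access policies, so stop
    # and report rather than silently flipping the switch in a tenant that already uses CA.
    $activeCa = Get-MgIdentityConditionalAccessPolicy |
        Where-Object { $_.State -ne "disabled" }
    if ($activeCa) {
        Write-Warning "Tenant has $($activeCa.Count) active Conditional Access policies; enforce MFA there instead of via security defaults."
    }
    else {
        Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$true
        Write-Host "Security defaults enabled."
    }
}
```

Run it once after the change as well: a second execution should print "Security defaults are already enabled", which is a cheap way to confirm the setting stuck.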

Configure MFA Using Conditional Access Policies

While Security Default MFA provides a simple and effective way to enable Multi-Factor Authentication (MFA) for all users in Microsoft 365, Conditional Access offers more flexibility and control over when and how MFA is applied.

Using Conditional Access MFA allows you to:

  • Apply MFA based on specific conditions like user risk, location, device compliance, or app sensitivity.
  • Exempt certain users or groups from MFA, based on specific needs.
  • Set up complex security scenarios, such as MFA for specific roles or tasks.
  • Choose different MFA methods (e.g., app notification, text message) and enforce stricter methods for critical roles.
  • Apply stronger MFA for sensitive roles (e.g., administrators) to ensure extra protection.
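As an added example (not from the original article or Microsoft's documentation), the following script creates one such policy with the Microsoft Graph PowerShell SDK: it requires the built-in "Phishing-resistant MFA" authentication strength for a set of admin roles, excludes an emergency access account so admins cannot lock themselves out, and starts in report-only mode so sign-in logs can be reviewed before enforcement. Security defaults must be turned off before any Conditional Access policy can be used. The role names and the emergency account UPN are assumptions to replace with your own.

```powershell
# Added example (not from the original article): report-only Conditional Access policy that
# requires phishing-resistant MFA (passkeys/FIDO2, certificate-based auth, Windows Hello for
# Business) for directory admin roles. Requires security defaults to be disabled first.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All",
                        "RoleManagement.Read.Directory", "User.Read.All" -NoWelcome

# Roles to protect (assumed list; add or remove roles to suit your tenant). Role template
# IDs are looked up by display name rather than hard-coded.
$roleNames = @("Global Administrator", "Security Administrator",
               "Exchange Administrator", "SharePoint Administrator")
$roleIds = Get-MgDirectoryRoleTemplate |
    Where-Object { $roleNames -contains $_.DisplayName } |
    Select-Object -ExpandProperty Id

# Emergency (break-glass) account to exclude. Placeholder UPN, replace with your own.
$breakGlass = Get-MgUser -UserId "emergency-access@contoso.example"

# Built-in authentication strength; looked up by name instead of assuming its GUID
$strength = Get-MgPolicyAuthenticationStrengthPolicy |
    Where-Object { $_.DisplayName -eq "Phishing-resistant MFA" }

$params = @{
    displayName = "Require phishing-resistant MFA for admin roles"
    # Report-only: evaluated and logged, not enforced. Switch to "enabled" after review.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeRoles = @($roleIds)
            excludeUsers = @($breakGlass.Id)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = $strength.Id }
    }
}

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $params
Write-Host "Created policy '$($policy.DisplayName)' ($($policy.Id)) in report-only mode."
```

Keep at least one policy targeting admin roles in report-only mode for a few days and check the sign-in logs for the "Report-only" result before switching `state` to `enabled`; the excluded break-glass account should itself use a passkey or certificate, as noted later in this article.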

Turn off Per-User MFA:

Older methods like Per-User MFA allow admins to enable MFA individually for each user. However, using Per-User MFA can result in inconsistent experiences, especially when combined with security defaults or Conditional Access policies.

Microsoft recommends disabling Per-User MFA in favor of Security Defaults or Conditional Access for a streamlined, more effective security approach.

To turn off per-user MFA in Microsoft 365:

  • Go to Users > Active Users in the Microsoft 365 admin center.
  • Select the user and click on Multifactor Authentication.
  • Set MFA status for each user to Disabled.
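Doing this one user at a time does not scale, so here is an added example (not from the original article) that finds every user still on legacy per-user MFA and sets their state to disabled through Microsoft Graph. The per-user MFA state is exposed on the beta Graph endpoint via the Microsoft.Graph.Beta.Users module; the cmdlet names and the permission scope are my assumptions and should be checked against your installed SDK version. The script runs as a dry run until `$dryRun` is set to `$false`.

```powershell
# Added example (not from the original article): bulk-disable legacy per-user MFA so that
# MFA is driven only by security defaults or Conditional Access. Beta endpoint; verify
# cmdlet names and scopes against your SDK version (assumption, not from the article).
Connect-MgGraph -Scopes "User.Read.All", "Policy.ReadWrite.AuthenticationMethod" -NoWelcome

$dryRun  = $true    # set to $false to actually change users
$changed = @()

foreach ($user in Get-MgUser -All -Property Id, UserPrincipalName) {
    $req = Get-MgBetaUserAuthenticationRequirement -UserId $user.Id
    # "enabled" and "enforced" are the two legacy per-user states that still apply MFA
    if ($req.PerUserMfaState -in @("enabled", "enforced")) {
        if (-not $dryRun) {
            Update-MgBetaUserAuthenticationRequirement -UserId $user.Id -PerUserMfaState "disabled"
        }
        $changed += $user.UserPrincipalName
    }
}

$verb = if ($dryRun) { "would be disabled" } else { "disabled" }
Write-Host "Per-user MFA $verb for $($changed.Count) user(s):"
$changed | ForEach-Object { Write-Host "  $_" }
```

Review the dry-run list against your security defaults or Conditional Access coverage first; a user who loses per-user MFA before the replacing policy is enforced would briefly sign in with a password alone.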


Points to Remember:

  1. For organizations using third-party MFA solutions integrated with Microsoft Entra ID, ensure external authentication methods are properly configured to meet compliance requirements.
  2. Even emergency access accounts must comply with MFA. Microsoft recommends using passkeys (FIDO2) or certificate-based authentication for these accounts.
  3. If users have not registered for MFA methods, they will be prompted to set them up during login attempts.
  4. Global admins can request extensions for MFA enforcement via the Azure portal. This extension applies across all admin portals, including Microsoft Entra, Microsoft Intune, and Microsoft 365.
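Point 3 is easier to manage proactively than at the login prompt. As an added example (not from the original article), this script uses the Microsoft Graph registration-details report to list admin-role holders who have not yet registered any MFA method, so they can be onboarded before the February 2025 enforcement date. The permission scopes are the ones Microsoft documents for that report; the output format is my choice.

```powershell
# Added example (not from the original article): find admin-role members who are not yet
# registered for MFA, using the Graph authentication methods registration report.
Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All" -NoWelcome

# One row per user with IsAdmin, IsMfaRegistered and the list of registered methods
$report = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

$adminsNotRegistered = $report |
    Where-Object { $_.IsAdmin -and -not $_.IsMfaRegistered } |
    Select-Object UserPrincipalName,
                  @{ Name = "Methods"; Expression = { $_.MethodsRegistered -join ", " } }

if ($adminsNotRegistered) {
    Write-Host "Admins without a registered MFA method:"
    $adminsNotRegistered | Format-Table -AutoSize
}
else {
    Write-Host "All admin-role members have an MFA method registered."
}

# Summary for the whole tenant, useful to track readiness week over week
$total = ($report | Measure-Object).Count
$ready = ($report | Where-Object { $_.IsMfaRegistered } | Measure-Object).Count
Write-Host "Tenant MFA registration: $ready of $total users."
```

The same report exposes `IsPasswordlessCapable` and the registered method types, which is a convenient way to confirm that the emergency access accounts from point 2 actually have a passkey or certificate registered rather than a phone method.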

Closing Lines

Enabling multifactor authentication (MFA) is a vital step in protecting your organization’s data and ensuring secure access to Microsoft 365. As Microsoft continues to strengthen its security measures, adopting MFA not only helps prevent unauthorized access but also ensures compliance with evolving security standards. Taking the necessary steps now to enable MFA will help safeguard your digital infrastructure and provide peace of mind for both admins and users alike.

More articles by Mezba Uddin