Enabling MFA across your Microsoft 365 tenant is one of the most impactful security changes you can make. Microsoft reports that MFA blocks over 99% of automated account attacks. A stolen password alone is not enough if the attacker also needs a second factor from a device the user controls.
There are three ways to enable MFA in Microsoft 365 - Security Defaults, per-user MFA, and Conditional Access. Which one you use depends on your licence and how much control you need.
The Three Methods Compared
📈 Overview
| Method | Licence needed | Granularity | Recommended |
|---|---|---|---|
| Security Defaults | Any M365 plan | All or nothing | Small orgs, no Entra P1 |
| Per-user MFA | Any M365 plan | Per user | Legacy fallback only |
| Conditional Access | Entra ID P1+ | Full control | Yes, for most orgs |
Option 1: Security Defaults
🛠️ Security Defaults
Security Defaults are a set of pre-configured baseline security settings that Microsoft enables for new tenants. When turned on, all users are required to register for MFA within 14 days and must complete MFA when signing in. Administrators are always required to complete MFA.
Toggle Security defaults to Enabled and save. All users will see a prompt to register MFA on their next sign-in.
Option 2: Per-User MFA
👤 Per-User MFA
Per-user MFA lets you enable MFA for specific accounts individually. It was the original MFA method in Microsoft 365 and is now largely superseded by Conditional Access, but remains available.
Select the users, then click Enable. Users in the Enabled state are prompted to register but have not yet done so. Users in the Enforced state must complete MFA before accessing any app.
Option 3: Conditional Access (Recommended)
✅ Best Practice
For any tenant with Microsoft 365 Business Premium, E3, or E5, Conditional Access is the right approach. Create a policy that requires MFA for all users on all cloud apps. See the Conditional Access setup guide for the full walkthrough.
The key advantage over the other methods: Conditional Access policies can be scoped, can use risk signals, can require compliant devices, and can be put in report-only mode for testing before enforcement.
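The following is an added example, not code from the original article or from Microsoft, showing how the recommended policy can be created with the Microsoft Graph PowerShell SDK: an MFA-for-all-users, all-cloud-apps policy created in report-only mode so sign-in logs can be reviewed before enforcement. It assumes the Microsoft.Graph module is installed and that the signed-in administrator can consent to the listed scopes; the break-glass account ID and the policy name are placeholders. It also includes the check a practitioner wants first, since Conditional Access policies cannot be used while Security Defaults are enabled.

```powershell
# Added example: create an MFA-for-all Conditional Access policy in report-only mode.
# Not the article's own code. Assumes the Microsoft.Graph PowerShell SDK is installed.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All"

# Conditional Access and Security Defaults are mutually exclusive: stop if Security Defaults are on.
$defaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($defaults.IsEnabled) {
    throw "Security Defaults are enabled; turn them off before creating Conditional Access policies."
}

# Placeholder: object ID of an emergency-access (break-glass) account to keep out of scope.
$breakGlassId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName = "CA001 - Require MFA for all users (report-only)"   # placeholder name
    # Report-only evaluates the policy and logs the outcome without blocking anyone.
    # Change to "enabled" once the sign-in log review shows no unexpected failures.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassId)
        }
        applications = @{
            includeApplications = @("All")
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created '$($created.DisplayName)' (id $($created.Id)) in state $($created.State)"
```

Leave the policy in report-only mode for a few days, review the Conditional Access report-only results in the sign-in logs, and only then flip `state` to `enabled`. Excluding at least one emergency-access account is what keeps you from locking every administrator out if MFA itself has an outage.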
Getting Users Registered
👤 Registration
Before enforcing MFA, push a registration campaign so users are not surprised at the sign-in screen on a critical deadline day. Run a registration campaign from:
This shows a registration prompt on sign-in with a configurable snooze period (1, 3, 7 or 14 days). Set a snooze limit so users cannot defer indefinitely. Give a week's notice by email before enabling MFA enforcement so the helpdesk is not overwhelmed on day one.
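As an added example (not part of the original article), the same registration campaign can be switched on through the Microsoft Graph PowerShell SDK instead of the portal. This targets all users, uses a 3-day snooze from the set the article lists, and turns on the snooze limit so users cannot defer indefinitely. It assumes the Microsoft.Graph module is installed and that the administrator can consent to the `Policy.ReadWrite.AuthenticationMethod` scope.

```powershell
# Added example: enable the MFA registration campaign with a capped snooze.
# Not the article's own code. Assumes the Microsoft.Graph PowerShell SDK is installed.
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod"

$params = @{
    registrationEnforcement = @{
        authenticationMethodsRegistrationCampaign = @{
            state                = "enabled"
            # One of the allowed snooze periods (1, 3, 7 or 14 days).
            snoozeDurationInDays = 3
            # Once the allowed number of snoozes is used up, registration becomes mandatory.
            enforceRegistrationAfterAllowedSnoozes = $true
            includeTargets = @(
                @{
                    id                           = "all_users"
                    targetType                   = "group"
                    targetedAuthenticationMethod = "microsoftAuthenticator"
                }
            )
        }
    }
}

Update-MgPolicyAuthenticationMethodPolicy -BodyParameter $params

# Read the policy back so the change can be confirmed in the same session.
$campaign = (Get-MgPolicyAuthenticationMethodPolicy).RegistrationEnforcement.AuthenticationMethodsRegistrationCampaign
"Campaign state: $($campaign.State), snooze: $($campaign.SnoozeDurationInDays) day(s)"
```

Pair the snooze duration with the notice period: a 3-day snooze with a capped number of snoozes means every targeted user has registered within roughly two weeks, which lines up with a one-week email warning followed by enforcement.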