Options for MFA for a small non-profit O365 tenant

Yorkshire Midge 0 Reputation points
2023-05-01T09:36:03.76+00:00

Have a small non-profit tenant of around 100 users, and this includes the free version of Azure AD. Because the users are charity volunteers, MFA is desirable but implementing it has more challenges than a corporate environment. The forthcoming Security Defaults enabling by Microsoft has brought this matter back into focus.

Security Defaults does not appear to support MFA by text/call (unless you have set the app up, and then click a link saying that you can't currently use it when you log in, where the text/call options are given by way of backup). I have a small number of users who potentially don't have a smartphone (or may not want to use their own for this purpose), and one who doesn't use a mobile at all. But this number is so small that it is not worth upgrading our AD at a cost of £thousands/pa to a paid-for version.

We have some GUEST users too who are members of shared groups, and it is my understanding Security Defaults will be enforced on them too (can anyone confirm for certain?), and that could prove a challenge.

I'm thinking I have the following options:

  1. Decline to implement Security Defaults, and go for legacy per-user MFA - but some articles suggest this isn't recommended and don't explain precisely why. Also, I can't find any indication whether the recently notified change "On 30 September 2024, the ability to manage authentication methods in the legacy multifactor authentication (MFA) and self-service password reset (SSPR) policies will be retired" means legacy per-user MFA itself will be deprecated. Can anyone confirm?
  2. Implement Security Defaults and provide hardware OTP tokens for any exceptions. Does anyone have any recommendations for tokens that are cheap/reputable and work well with Azure AD?
  3. Implement Security Defaults and use something like Authy (rather than the Microsoft Authenticator app) for the exceptions, where the user can run it on a Windows or macOS machine, so there is no requirement for any mobile/smartphone. Tried this myself and it seems to work well.

Any advice appreciated.

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

1 answer

  1. Andy David - MVP 133.4K Reputation points MVP
    2023-05-01T11:44:36.23+00:00

    I would go with option 1:

    https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates

    The per-user option... It's not optimal or recommended simply because, well, it's per-user :) and not by a policy, which is easier to manage.

    The legacy methods you referenced are policies that need to be migrated, not the per-user MFA option, so you should be good there as well for now:

    https://learn.microsoft.com/en-us/azure/active-directory/authentication/how-to-authentication-methods-manage
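Whichever of the three options is chosen, the admin first needs to know two things: whether Security Defaults is already enforced, and which enabled members have no MFA-capable method registered (the "exceptions" who would need a hardware token or a desktop TOTP app). The script below is an added example written for this page, not code from the question, the answer, or Microsoft. It assumes the Microsoft Graph PowerShell SDK is installed (`Install-Module Microsoft.Graph`) and that the signed-in admin can consent to the read-only scopes it requests; the cmdlets and the `@odata.type` values it checks are the public ones documented for the Graph authentication methods API.

```powershell
# Added example (not from the original post): inventory which users in the
# tenant have a usable MFA method registered, to size the exceptions list
# before enabling Security Defaults or per-user MFA.
# Assumes: Microsoft Graph PowerShell SDK installed; admin can consent to
# the read-only scopes requested below.

Connect-MgGraph -Scopes 'Policy.Read.All', 'User.Read.All', 'UserAuthenticationMethod.Read.All'

# 1. Is Security Defaults currently enforced in this tenant?
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
"Security Defaults enabled: $($sd.IsEnabled)"

# 2. Method types that can satisfy an MFA prompt. The password method and an
#    email address do not count (email is used for SSPR only).
$mfaTypes = @(
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod',
    '#microsoft.graph.softwareOathAuthenticationMethod',          # Authy or any other TOTP app
    '#microsoft.graph.phoneAuthenticationMethod',                 # SMS / voice call
    '#microsoft.graph.fido2AuthenticationMethod',
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod'
)

$report = foreach ($u in Get-MgUser -All -Property Id, UserPrincipalName, UserType, AccountEnabled) {
    if (-not $u.AccountEnabled) { continue }

    # Guests register MFA in their home tenant, so their method list here is
    # not meaningful; surface them separately instead of reporting "no MFA".
    if ($u.UserType -eq 'Guest') {
        [pscustomobject]@{
            User           = $u.UserPrincipalName
            Type           = 'Guest'
            Methods        = '(registered in home tenant)'
            NeedsAttention = $true
        }
        continue
    }

    $methods = Get-MgUserAuthenticationMethod -UserId $u.Id
    $types   = $methods | ForEach-Object { $_.AdditionalProperties['@odata.type'] }
    $usable  = @($types | Where-Object { $mfaTypes -contains $_ })

    [pscustomobject]@{
        User           = $u.UserPrincipalName
        Type           = 'Member'
        # Shorten "#microsoft.graph.phoneAuthenticationMethod" to "phone" etc.
        Methods        = ($usable | ForEach-Object {
                              $_ -replace '^#microsoft\.graph\.', '' -replace 'AuthenticationMethod$', ''
                          }) -join ', '
        NeedsAttention = ($usable.Count -eq 0)
    }
}

$report | Sort-Object NeedsAttention -Descending | Format-Table -AutoSize

$noMfa = @($report | Where-Object { $_.Type -eq 'Member' -and $_.NeedsAttention })
"Enabled members with no MFA-capable method registered: $($noMfa.Count)"
```

Two caveats when reading the output: hardware OATH tokens uploaded through the legacy OATH tokens blade may not be exposed through this authentication-methods API, so cross-check that list in the portal before treating a token holder as an exception; and a method being registered is not the same as MFA being required, which is decided by Security Defaults, per-user MFA state, or Conditional Access, not by this report.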