Multi-factor authentication

Multi-factor authentication (MFA) is a very important first step in securing your organization. Microsoft 365 Business Premium includes the option to use security defaults or Conditional Access policies to turn on MFA for your admins and user accounts. For most organizations, security defaults offer a good level of sign-in security. But if your organization must meet more stringent requirements, you can use Conditional Access policies instead.

This article provides information about:

  • Security defaults (suitable for most businesses)
  • Conditional Access (for businesses with more stringent security requirements)


You can use either security defaults or Conditional Access policies, but you can't use both at the same time.

Security defaults

Security defaults were designed to help protect your company's user accounts from the start. When turned on, security defaults provide secure default settings that help keep your company safe by:

  • Requiring all users and admins to register for MFA using the Microsoft Authenticator app or any third-party application using OATH TOTP.
  • Challenging users with MFA, mostly when they show up on a new device or app, but more often for critical roles and tasks.
  • Disabling authentication from legacy authentication clients that can't do MFA.
  • Protecting admins by requiring extra authentication every time they sign in.

MFA is an important first step in securing your company, and security defaults make enabling MFA easy to implement. If your subscription was created on or after October 22, 2019, security defaults might have been automatically enabled for you—you should check your settings to confirm.


For more information about security defaults and the policies they enforce, see What are security defaults?

To enable security defaults (or confirm they're already enabled)

  1. Sign in to the Microsoft 365 admin center with security administrator, Conditional Access administrator, or Global admin credentials.

  2. In the left pane, select Show All, and then under Admin centers, select Azure Active Directory.

  3. In the left pane of the Azure Active Directory admin center, select Azure Active Directory.

  4. From the left menu of the Dashboard, in the Manage section, select Properties.

    Screenshot of the Azure Active Directory admin center showing the location of the Properties menu item.

  5. At the bottom of the Properties page, select Manage Security defaults.

  6. In the right pane, you'll see the Enable Security defaults setting. If Yes is selected, then security defaults are already enabled and no further action is required. If security defaults are not currently enabled, then select Yes to enable them, and then select Save.

Next objective

Protect your administrator accounts in Microsoft 365 Business Premium