Turn on multifactor authentication in Microsoft 365 Business Premium

Multifactor authentication (MFA) is a critical first step in securing your organization. Microsoft 365 Business Premium includes the option to use security defaults or Conditional Access policies to turn on MFA for your admins and user accounts. For most organizations, security defaults offer a good level of sign-in security. But if your organization must meet more stringent requirements, you can use Conditional Access policies instead.

This article provides information about:

  • Security defaults (suitable for most businesses)
  • Conditional Access (for businesses with more stringent security requirements)


You can use either security defaults or Conditional Access policies, but you can't use both at the same time.

Security defaults

Security defaults were designed to help protect your company's user accounts from the start. When turned on, security defaults provide secure default settings that help keep your company safe by:

  • Requiring all users and admins to register for MFA using the Microsoft Authenticator app or any third-party application using OATH TOTP.
  • Challenging users with MFA, mostly when they show up on a new device or app, but more often for critical roles and tasks.
  • Disabling authentication from legacy authentication clients that can't do MFA.
  • Protecting admins by requiring extra authentication every time they sign in.

MFA is an important first step in securing your company, and security defaults make enabling MFA easy to implement. If your subscription was created on or after October 22, 2019, security defaults might have been automatically enabled for you—you should check your settings to confirm.


For more information about security defaults and the policies they enforce, see Security defaults in Microsoft Entra ID.

To enable security defaults (or confirm they're already enabled)

  1. Sign in to the Microsoft Entra admin center as at least a Security Administrator.

  2. Browse to Identity > Overview > Properties.

  3. Select Manage security defaults.

  4. Set Security defaults to Enabled.

  5. Select Save.


    If your organization is using Conditional Access, security defaults are disabled. You can use either security defaults or Conditional Access, but not both at the same time.
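To confirm the same setting from a shell instead of the admin center, the following added example (not part of the original article) reads the security defaults policy and the tenant's Conditional Access policies through the Microsoft Graph PowerShell SDK and reports which of the two is in effect. It assumes the Microsoft.Graph.Identity.SignIns module is installed and that the signed-in account can consent to the Policy.Read.All scope; the function name Get-MfaBaselineStatus is hypothetical.

```powershell
# Added example: read-only check, makes no changes to the tenant.
# Assumes: Install-Module Microsoft.Graph.Identity.SignIns has already been run.

function Get-MfaBaselineStatus {   # hypothetical helper name
    [CmdletBinding()]
    param()

    # Tenant-wide security defaults policy (a single object with an IsEnabled flag).
    $defaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy

    # All Conditional Access policies, grouped by state.
    $caPolicies = @(Get-MgIdentityConditionalAccessPolicy -All)
    $enforced   = @($caPolicies | Where-Object { $_.State -eq 'enabled' })
    # Report-only policies log what they would do but do not challenge anyone.
    $reportOnly = @($caPolicies | Where-Object { $_.State -eq 'enabledForReportingButNotEnforced' })

    $finding = if ($defaults.IsEnabled) {
        'Security defaults are enabled.'
    }
    elseif ($enforced.Count -gt 0) {
        'Security defaults are disabled and Conditional Access is enforced; review that these policies require MFA.'
    }
    elseif ($reportOnly.Count -gt 0) {
        'Security defaults are disabled and Conditional Access is report-only; nothing is enforcing MFA.'
    }
    else {
        'Security defaults are disabled and no Conditional Access policy is enabled; nothing is enforcing MFA.'
    }

    [pscustomobject]@{
        SecurityDefaultsEnabled = [bool]$defaults.IsEnabled
        EnforcedCaPolicies      = $enforced.DisplayName
        ReportOnlyCaPolicies    = $reportOnly.DisplayName
        Finding                 = $finding
    }
}

# Read-only scope is sufficient for both queries.
Connect-MgGraph -Scopes 'Policy.Read.All'
Get-MfaBaselineStatus | Format-List
```

An enforced Conditional Access policy does not by itself mean MFA is required, so the policies listed under EnforcedCaPolicies still need to be reviewed for their grant controls.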

Next step

Protect your administrator accounts in Microsoft 365 Business Premium