Turn on multi-factor authentication

Multi-factor authentication (MFA) is a very important first step in securing your organization. Microsoft 365 Business Premium includes the option to use security defaults or Conditional Access policies to turn on MFA for your admins and user accounts. For most organizations, security defaults offer a good level of sign-in security. But if your organization must meet more stringent requirements, you can use Conditional Access policies instead.

This article provides information about:

• Security defaults (suitable for most businesses)
• Conditional Access (for businesses with more stringent security requirements)

Note

You can use either security defaults or Conditional Access policies, but you can't use both at the same time.

Security defaults

Security defaults

Security defaults were designed to help protect your company's user accounts from the start. When turned on, security defaults provide secure default settings that help keep your company safe by:

• Requiring all users and admins to register for MFA using the Microsoft Authenticator app or any third-party application using OATH TOTP.
• Challenging users with MFA, mostly when they show up on a new device or app, but more often for critical roles and tasks.
• Disabling authentication from legacy authentication clients that can't do MFA.
• Protecting admins by requiring extra authentication every time they sign in.

MFA is an important first step in securing your company, and security defaults make enabling MFA easy to implement. If your subscription was created on or after October 22, 2019, security defaults might have been automatically enabled for you—you should check your settings to confirm.

Tip

For more information about security defaults and the policies they enforce, see Security defaults in Azure AD.

To enable security defaults (or confirm they're already enabled)

Important

You must be a Security Administrator, Conditional Access administrator, or Global Administrator to perform this task.

1. Go to the Azure portal (https://portal.azure.com/) and sign in.

2. Under Manage Azure Active Directory, select View.

   

3. In the navigation pane, select Properties, and then select Manage security defaults.

   

4. On the right side of the screen, in the Security defaults pane, see whether security defaults are turned on (Enabled) or off (Disabled). To turn security defaults on, use the drop-down menu to select Enabled.

5. Save your changes.

Conditional Access

Conditional Access

If your company or business has complex security requirements or you need more granular control over your security policies, then you should consider using Conditional Access instead of security defaults to achieve a similar or higher security posture.

Conditional Access lets you create and define policies that react to sign-in events and request additional actions before a user is granted access to an application or service. Conditional Access policies can be granular and specific, empowering users to be productive wherever and whenever, but also protecting your organization.

Security defaults are available to all customers, while Conditional Access requires one of the following plans:

• Azure Active Directory Premium P1 or P2
• Microsoft 365 Business Premium
• Microsoft 365 E3 or E5
• Enterprise Mobility & Security E3 or E5

If you want to use Conditional Access to configure policies, see the following step-by-step guides:

• Require MFA for administrators
• Require MFA for Azure management
• Block legacy authentication
• Require MFA for all users
• Require Azure AD MFA registration - Requires Azure AD Identity Protection, which is part of Azure Active Directory Premium P2

To learn more about Conditional Access, see What is Conditional Access? For more information about creating Conditional Access policies, see Create a Conditional Access policy.

Note

If you have a plan or license that provides Conditional Access but haven't yet created any Conditional Access policies, you're welcome to use security defaults. However, you'll need to turn off security defaults before you can use Conditional Access policies.

Next objective

Protect your administrator accounts in Microsoft 365 Business Premium