Turn on multi-factor authentication

Multi-factor authentication (MFA) is a very important first step in securing your organization. Microsoft 365 Business Premium includes the option to use security defaults or Conditional Access policies to turn on MFA for your admins and user accounts. For most organizations, security defaults offer a good level of sign-in security. But if your organization must meet more stringent requirements, you can use Conditional Access policies instead.

This article provides information about:

  • Security defaults (suitable for most businesses)
  • Conditional Access (for businesses with more stringent security requirements)


You can use either security defaults or Conditional Access policies, but you can't use both at the same time.

Security defaults

Security defaults were designed to help protect your company's user accounts from the start. When turned on, security defaults provide secure default settings that help keep your company safe by:

  • Requiring all users and admins to register for MFA using the Microsoft Authenticator app or any third-party application using OATH TOTP.
  • Challenging users with MFA, mostly when they show up on a new device or app, but more often for critical roles and tasks.
  • Disabling authentication from legacy authentication clients that can't do MFA.
  • Protecting admins by requiring extra authentication every time they sign in.

MFA is an important first step in securing your company, and security defaults make enabling MFA easy to implement. If your subscription was created on or after October 22, 2019, security defaults might have been automatically enabled for you—you should check your settings to confirm.


For more information about security defaults and the policies they enforce, see Security defaults in Azure AD.

To enable security defaults (or confirm they're already enabled)


You must be a Security Administrator, Conditional Access administrator, or Global Administrator to perform this task.

  1. Go to the Azure portal (https://portal.azure.com/) and sign in.

  2. Under Manage Azure Active Directory, select View.

    Screenshot showing the VIew button under Manage Azure Active Directory.

  3. In the navigation pane, select Properties, and then select Manage security defaults.

    Screenshot showing Properties and Manage Security Defaults for Azure Active Directory.

  4. On the right side of the screen, in the Security defaults pane, see whether security defaults are turned on (Enabled) or off (Disabled). To turn security defaults on, use the drop-down menu to select Enabled.

  5. Save your changes.

Next objective

Protect your administrator accounts in Microsoft 365 Business Premium