Add users and assign licenses in Microsoft Defender for Business

As soon as you have signed up for Defender for Business, your first step is to add users and assign licenses. This article describes how to add users and assign licenses, and how to make sure multifactor authentication (MFA) is enabled.

Visual depicting step 2 - add users and assign licenses in Defender for Business.

Add users and assign licenses


You must be a global administrator to perform this task. The person who signed up your company for Microsoft 365 or for Defender for Business is a global administrator by default.

  1. Go to the Microsoft 365 admin center at and sign in.

  2. Go to Users > Active users, and then select Add a user.

  3. In the Set up the basics pane, fill in the basic user information, and then select Next.

    • Name: Fill in the first and last name, display name, and username.
    • Domain Choose the domain for the user's account. For example, if the user's username is Pat, and the domain is, they'll sign in by using
    • Password settings: Choose whether to use the autogenerated password or to create your own strong password for the user. The user must change their password after 90 days. Or you can choose the option to Require this user to change their password when they first sign in. You can also choose whether you want to send the user's password in email when the user is added.
  4. On the Assign product licenses page, select Defender for Business (or Microsoft 365 Business Premium). Then choose Next.

    If you don't have any licenses available, you can still add a user and buy additional licenses. For more information about adding users, see Add users and assign licenses at the same time.

  5. On the Optional settings page, you can expand Profile info and fill in details, such as the user's job title, department, location, and so forth. Then choose Next.

  6. On the Review and finish page, review the details, and then select Finish adding to add the user. If you need to make any changes, choose Back to go back to a previous page.

Make sure MFA is enabled

One good way to make sure MFA is enabled for all users is by using security defaults. If your tenant was created on or after October 22, 2019, security defaults might be enabled automatically in your tenant. Use the following procedure to confirm or enable security defaults.


You must be a security administrator, Conditional Access administrator, or Global Administrator to perform this task.

  1. Go to the Azure portal ( and sign in.

  2. Under Manage Azure Active Directory, select View.

    Screenshot showing the View button under the heading Manage Azure Active Directory.

  3. In the navigation pane, select Properties, and then select Manage security defaults.

    Screenshot showing Properties and Manage Security Defaults for Azure Active Directory.

  4. On the right side of the screen, in the Security defaults pane, see whether security defaults are turned on (Enabled) or off (Disabled). To turn security defaults on, use the drop-down menu to select Enabled.


    If your organization is using Conditional Access policies, you won't be able to enable security defaults. You'll see a message that indicates you're using classic policies instead. You can use either security defaults or Conditional Access, but not both. For most organizations, security defaults offer a good level of sign-in security. But if your organization must meet more stringent requirements, you can use Conditional Access policies instead. To learn more, see the following articles:

  5. Save your changes.

Next steps