Step 1. Increase sign-in security for hybrid workers with MFA

To increase the security of sign-ins of your hybrid workers, use multifactor authentication (MFA). MFA requires that user sign-ins be subject to an additional verification beyond the user account password. Even if a malicious user determines a user account password, they must also be able to respond to an additional verification, such as a text message sent to a smartphone before access is granted.

The correct password plus an additional verification results in a successful sign-in.

For all users, including hybrid workers and especially admins, Microsoft strongly recommends MFA.

There are three ways to require your users to use MFA based on your Microsoft 365 plan.

Plan Recommendation
All Microsoft 365 plans (without Microsoft Entra ID P1 or P2 licenses) Enable Security defaults in Microsoft Entra ID. Security defaults in Microsoft Entra ID include MFA for users and administrators.
Microsoft 365 E3 (includes Microsoft Entra ID P1 licenses) Use Common Conditional Access policies to configure the following policies:
- Require MFA for administrators
- Require MFA for all users
- Block legacy authentication
Microsoft 365 E5 (includes Microsoft Entra ID P2 licenses) Taking advantage of feature in Microsoft Entra ID, begin to implement Microsoft's recommended set of Conditional Access and related policies like:
- Requiring MFA when sign-in risk is medium or high.
- Blocking clients that don't support modern authentication.
- Requiring high risk users change their password.

Security defaults

Security defaults is a new feature for Microsoft 365 and Office 365 paid or trial subscriptions created after October 21, 2019. These subscriptions have security defaults turned on, which requires all of your users to use MFA with the Microsoft Authenticator app.

Users have 14 days to register for MFA with the Microsoft Authenticator app from their smart phones, which begins from the first time they sign in after security defaults has been enabled. After 14 days have passed, the user won't be able to sign in until MFA registration is completed.

Security defaults ensure that all organizations have a basic level of security for user sign-in that is enabled by default. You can disable security defaults in favor of MFA with Conditional Access policies or for individual accounts.

For more information, see this overview of security defaults.

Conditional Access policies

Conditional Access policies are a set of rules that specify the conditions under which sign-ins are evaluated and allowed. For example, you can create a Conditional Access policy that states:

  • If the user account name is a member of a group for users that are assigned the Exchange, user, password, security, SharePoint, or global administrator roles, require MFA before allowing access.

This policy allows you to require MFA based on group membership, rather than trying to configure individual user accounts for MFA when they are assigned or unassigned from these administrator roles.

You can also use Conditional Access policies for more advanced capabilities, such as requiring that the sign-in is done from a compliant device, such as your laptop running Windows 11 or 10.

Conditional Access requires Microsoft Entra ID P1 licenses, which are included with Microsoft 365 E3 and E5.

For more information, see this overview of Conditional Access.

Microsoft Entra ID Protection support

With Microsoft Entra ID Protection, you can create an additional Conditional Access policy that states:

  • If the risk of the sign-in is determined to be medium or high, require MFA.

Microsoft Entra ID Protection requires Microsoft Entra ID P2 licenses, which are included with Microsoft 365 E5.

For more information, see Risk-based Conditional Access.

With Microsoft Entra ID Protection, you can also create a policy to require your users to register for MFA. For more information, see Configure the Microsoft Entra multifactor authentication registration policy

Using these methods together

Keep the following in mind:

  • You cannot enable security defaults if you have any Conditional Access policies enabled.
  • You cannot enable any Conditional Access policies if you have security defaults enabled.

If security defaults are enabled, all new users are prompted for MFA registration and the use of the Microsoft Authenticator app.

This table shows the results of enabling MFA with security defaults and Conditional Access policies.

Method Enabled Disabled Additional authentication method
Security defaults Can’t use Conditional Access policies Can use Conditional Access policies Microsoft Authenticator app
Conditional Access policies If any are enabled, you can’t enable security defaults If all are disabled, you can enable security defaults User specifies during MFA registration

Let your users reset their own passwords

Self-Service Password Reset (SSPR) enables users to reset their own passwords without impacting IT staff. Users can quickly reset their passwords at any time and from any place. For more information, see Plan a Microsoft Entra self-service password reset deployment.

Sign in to SaaS apps with Microsoft Entra ID

In addition to providing cloud authentication for users, Microsoft Entra ID can also be your central way to secure all your apps, whether they’re on-premises, in Microsoft’s cloud, or in another cloud. By integrating your apps into Microsoft Entra ID, you can make it easy for hybrid workers to discover the applications they need and sign into them securely.

Admin technical resources for MFA and identity

Results of Step 1

After deployment of MFA, your users:

  • Are required to use MFA for sign-ins.
  • Have completed the MFA registration process and are using MFA for all sign-ins.
  • Can use SSPR to reset their own passwords.

Next step

Step 2: Provide remote access to on-premises apps and services.

Continue with Step 2 to provide remote access to on-premises apps and services.