Evaluate multifactor authentication for your Microsoft 365 deployment


Multifactor authentication (MFA) is a method of authentication that requires the use of more than one verification method. By doing so, it adds a second layer of security to user sign-ins and transactions. MFA works by requiring any two or more of the following verification methods:

  • A randomly generated pass code
  • A phone call
  • A phone Short Message Service (SMS)
  • A smart card (virtual or physical)
  • A biometric device

Multifactor authentication in Microsoft 365

Microsoft 365 uses multifactor authentication to provide the extra security. MFA in Microsoft 365 is managed from the Microsoft 365 admin center. Microsoft 365 offers the following subset of Microsoft Entra multifactor authentication capabilities as a part of the subscription:

  • The ability to enable and enforce multifactor authentication for end users.
  • The use of a mobile app (online and one-time password [OTP]) as a second authentication factor.
  • The use of a phone call as a second authentication factor.
  • The use of a Short Message Service (SMS) message as a second authentication factor.
  • Application passwords for non-browser clients (for example, the Microsoft Lync 2013 communications software).
  • Default Microsoft greetings that are provided during authentication phone calls.

For the full list of added features, see Features and licenses for Microsoft Entra multifactor authentication. You can always get the full functionality by purchasing the Microsoft Entra multifactor authentication service.

Office device apps support multifactor authentication through the Microsoft Authentication Library (MSAL).


All apps using the older Azure Active Directory Authentication Library (ADAL) should be migrated to MSAL. Microsoft support and development for ADAL, including security fixes, ends in June 2023. If you choose not to migrate to MSAL before ADAL support ends in June 2023, you put your apps' security at risk. Existing apps that use ADAL will continue to work after the end-of-support date, but Microsoft will no longer release security fixes on ADAL.

Organizations get a different subset of capabilities depending on whether they have a cloud-only deployment for Microsoft 365 or a hybrid setup with single sign-on and Active Directory Federation Services (AD FS).

Where do you manage your Microsoft 365 tenant?

MFA second factor options

Cloud only

Microsoft Entra multifactor authentication (text, phone call, or App)

Hybrid setup, managed on-premises

If you manage user identity on-premises, you have the following choices:

Knowledge check

Choose the best response for the following question. Then select “Check your answers.”

Check your knowledge


You're the Enterprise Administrator for Tailspin Toys, Inc. Your company’s Microsoft 365 tenant is deployed in a Cloud Only environment. You're interested in enabling Microsoft Entra multifactor authentication (MFA). Which of the following authentication options can Tailspin Toys use as a second type of authentication for MFA?