Mandatory MFA for Volume Licensing Central – Partner Guidance

Better security, and ongoing security and privacy safeguards are among our top priorities, and we continue to help partners protect their customers and tenants.

To help partners protect their businesses and customers from identity theft and unauthorized access, we activated enhanced security safeguards for partner tenants by mandating and verifying MFA on VL Central (Volume Licensing Central). Mandating MFA strengthens the protection of partner access to customer resources and reduces the risk of credential compromise.

All users logging into Volume Licensing Central are required to onboard to MFA before January 5, 2026, to ensure uninterrupted access.

This guidance outlines the steps partners need to take to comply with the mandatory MFA requirement for Volume Licensing Central.

Steps for Partners to Comply

To comply with mandatory MFA for Volume Licensing Central, partners should take the following steps:

Step 1: Identify the Appropriate Admin (Point Of Contact)

Determine who in your organization will implement the MFA changes. This is typically your Microsoft Entra Global Administrator or an equivalent admin role with permission to manage security settings. The Global Administrator (also known as 'Company Administrator') role has full access to Entra ID, including the ability to set Conditional Access policies and enable MFA.

How to Contact Your Tenant’s Global Administrator

Via Microsoft Entra portal

  1. Go to https://entra.microsoft.com

  2. Navigate to Entra ID > Roles and administrators

    Roles and administrators

  3. Search Global Administrator

    Global Administrator

  4. You see a list of users assigned to that role in your tenant.

    Global Administrator Users

If you don’t have access to the Entra portal:

  • Reach out to your IT department, security operations team, or internal helpdesk

Ensuring the right Point of Contact (POC) is involved (with appropriate admin rights) is crucial, because only those with high-level admin roles can enforce tenant-wide MFA requirements.

Step 2: Enforce MFA for Volume Licensing Central Access (Tenant-Wide)

Goal: Require MFA for all users (internal and guests) when accessing the Volume Licensing Central application. We recommend using a Conditional Access policy in Microsoft Entra ID for this. If Conditional Access isn’t available to your tenant, alternate methods are noted below.

  1. Sign in to Microsoft Entra Admin Centre https://entra.microsoft.com/ as a Global Admin (or Conditional Access Admin).

  2. Browse to Entra ID > Conditional Access > Overview, select + Create new policy.

    Conditional Access

  3. Enter a name for the policy, such as "MFA for Volume Licensing Central".

  4. Under Assignments, select the current value under Users

    Conditional Access New

  5. Under Include, choose All Users. This ensures the policy covers all internal users and any B2B guest users who access your Volume Licensing resources.

    Conditional Access - Select Users

  6. Under Assignments, select the current value under Target Resources, and then under Select what this policy applies to, verify that Resources (Formerly cloud apps) is selected.

  7. Under Include, choose Select Apps.

  8. Under Include, choose Select resources. Then click None Under Select option.

    Conditional Access - Select resources

  9. In the new window (Select Resources), Choose Microsoft Admin Portals. Then click the Select button.

    Please note that if we choose Microsoft Admin Portals, Multi-Factor Authentication (MFA) will be enabled for all associated admin portals, including the Microsoft 365 Admin Center, Exchange Admin Center, Azure Portal, Microsoft Entra Admin Center, and others

    Conditional Access - Select Application

  10. You can generally leave Conditions at defaults (all locations, all device states). Unless you have a specific need (e.g. exclude trusted IPs or compliant devices), no extra conditions are required for this policy.

  11. Under Access controls > Grant, choose Require multi-factor authentication. This is the control that forces an MFA challenge. Ensure no conflicting controls (like 'Block access') are selected.

  12. Enable the policy: On to enforce MFA. To apply the Conditional Access policy, select Create.

    Enable Conditional Access Policy

    Once active, this Conditional Access policy will prompt any user for MFA when they sign into Volume Licensing Central. If they’ve already satisfied MFA recently (and you allow session persistence), they might not be prompted on every single login, but by default it will challenge each fresh sign-in.

    Refer Link: Enable Microsoft Entra multifactor authentication - Microsoft Entra ID | Microsoft Learn

Alternative Methods (if Conditional Access is not available):

  • Security Defaults: If your tenant is small or doesn’t have premium Entra ID features, you might have Security Defaults enabled. Security Defaults automatically require all users to register for MFA and perform MFA in certain scenarios. Enabling Security Defaults (in Entra ID > Overview > Properties > Manage Security Defaults) is an easy catch-all solution but note it applies to all sign-ins on all apps, not just Volume Licensing Central. If that’s acceptable or already in place, you may not need a separate policy.

    Refer Link: Configure Security Defaults for Microsoft Entra ID - Microsoft Entra | Microsoft Learn

  • Per-User MFA (Legacy): As a fallback, you can enable MFA on a per-user basis. This is done in the Entra admin center under Users > Multi-Factor Authentication (or Microsoft 365 admin center under Active Users > MFA). You manually select each user and turn on MFA enforcement for their account. This is less scalable and less flexible – Microsoft generally recommends Conditional Access over per-user MFA. However, if you can’t use CA and Security Defaults doesn’t fit (or is turned off due to custom policies), per-user MFA will still achieve the goal for Volume Licensing Central users. Ensure all accounts that use Volume Licensing Central (including guests in your directory) are set to Enforced or Enabled for MFA.

    Refer Link: Enable per-user multifactor authentication - Microsoft Entra ID | Microsoft Learn

Regardless of method, the outcome should be every user must perform MFA to access Volume Licensing Central. The Conditional Access approach is preferred because it’s precise (targeting the Volume Licensing Central specifically) and easier to manage long-term.

Step 3: Ensure Individual Users are MFA-Ready

Most users will automatically be covered by the tenant-wide enforcement above. However, you may want to communicate and assist users in advance:

  • Encourage early MFA registration: Ask your users (internal and external) to go to the Microsoft MFA setup page (usually https://aka.ms/mfasetup) and add at least one verification method enabled for the tenant. This ensures they won’t be caught off-guard. It’s often easiest for users to set up the Microsoft Authenticator app on their phone. You can set the Authentication methods applicable to your tenant under Home > Authentication methods > Policies in the Entra portal.

    MFA registration

  • Set up multiple methods: Recommend users configure a backup MFA method (e.g. secondary phone or a hardware token if they have one). This helps if they lose access to their primary method.

  • Guest users from partner organizations: Coordinate with your partners to ensure their users know about the upcoming requirement. They might need to enable MFA in their home tenant. (When they sign in to Volume Licensing Central as guests, our policy will prompt them – the MFA prompt will be serviced by their home Azure AD in most cases.)

If you used per-user MFA in Step 2, then this step is essentially required – users won’t be able to log in without you enabling them and them completing registration. If you used Conditional Access or Security Defaults, users can actually be prompted at the next login (MFA Registration experience - see the next section), but it’s smoother if they set up beforehand.

External identity provider

Third-party MFA can be integrated directly with Microsoft Entra ID. For more information, see Microsoft Entra multifactor authentication external method provider reference. Microsoft Entra ID can be optionally configured with a federated identity provider. If so, the identity provider solution needs to be configured properly to send the multipleauthn claim to Microsoft Entra ID. For more information, see Satisfy Microsoft Entra ID multifactor authentication (MFA) controls with MFA claims from a federated IdP.

Post Mandating MFA

If a user has not yet set up MFA by 5th January 2026 and tries to sign in to Volume Licensing Central, they will not be outright blocked. Instead, they are automatically prompted to register for MFA as part of the sign-in process.

MFA registration experience

  • During MFA verification, if the partner account hasn't registered for MFA before, Microsoft Entra ID prompts the user to complete MFA registration first. Review more info about the Microsoft Authenticator method:

    MFA registration experience

  • After the user selects Next, they're asked to choose from a list of verification methods.

  • After successful registration, the user must complete MFA verification using their chosen verification method.

No Access without MFA: If a user refuses the registration process, they effectively can't proceed to Volume Licensing Central. The prompt appears each time until they complete it. Users can't bypass or 'skip' it – MFA setup is mandatory.

If you're facing any issues in enabling MFA for your organization, please reach out to MFAVLCsupport@microsoft.com for assistance.

  • Last updated on