Manage multifactor authentication in Microsoft 365 Lighthouse
Microsoft 365 Lighthouse allows you to manage multifactor authentication (MFA) settings across all tenants. The multifactor authentication page provides detailed information on the status of MFA enablement and the ability to take action on specific users.
For small- and medium-sized business (SMB) customers, Microsoft recommends enabling security defaults at a minimum. For more complex scenarios, you can use Conditional Access to configure specific policies.
Note
This page provides insights around tenants for which data availability is limited.
Before you begin
The customer tenant must be active within Microsoft 365 Lighthouse. To determine if a tenant is active, see Microsoft 365 Lighthouse tenant list overview.
Notify users who aren't registered for MFA
In the left navigation pane in Lighthouse, select Users > multifactor authentication.
Select the tenant that contains the user(s) that you want to notify.
Select Users not registered for MFA tab.
Select the tenant containing the user(s) you want to notify.
Select Create email.
Your default email application creates a sample email addressed to each selected user.
Edit the notification email if needed.
Send the email.
Tip
Select the Admin, Guest, or Members counts to filter the list by type. If any user accounts in the list are emergency access or service accounts for which you don't want to require MFA, select those user accounts and then select Exclude users. The excluded user accounts will no longer appear in the list of users not registered for MFA.
Note
Lighthouse opens your default email client and prepopulates the email message with instructions to register for MFA. All the selected users will be included on the BCC line. If you prefer to individually email users, you can select the email icon next to the username.
If you want to use a different email account, you can export the list of users to a file. You can also download sample email templates you can customize with your company branding.
Exclude users from MFA registration
In the left navigation pane in Lighthouse, select Users > multifactor authentication.
Select the tenant containing the user(s) you want to exclude.
Select Users not registered for MFA tab.
Select the user(s) that you want to exclude.
Select Exclude users.
In the Exclude users pane, select Save changes to save the changes in both Lighthouse and the tenant.
Note
Ensure that the Microsoft 365 Lighthouse - MFA Exclusions security group is excluded from the tenant's Conditional Access policies that require MFA and from the applicable deployment tasks in the tenant's deployment plan in Lighthouse.
Block sign-in for users not registered for MFA
- In the left navigation pane in Lighthouse, select Users > multifactor authentication.
- Select the tenant that contains the user(s) you want to block.
- Select Users not registered for MFA tab.
- Select the user(s) that you want to block.
- Select Block sign-in.
- In the Manage sign-in status pane, select Block users from signing in.
- Select Save.
Note
Ensure If any shared mailbox accounts or inactive user accounts appear in the list of users not registered for MFA, we recommend you block sign-in for those accounts to remove them from the list.
Blocking a user prevents anyone from signing in as this user and is a good idea when you think their password or username may be compromised. Blocking a user immediately stops any new sign-ins for that account. The account will be automatically signed out from all Microsoft services within 60 minutes if the account is signed in. This won't stop the account from receiving mail and doesn't delete any account data.
Remove a user from the Excluded users group
- In the left navigation pane in Lighthouse, select Users > multifactor authentication.
- Select the tenant that contains the user(s) you want to remove.
- Select Exclude users tab.
- Select the user(s) that you want to remove.
- Select Remove.
- In the confirmation message, select Remove.
Note
The excluded users listed in Lighthouse will reflect the current membership Microsoft 365 Lighthouse - MFA exclusions security group but will not confirm that the group has been excluded from the tenant's Conditional Access policies that require MFA or from the applicable deployment tasks in the tenant's deployment plan in Lighthouse.
Next steps
Once MFA is enabled, you can enable Microsoft Entra self-service password reset (SSPR). SSPR allows users to change or reset passwords without administrator or help desk involvement. For more information, see Manage self-service password reset in Microsoft 365 Lighthouse.
Related content
Overview of multifactor authentication in Lighthouse (article)
Plan a Microsoft Entra multifactor authentication deployment (article)
What are security defaults? (article)
What is Conditional Access? (article)
Learn how to convert users from per-user MFA to Conditional Access (article)