Understand which MFA solutions are available for Microsoft 365 and which is the right choice for your tenant.
Microsoft often has lots of flexibility but it can be hard or time-consuming to figure out all the options and make an informed decision. This post summarises your options for using MFA in Microsoft 365, helps you quickly eliminate some, and gives you the information you need to consider what’s left.
At a high level, you’ve got three choices:
Security Defaults
Conditional Access
Legacy MFA (also referred to as “per-user MFA”)
Some quick decisions
Do you have Azure AD Premium licenses?
If everyone has Azure AD Premium P1 or higher licenses, you should use Conditional Access. Conditional Access lets you deploy MFA with full flexibility, from simply mandating it in all situations to convenience features such as exceptions for trusted IP ranges, specific apps, or break-glass accounts. A simple setup doesn’t take long, but if you’re really looking for quick and easy, you can still use Security Defaults instead (the two are mutually exclusive: Security Defaults cannot be switched on while Conditional Access policies exist).
Can you deploy to everyone?
If you don’t have Azure AD Premium P1 licenses but you are comfortable deploying MFA to everyone, you should use Security Defaults. Security Defaults is intended to be the easy-to-deploy MFA option, available to every tenant regardless of license. Configuration is a single on/off switch: sensible, useful defaults are configured for you, but they can’t be changed and no account can be excluded.
If you’ve answered no to both questions, your only remaining option is Legacy MFA. As the name suggests, this is not an option Microsoft endorses or actively develops; its tools and new features are focused purely on Conditional Access and Security Defaults. However, if neither is an option for you, you should at least ensure MFA is configured on your sensitive accounts, such as administrators, and per-user MFA can achieve that regardless of license.
Can I do this if I’m using on-premises AD?
These options turn on MFA for users that exist in Azure AD, for sign-ins to Azure AD. If you have on-premises AD and want to start using Azure AD, you first need something like Azure AD Connect to sync your users and begin your journey into “hybrid” AD.
One last thing…
Regardless of which option you choose, you need to look into disabling “legacy authentication”. Unrelated to “Legacy MFA”, legacy authentication is simply the original way apps authenticated to Azure AD: basic username/password protocols such as POP, IMAP, authenticated SMTP, Exchange ActiveSync, and older Office clients. Because these protocols cannot perform an MFA challenge, leaving them enabled makes turning on MFA largely redundant: there is still a single-factor route into your tenant, and password-spraying attacks target exactly that route. Security Defaults blocks legacy authentication for you; with Conditional Access you have to write the blocking policy yourself.
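Before you block legacy authentication it is worth knowing which accounts still depend on it (a multifunction printer relaying mail over authenticated SMTP, an old IMAP client). The following is an added example, not code from the original post: it summarises legacy-protocol sign-ins per account from Azure AD sign-in log records. It assumes the Microsoft Graph PowerShell SDK (the `Microsoft.Graph.Reports` module) and `AuditLog.Read.All` consent for the real query; the sample records at the bottom are constructed so the function can be exercised offline.

```powershell
# Added example: summarise legacy-authentication usage from sign-in log records.
# Real data comes from Get-MgAuditLogSignIn (Microsoft.Graph.Reports module);
# run Connect-MgGraph -Scopes "AuditLog.Read.All" first for the live query.

# ClientAppUsed values that represent legacy (non-modern) authentication.
# "Browser" and "Mobile Apps and Desktop clients" are the modern-auth values.
$LegacyClientApps = @(
    'Exchange ActiveSync', 'Authenticated SMTP', 'IMAP4', 'POP3', 'SMTP',
    'Exchange Web Services', 'MAPI Over HTTP', 'Outlook Anywhere (RPC over HTTP)',
    'Exchange Online PowerShell', 'AutoDiscover', 'Offline Address Book',
    'Other clients'
)

function Get-LegacyAuthSummary {
    param(
        # Records with UserPrincipalName, ClientAppUsed, Status.ErrorCode (0 = success)
        # and CreatedDateTime, i.e. the shape returned by Get-MgAuditLogSignIn.
        [Parameter(Mandatory)] [object[]] $SignIns
    )
    $SignIns |
        Where-Object { $_.ClientAppUsed -in $LegacyClientApps } |
        Group-Object UserPrincipalName, ClientAppUsed |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                User      = $first.UserPrincipalName
                Protocol  = $first.ClientAppUsed
                Attempts  = $_.Count
                # Successful legacy sign-ins are the ones that will break when you block.
                Successes = @($_.Group | Where-Object { $_.Status.ErrorCode -eq 0 }).Count
                LastSeen  = ($_.Group | Sort-Object CreatedDateTime -Descending)[0].CreatedDateTime
            }
        } | Sort-Object Successes -Descending
}

# Constructed sample records standing in for real sign-in log entries.
# 50126 is the "invalid username or password" error code: a failed spray attempt,
# which shows up here too because it still reached the legacy endpoint.
$sample = @(
    [pscustomobject]@{ UserPrincipalName='scanner@contoso.example'; ClientAppUsed='Authenticated SMTP'; Status=@{ErrorCode=0};     CreatedDateTime=[datetime]'2024-03-01T08:00:00Z' }
    [pscustomobject]@{ UserPrincipalName='scanner@contoso.example'; ClientAppUsed='Authenticated SMTP'; Status=@{ErrorCode=0};     CreatedDateTime=[datetime]'2024-03-02T08:00:00Z' }
    [pscustomobject]@{ UserPrincipalName='alice@contoso.example';   ClientAppUsed='Browser';            Status=@{ErrorCode=0};     CreatedDateTime=[datetime]'2024-03-02T09:00:00Z' }
    [pscustomobject]@{ UserPrincipalName='alice@contoso.example';   ClientAppUsed='IMAP4';              Status=@{ErrorCode=50126}; CreatedDateTime=[datetime]'2024-03-02T09:05:00Z' }
)
Get-LegacyAuthSummary -SignIns $sample | Format-Table -AutoSize

# Against a real tenant (last 7 days), replace the sample with:
# $since = (Get-Date).ToUniversalTime().AddDays(-7).ToString('yyyy-MM-ddTHH:mm:ssZ')
# $real  = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All
# Get-LegacyAuthSummary -SignIns $real | Format-Table -AutoSize
```

Accounts that appear with successful legacy sign-ins need a migration plan (a modern-auth client, or a relay that does not use your tenant credentials) before the block goes live; rows with only failures are attackers probing the endpoint, which is the reason to block it.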
Now that you know which options are available to you let’s explore them in some more detail taking a look at the key features and things you need to think about.
Security Defaults
Requires no license - available to all.
Once enabled, all users must register for MFA within 14 days of their next sign-in.
Users must register using an “Authenticator” app (learn more about MFA methods here).
Once registered, users are prompted for MFA “as necessary” (i.e. not every time).
Users holding administrator roles are prompted every time.
Legacy authentication is blocked for you.
Can you enable it for all accounts? Remember, Security Defaults applies to every account in the tenant; nothing can be excluded, including any service accounts that sign in with a password.
Do all users have access to a mobile device? Users are required to register the authenticator MFA method, which requires a mobile device.
Read more here: What is Security Defaults?
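The on/off switch can be flipped from the portal, but it is also exposed through Microsoft Graph. The following is an added example, not code from the original post, that enables Security Defaults with the Microsoft Graph PowerShell SDK (`Microsoft.Graph.Identity.SignIns` module) after first checking that the tenant has no Conditional Access policies, since the two cannot coexist. It assumes you have connected with `Policy.Read.All` and `Policy.ReadWrite.ConditionalAccess` scopes.

```powershell
# Added example: enable Security Defaults via Microsoft Graph PowerShell.
# Connect-MgGraph -Scopes "Policy.Read.All","Policy.ReadWrite.ConditionalAccess"

function Enable-SecurityDefaults {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # Security Defaults cannot be enabled while Conditional Access policies exist,
    # so fail loudly rather than let the API reject the change with a less clear error.
    $existingCa = @(Get-MgIdentityConditionalAccessPolicy -All)
    if ($existingCa.Count -gt 0) {
        throw "Tenant has $($existingCa.Count) Conditional Access policies; Security Defaults and Conditional Access are mutually exclusive. Use Conditional Access, or delete those policies first."
    }

    $current = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
    if ($current.IsEnabled) {
        Write-Host "Security Defaults already enabled."
        return $current
    }

    if ($PSCmdlet.ShouldProcess("tenant", "Enable Security Defaults")) {
        Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$true
        # Re-read the policy so the caller sees the committed state, not the request.
        return Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
    }
}

# Dry run first (prints what would happen), then for real.
Enable-SecurityDefaults -WhatIf
# Enable-SecurityDefaults | Select-Object IsEnabled
```

Remember that the 14-day registration clock for every user starts from their next sign-in after this is switched on, so communicate it before running it.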
Conditional Access
Requires Azure AD Premium P1 licenses.
Allows you to define the conditions under which users are granted access. For example, you can control which users a policy applies to, which apps they are trying to access, how often they should be prompted, where they are signing in from, and which type of device they are permitted to use.
Policies can be created in report-only mode first, so you can check from the sign-in logs that they won’t be disruptive before enforcing them.
Legacy authentication should be blocked, but you must create that policy yourself.
Does everyone have the requisite license?
What should your policies look like? Microsoft publishes a sensible set of base policies; implementing the first four listed replicates what Security Defaults gives you. Whatever you implement, exclude at least one break-glass account from every policy so a misconfiguration can’t lock every administrator out.
Read more here: What is Conditional Access?
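To make the above concrete, here is an added example (not code from the original post) that creates the two foundational policies, require MFA for all users and block legacy authentication, in report-only mode with the Microsoft Graph PowerShell SDK (`Microsoft.Graph.Identity.SignIns` module). The policy names and the `$BreakGlass` object ID are placeholders; it assumes you have connected with `Policy.Read.All` and `Policy.ReadWrite.ConditionalAccess` scopes.

```powershell
# Added example: create "require MFA" and "block legacy auth" Conditional Access
# policies in report-only mode via Microsoft Graph PowerShell.
# Connect-MgGraph -Scopes "Policy.Read.All","Policy.ReadWrite.ConditionalAccess"

# Object IDs of your emergency-access accounts (placeholder value; replace it).
$BreakGlass = @('00000000-0000-0000-0000-000000000001')

# Policy 1: require MFA for everyone, for every cloud app, excluding break-glass.
$requireMfa = @{
    displayName = 'CA001: Require MFA for all users'
    # Report-only: evaluated and logged, but not enforced. Switch to 'enabled'
    # once the sign-in logs show no unexpected failures.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeUsers = $BreakGlass }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

# Policy 2: block legacy authentication. exchangeActiveSync and "other" are the
# client app types that cannot perform an MFA challenge.
$blockLegacy = @{
    displayName = 'CA002: Block legacy authentication'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeUsers = $BreakGlass }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

foreach ($policy in @($requireMfa, $blockLegacy)) {
    # Idempotent: skip policies that already exist by name.
    $existing = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$($policy.displayName)'"
    if ($existing) { Write-Host "Already exists, skipping: $($policy.displayName)"; continue }
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host "Created '$($created.DisplayName)' state=$($created.State) id=$($created.Id)"
}

# After the policies have run in report-only mode for a while and the
# "Report-only" tab in the sign-in logs looks clean, enforce them:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId <id> -State 'enabled'
```

Creating the policy with the break-glass exclusion from the start, rather than adding it later, is deliberate: the moment a "block" or "require MFA" policy is enforced without an exclusion, the only accounts that can fix it are the ones it just locked out.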
Legacy MFA (per-user MFA)
Requires no license - available to all.
You can enable MFA enforcement per user; which methods are allowed is a tenant-wide service setting rather than a per-user choice.
Users are prompted for MFA on every sign-in (unless you enable the “remember multi-factor authentication on trusted devices” service setting).
Management tooling is, well... legacy. It is only available via a clunky legacy portal, though you can still configure it via PowerShell.
Not recommended by Microsoft and not being actively developed.
Read more here: How to enable per-user MFA
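If per-user MFA is where you end up, the minimum worth doing is enforcing it on every member of your privileged roles, and PowerShell is less painful than the legacy portal for that. The following is an added example, not code from the original post. It uses the Microsoft Graph PowerShell SDK; the per-user MFA state is managed through the beta endpoint `/users/{id}/authentication/requirements` (property `perUserMfaState`, values `disabled`, `enabled`, `enforced`). The role list and the permission scopes in the comment are assumptions to adjust for your tenant.

```powershell
# Added example: enforce per-user MFA on members of privileged directory roles.
# Connect-MgGraph -Scopes "RoleManagement.Read.Directory","User.Read.All","Policy.ReadWrite.AuthenticationMethod"
# (scopes are an assumption; use whatever Connect-MgGraph reports as required)

# Roles to protect (assumed list; extend to match your tenant).
$PrivilegedRoles = @('Global Administrator', 'Exchange Administrator', 'User Administrator')

function Set-PerUserMfaState {
    param(
        [Parameter(Mandatory)] [string] $UserId,
        [ValidateSet('disabled', 'enabled', 'enforced')] [string] $State = 'enforced'
    )
    # Beta endpoint for the per-user MFA state of a single user.
    $uri = "https://graph.microsoft.com/beta/users/$UserId/authentication/requirements"
    $current = Invoke-MgGraphRequest -Method GET -Uri $uri
    if ($current.perUserMfaState -eq $State) { return $current.perUserMfaState }
    Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body @{ perUserMfaState = $State } | Out-Null
    # Re-read rather than trust the request, so the output reflects what was committed.
    return (Invoke-MgGraphRequest -Method GET -Uri $uri).perUserMfaState
}

foreach ($roleName in $PrivilegedRoles) {
    # Get-MgDirectoryRole only returns roles that have been activated in the tenant.
    $role = Get-MgDirectoryRole | Where-Object DisplayName -eq $roleName
    if (-not $role) { Write-Warning "Role not activated in tenant: $roleName"; continue }

    # Role members can also be groups or service principals; only users get per-user MFA.
    $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' }

    foreach ($m in $members) {
        $upn   = $m.AdditionalProperties['userPrincipalName']
        $state = Set-PerUserMfaState -UserId $m.Id -State 'enforced'
        Write-Host ("{0,-40} {1,-25} {2}" -f $upn, $roleName, $state)
    }
}
```

Run it again after any role change; unlike Conditional Access, per-user MFA does not follow role membership, so a newly added administrator is unprotected until someone flips their state.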