How to enforce multi-factor authentication on Microsoft 365 (Office 365) using per-user (legacy) MFA

What is per-user MFA?

Per-user (or legacy) MFA, as the name suggests, is no longer Microsoft's preferred option for using MFA in Microsoft 365. It allows you to enable MFA per-user and to create exceptions where necessary but is only configurable via a separate legacy web panel or PowerShell. Users are prompted for MFA on every login, regardless of what they're accessing.

If you have Azure AD Premium P1 licenses, there is no reason to use Legacy MFA - you should be using Conditional Access as it provides all the same features and flexibility but with far better support.

Otherwise, if you genuinely can't get every user onto MFA, and therefore can't use Security Defaults, you can use this approach to enable MFA selectively, for example on high-privilege accounts. This is much better than not using MFA at all if Security Defaults doesn't work for you.

However, at best this should be an interim solution until you are able to transition to Security Defaults or Conditional Access - all accounts without MFA represent a potential security risk as they are available with a single factor of authentication.

If you choose this option, we will guide you through how to prepare the necessary parts of your environment, encourage users to enrol for MFA, and periodically set enrolled users to an "Enforced" state, causing them to then require MFA on future logins. This will allow you to roll out MFA usage without disruption.

For more information on these terms and this approach in general, read the Microsoft documentation.

Before you start

Get business buy-in

Big changes that people notice tend to benefit from an executive sponsor to lend weight behind the change - you'll know better than us whether that makes sense for your organisation. You can read for some pointers.

Prepare your support team

When adopting MFA, some users may struggle with the process of enrolling for MFA, or need help if they lose their MFA token or device after setup. Users will have a much better experience of MFA, and work disruption will be kept to a minimum, if the IT support team (or person, as the case may be) is prepared to support both enrolment and recovery and can get them back on their feet quickly.

To make sure everything goes smoothly when something goes wrong, we recommend you make sure anyone responding to support requests tests or practices these processes using a test account.

Let's get started!

Configuring your environment

Before using Legacy MFA, you'll need to do the following:

Enforcing MFA

As you are using legacy, per-user MFA, you could configure users who have already registered for MFA as "Enforced" so they will be required to use MFA for future logins. Use the Push platform to quickly get a view of users that have registered for MFA.

Alternatively, if you want to force registration for users, you could set them to "Enabled", which forces them to register, but will not disrupt their existing workflow. Once registered, users will automatically transition over to "Enforced".
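The report-then-enforce cycle described above can also be scripted against the legacy PowerShell surface for per-user MFA. The following is an added example, not code from the original guide or from Push; it assumes the MSOnline module is installed (Install-Module MSOnline) and that you sign in with an account permitted to change user MFA settings. The function names Get-MfaReport and Set-RegisteredUsersEnforced are this example's own.

```powershell
# Added example: report per-user MFA state and enforce MFA for users who have
# already registered a method. Uses the legacy MSOnline cmdlets (assumed installed).
Import-Module MSOnline
Connect-MsolService

# Build the requirement object that Set-MsolUser expects for per-user MFA.
# State is "Enabled" (forces registration) or "Enforced" (MFA required on login).
function New-MfaRequirement {
    param([ValidateSet("Enabled", "Enforced")][string]$State)
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = "*"
    $req.State = $State
    return $req
}

# One row per non-blocked user: has a method been registered, and what is the current state?
function Get-MfaReport {
    Get-MsolUser -All | Where-Object { -not $_.BlockCredential } | ForEach-Object {
        $state = if ($_.StrongAuthenticationRequirements.Count -gt 0) {
            $_.StrongAuthenticationRequirements[0].State
        } else { "Disabled" }
        [pscustomobject]@{
            UserPrincipalName = $_.UserPrincipalName
            Registered        = ($_.StrongAuthenticationMethods.Count -gt 0)
            State             = $state
        }
    }
}

# The periodic step from the guide: move registered-but-not-yet-enforced users to Enforced.
# Dry run by default; pass -Apply to change accounts.
function Set-RegisteredUsersEnforced {
    param([Parameter(Mandatory)]$Report, [switch]$Apply)
    $targets = $Report | Where-Object { $_.Registered -and $_.State -ne "Enforced" }
    foreach ($t in $targets) {
        if ($Apply) {
            Set-MsolUser -UserPrincipalName $t.UserPrincipalName `
                -StrongAuthenticationRequirements @(New-MfaRequirement -State "Enforced")
            Write-Host "Enforced MFA for $($t.UserPrincipalName)"
        } else {
            Write-Host "Would enforce MFA for $($t.UserPrincipalName) (re-run with -Apply)"
        }
    }
}

$report = Get-MfaReport
$report | Format-Table -AutoSize          # who is registered, who is still Disabled/Enabled
Set-RegisteredUsersEnforced -Report $report   # dry run; add -Apply to enforce
```

Users still showing as Disabled and not Registered are the ones to set to "Enabled" (or chase for enrolment) before the next cycle.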

Follow the steps in this guide to learn more and configure your desired approach.