How to enforce multi-factor authentication on Microsoft 365 (Office 365) using Security Defaults

What is Security Defaults?

Security Defaults enables MFA for everyone. It's simple, quick and available to everyone, regardless of license. However, it's inflexible, with no configuration options, and must be applied to all accounts.

Once enabled, Security Defaults makes the following changes in your tenant:

  • All users must register for MFA within 2 weeks from their next interactive login - no users can be exempt from requiring MFA.

  • Only authenticator-style apps are permitted as MFA methods - this is a secure method and one we would recommend anyway.

  • Admins will always be prompted for MFA on login.

  • Users will be prompted for MFA "when necessary" (this is not strictly defined by Microsoft but includes when users show up on a new device or app, and for critical roles and tasks).

  • Access to Azure portal, Azure CLI or Azure PowerShell by anyone will always require MFA.

  • Legacy authentication is disabled because it doesn't support MFA.

Security Defaults is all or nothing - there are no choices or configuration options. That said, it offers sensible options that suit most small teams.

Before you start

Get business buy-in

Big changes that people notice tend to benefit from an executive sponsor to lend weight behind the change - you'll know better than us whether that makes sense for your organisation. You can read for some pointers.

Prepare your support team

When adopting MFA, some users may struggle with the process of enrolling for MFA, or need help if they lose their MFA token or device after setup. Users will have a much better experience of MFA, with work disruption kept to a minimum, if the IT support team (or person, as the case may be) is prepared to support both enrolment and recovery, and can get them back on their feet quickly.

To make sure everything goes smoothly when something goes wrong, we recommend you make sure anyone responding to support requests tests or practices these processes using a test account.

Is this the right approach?

To decide if Security Defaults is right for you, you should consider four things:

If you choose this option, we will guide you through preparing the necessary parts of your environment before turning it on.

Once you're ready, you've got two choices:

  1. Turn it on immediately: give your users 14 days to register and just get it done.

  2. Encourage adoption first: for minimal disruption, you can use the Push platform to monitor and encourage user registration before turning it on when you know most users are already registered.

Let's get started!

Configuring your environment

Security Defaults is designed to be simple so all you need to do beforehand is make sure you aren't using legacy authentication:

Stop using legacy authentication

Before you can block legacy authentication, you must make sure no one in your organisation is using it. For example, does anyone use Office 2010 or 2013 still? Office 2010 doesn't support modern authentication and Office 2013 doesn't use it by default. Blocking legacy authentication without first modernising any legitimate use will likely break things in your team.

Depending on the age of your Azure AD tenant, you might also need to enable modern authentication.

Follow the official Microsoft documentation on blocking legacy authentication that includes steps to find accounts that still use legacy authentication, and instructions to enable modern authentication.
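As an added example (not from the original guide or Microsoft's documentation), the triage below takes exported Azure AD sign-in records in the shape of the Microsoft Graph `signIn` resource and lists which users still sign in with legacy authentication, using Microsoft's own rule that any client app other than "Browser" or "Mobile Apps and Desktop clients" is a legacy client. The sample records are constructed, and failed sign-ins are excluded by default so that a blocked password-spray attempt over IMAP does not get mistaken for a user who still depends on IMAP.

```python
"""Find users still relying on legacy authentication before Security Defaults blocks it."""
import json
from collections import defaultdict

# Per Microsoft's sign-in report, these two client-app values are modern auth;
# everything else (Exchange ActiveSync, IMAP4, POP3, SMTP, Other clients, ...) is legacy.
MODERN_CLIENT_APPS = {"Browser", "Mobile Apps and Desktop clients"}

# Constructed sample sign-in records (not real tenant data), shaped like
# the Microsoft Graph signIn resource returned by /auditLogs/signIns.
SAMPLE_SIGNINS = json.dumps([
    {"userPrincipalName": "alice@example.com", "clientAppUsed": "Browser",
     "appDisplayName": "Office 365 SharePoint Online", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "clientAppUsed": "Exchange ActiveSync",
     "appDisplayName": "Office 365 Exchange Online", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "clientAppUsed": "Exchange ActiveSync",
     "appDisplayName": "Office 365 Exchange Online", "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@example.com", "clientAppUsed": "IMAP4",
     "appDisplayName": "Office 365 Exchange Online", "status": {"errorCode": 50126}},
    {"userPrincipalName": "dave@example.com", "clientAppUsed": "Mobile Apps and Desktop clients",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}},
])


def is_legacy_auth(record: dict) -> bool:
    """True when the sign-in used a protocol that cannot complete an MFA challenge."""
    # A missing clientAppUsed is treated as "Other clients", i.e. legacy.
    return record.get("clientAppUsed", "Other clients") not in MODERN_CLIENT_APPS


def legacy_auth_users(signins_json: str, successful_only: bool = True) -> dict:
    """Map each user seen on legacy authentication to the sorted client apps they used."""
    users = defaultdict(set)
    for rec in json.loads(signins_json):
        if not is_legacy_auth(rec):
            continue
        # errorCode 0 is a successful sign-in; anything else was rejected.
        if successful_only and rec.get("status", {}).get("errorCode", 0) != 0:
            continue
        users[rec["userPrincipalName"]].add(rec["clientAppUsed"])
    return {upn: sorted(apps) for upn, apps in sorted(users.items())}


if __name__ == "__main__":
    # Each of these users needs their client modernised before Security Defaults is turned on.
    for upn, apps in legacy_auth_users(SAMPLE_SIGNINS).items():
        print(f"{upn}: {', '.join(apps)}")
```

Run it against a JSON export of the sign-in log from the portal or from the Graph `/auditLogs/signIns` endpoint; an empty result means the block in Security Defaults should be safe for your users.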

If you are curious about what legacy and modern authentication is and want more background, read this blog post by the Microsoft Identity team.

Enforcing MFA

When you are ready to do so, enabling Security Defaults is quick and simple by following the steps below.

To follow this guide you will need:

  • The correct role: the Security Administrator, Conditional Access Administrator, or Global Administrator roles are needed to perform these steps.

Step 1

Navigate to the Azure Active Directory blade in the Azure Active Directory admin center.

Step 2

From the side menu, select Properties:

M365: Azure AD, Properties

Step 3

At the bottom of the page, select "Manage Security Defaults":

Step 4

A side menu to "Enable Security Defaults" should appear with a single control to enable Security Defaults. Slide it over to Yes.