skip to Main Content

Configure per-user MFA in Microsoft 365

Security is essential for every organization, so you should configure Multi-Factor Authentication (MFA) for every user in the Microsoft 365 tenant. Not only that but there are also other MFA options you need to enable to improve MFA security. In this article, you will learn how to configure per-user MFA in Microsoft 365.

Per-user MFA vs. Azure AD MFA

Per-user MFA and Azure AD MFA are excellent for securing the user’s login. It’s recommended to configure Azure AD Multi-Factor Authentication instead of per-user MFA (this article).

Note: Only configure one of the below MFA methods, and don’t configure both simultaneously. Doing this will give the users sign-in issues.

Per-user MFA

With per-user MFA, you don’t have a lot of options to configure, and you can only enforce, enable, and disable MFA for the users. The good thing is that it’s free.

Azure AD MFA

It requires you to have Azure AD Premium plan 1 or 2. With Azure AD MFA, you will create a Conditional Access policy and have many options to configure MFA for the users, which is excellent. Also, Microsoft adds more and more features to these CA policies.

Move from per-user MFA to Azure AD MFA

Suppose you already have configured per-user MFA and have an Azure Premium plan 1 or 2 but have not yet moved to Azure AD MFA. See the article Move from per-user MFA to Conditional Access MFA.

Configure Microsoft 365 per-user MFA

To configure per-user MFA in Microsoft 365, follow these steps:

Step 1. Sign in to Microsoft 365 admin center.

Step 2. Navigate to Users > Active users > Multi-factor authentication.

Configure per-user MFA in Microsoft 365 admin center

Step 3. Click on service settings at the top.

Configure per-user MFA in Microsoft 365 service settings

Step 4. Go to the section verification options and select the methods you want to make available to the users.

Configure per-user MFA in Microsoft 365 verification options

Step 5. Click on users at the top. Select the checkbox to select all the users on the page and click Enable.

Note: Suppose you have more than one page and must go through all the pages. It’s faster to Enable MFA Office 365 with PowerShell.

Important: Keep MFA for service accounts disabled or add the IPs to the MFA service settings page to skip multi-factor authentication.

Configure per-user MFA in Microsoft 365 enable

Step 6. Click on enable multi-factor auth.

Configure per-user MFA in Microsoft 365 enable multi-factor auth

Step 7. Click close.

Updates succesful

Step 8. Select the checkbox to select all the users on the page and click Enforce.

Configure per-user MFA in Microsoft 365 enforce

Step 9. Click on enforce multi-factor auth.

Configure per-user MFA in Microsoft 365 enforce multi-factor auth

Step 10. Click close.

Updates succesful

Step 11. Multi-factor authentication status shows Enforced for all users.

Configure per-user MFA in Microsoft 365 Enforced status

That’s it! You did successfully configure per-user MFA in Microsoft 365 and made the organization safer by adding an additional layer of security. This prevents breaches that result from brute force attacks and compromised credentials.

From now on, the users need to configure MFA when they sign in. If they already did that, they will get a prompt to fill in the MFA request.

Export Microsoft 365 per-user MFA status

An excellent way to check if the users configured per-user MFA is to use the script shown in the article Export Office 365 users MFA status with PowerShell.

Improve MFA security

If you have chosen per-user MFA or Azure AD MFA, it’s essential to go through the below articles and enable these three features for the Microsoft Authenticator app to improve MFA security:

  1. Enable Azure MFA number matching
  2. Enable Azure MFA application name
  3. Enable Azure MFA geographic location

Conclusion

You learned how to configure per-user MFA in Microsoft 365. . It’s important to enforce per-user MFA for the users. If you want to avoid paying extra for Azure AD Premium plan 1 or 2 and configure Azure AD MFA, choose the free option per-user MFA. You can always move from per-user MFA to Azure AD MFA.

Did you enjoy this article? You may also like Disable MFA Office 365 with PowerShell. Don’t forget to follow us and share this article.

ALI TAJRAN

ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others. Read more »

This Post Has One Comment

Leave a Reply

Your email address will not be published. Required fields are marked *