Configure per-user MFA in Microsoft 365
Security is essential for every organization, so you should configure Multi-Factor Authentication (MFA) for every user in the Microsoft 365 tenant. Beyond that, there are additional MFA options you need to enable to improve MFA security. In this article, you will learn how to configure per-user MFA in Microsoft 365.
Per-user MFA vs. Azure AD MFA
Per-user MFA and Azure AD MFA are both excellent for securing the user’s sign-in. It’s recommended to configure Azure AD Multi-Factor Authentication instead of per-user MFA (the method covered in this article).
Note: Configure only one of the MFA methods below, never both simultaneously. Running both at once will give the users sign-in issues.
Per-user MFA
With per-user MFA, you don’t have a lot of options to configure, and you can only enforce, enable, and disable MFA for the users. The good thing is that it’s free.
Azure AD MFA
It requires you to have Azure AD Premium plan 1 or 2. With Azure AD MFA, you will create a Conditional Access policy and have many options to configure MFA for the users, which is excellent. Also, Microsoft adds more and more features to these CA policies.
Move from per-user MFA to Azure AD MFA
If you have already configured per-user MFA and have an Azure AD Premium plan 1 or 2 but have not yet moved to Azure AD MFA, see the article Move from per-user MFA to Conditional Access MFA.
Configure Microsoft 365 per-user MFA
To configure per-user MFA in Microsoft 365, follow these steps:
Step 1. Sign in to Microsoft 365 admin center.
Step 2. Navigate to Users > Active users > Multi-factor authentication.
Step 3. Click on service settings at the top.
Step 4. Go to the section verification options and select the methods you want to make available to the users.
Step 5. Click on users at the top. Select the checkbox to select all the users on the page and click Enable.
Note: If the user list spans more than one page, you must repeat this on every page. In that case, it’s faster to Enable MFA Office 365 with PowerShell.
Important: Keep MFA disabled for service accounts, or add their IPs to the MFA service settings page so they skip multi-factor authentication.
Step 6. Click on enable multi-factor auth.
Step 7. Click close.
Step 8. Select the checkbox to select all the users on the page and click Enforce.
Step 9. Click on enforce multi-factor auth.
Step 10. Click close.
Step 11. Multi-factor authentication status shows Enforced for all users.
That’s it! You successfully configured per-user MFA in Microsoft 365 and made the organization safer by adding an additional layer of security. This prevents breaches that result from brute force attacks and compromised credentials.
From now on, the users need to configure MFA when they sign in. If they have already done that, they will be prompted to complete the MFA request.
Export Microsoft 365 per-user MFA status
An excellent way to check if the users configured per-user MFA is to use the script shown in the article Export Office 365 users MFA status with PowerShell.
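As an added example (not the script from the linked article and not the author's code), the function below checks the outcome of steps 5 to 11: it classifies each account as Disabled, Enabled or Enforced, shows whether a method is registered yet, and separates documented service-account exceptions from accounts that were simply missed. The function names, the exception list and the sample accounts are assumptions made for illustration; the input shape follows the MSOnline `Get-MsolUser` properties.

```powershell
# Added example: classify accounts by per-user MFA state after the rollout.
# Input objects follow the MSOnline Get-MsolUser shape: UserPrincipalName,
# StrongAuthenticationRequirements[].State, StrongAuthenticationMethods[].
function Get-PerUserMfaGap {
    param(
        [Parameter(Mandatory)] [object[]] $Users,
        # Hypothetical exception list: service accounts deliberately left Disabled.
        [string[]] $ServiceAccounts = @()
    )
    foreach ($u in $Users) {
        # No requirement entry at all means per-user MFA is Disabled.
        $state = $u.StrongAuthenticationRequirements |
            ForEach-Object { $_.State } | Select-Object -First 1
        if (-not $state) { $state = 'Disabled' }
        $registered = @($u.StrongAuthenticationMethods | Where-Object { $_ }).Count -gt 0
        $finding = switch ($state) {
            'Enforced' { if ($registered) { 'OK' } else { 'Enforced, no method registered yet' } }
            'Enabled'  { 'Enabled but not enforced' }
            default {
                if ($ServiceAccounts -contains $u.UserPrincipalName) { 'Disabled, documented service account' }
                else { 'Disabled, not on the exception list' }
            }
        }
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            State             = $state
            MethodRegistered  = $registered
            Finding           = $finding
        }
    }
}
# Constructed sample accounts (example.com, not from a real tenant).
function New-SampleUser([string]$Upn, [string]$State, [string[]]$Methods) {
    [pscustomobject]@{
        UserPrincipalName                = $Upn
        StrongAuthenticationRequirements = @(if ($State) { [pscustomobject]@{ State = $State } })
        StrongAuthenticationMethods      = @($Methods | Where-Object { $_ } | ForEach-Object { [pscustomobject]@{ MethodType = $_ } })
    }
}
$sample = @(
    New-SampleUser 'alice@example.com'    'Enforced' 'PhoneAppNotification'
    New-SampleUser 'bob@example.com'      'Enforced'
    New-SampleUser 'carol@example.com'    'Enabled'
    New-SampleUser 'svc-scan@example.com' ''
    New-SampleUser 'dave@example.com'     ''
)
# Against a tenant (assumes the MSOnline module and Connect-MsolService): -Users (Get-MsolUser -All)
Get-PerUserMfaGap -Users $sample -ServiceAccounts 'svc-scan@example.com' |
    Where-Object Finding -ne 'OK' | Format-Table -AutoSize
```

With the sample data, only alice@example.com is filtered out as OK; the remaining rows are the accounts to follow up on or to confirm as intended exceptions.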
Improve MFA security
Whether you have chosen per-user MFA or Azure AD MFA, it’s essential to go through the articles below and enable these three features for the Microsoft Authenticator app to improve MFA security:
- Enable Azure MFA number matching
- Enable Azure MFA application name
- Enable Azure MFA geographic location
Conclusion
You learned how to configure per-user MFA in Microsoft 365. It’s important to enforce per-user MFA for the users. If you want to avoid paying extra for the Azure AD Premium plan 1 or 2 that Azure AD MFA requires, choose the free option, per-user MFA. You can always move from per-user MFA to Azure AD MFA.
Great Tutorial!
What about MFA for webmail on On-premise environment?
Thanks!