Hello, we have previously covered the importance and functionality of Microsoft 365 Defender: Secure Score.
This time, we will focus on enabling MFA with Conditional Access to increase your Secure Score and keep users safe.
Impact of MFA on Secure Score
With MFA enabled, you may see a significant increase in your Microsoft 365 Secure Score. This reflects the effectiveness of MFA in protecting accounts from unauthorized access. MFA acts as a layer of defense, particularly against phishing and other identity theft methods.
What is MFA (Multi-Factor Authentication)?
MFA (Multi-Factor Authentication) is a security mechanism that requires an additional verification method when users log in, such as a code received from an application on a mobile phone or a fingerprint scan.
Using password-only authentication for users is considered insecure. If your environment has a weak password policy or if users’ passwords have been exposed elsewhere on the internet, this can compromise the security of accounts. Using a second method of authentication in addition to a password can greatly increase the security of your users and your organization.
Azure AD MFA works with the following authentication methods:
- Password
- Phone or hardware key
- Fingerprint or face scan
Azure AD MFA can also make self-service password reset more secure: when users register for Azure AD Multi-Factor Authentication, they can register for self-service password reset in the same step.
Azure AD MFA Features and License Requirements
Microsoft 365 and Azure AD users and administrators can use MFA at no additional cost.
Azure AD MFA can be used or licensed differently depending on your organization's needs.
If you are a user of | Capabilities and use cases |
---|---|
Microsoft 365 Business Premium and EMS or Microsoft 365 E3 and E5 | EMS E3, Microsoft 365 E3, and Microsoft 365 Business Premium include Azure AD Premium P1. EMS E5 or Microsoft 365 E5 includes Azure AD Premium P2. You can use the same Conditional Access features outlined in the following sections to provide multi-factor authentication to users. |
Azure AD Premium P1 | You can use Azure AD Conditional Access to require multi-factor authentication from users during specific scenarios or events to suit your business needs. |
Azure AD Premium P2 | Provides the strongest security posture and enhanced user experience. Adds risk-based Conditional Access to the Azure AD Premium P1 features, which adapts to user patterns and minimizes multi-factor authentication prompts. |
All Microsoft 365 plans | Azure AD Multi-Factor Authentication can be enabled for all users using security defaults. Azure AD Multi-Factor Authentication is managed through the Microsoft 365 portal. For an enhanced user experience, upgrade to Azure AD Premium P1 or P2 and use Conditional Access. For more information, see: Secure your Microsoft 365 resources with multi-factor authentication. |
Office 365 free / Azure AD free | You can use security defaults to require multi-factor authentication from users when needed. You don't have granular control over enabled users or scenarios, but it does provide an additional security step. Even if security defaults are not used to enable multi-factor authentication for everyone, users assigned to the Azure AD Global Administrator role can be configured to use multi-factor authentication. This feature of the Free tier ensures that critical administrator accounts are protected by multi-factor authentication. |
Feature | Azure AD Free - Security defaults (enabled for all users) | Azure AD Free - Global admins only | Office 365 | Azure AD Premium P1 | Azure AD Premium P2 |
---|---|---|---|---|---|
Protecting Azure AD tenant administrator accounts with MFA | ● | ● (Only Azure AD Global Admin accounts) | ● | ● | ● |
Mobile application as a second factor | ● | ● | ● | ● | ● |
Phone call as a second factor | | ● | ● | ● | ● |
SMS as a second factor | | ● | ● | ● | ● |
Administrator control over verification methods | | ● | ● | ● | ● |
Fraud alert | | | | ● | ● |
MFA reports | | | | ● | ● |
Custom greetings for phone calls | | | | ● | ● |
Custom caller ID for phone calls | | | | ● | ● |
Trusted IPs | | | | ● | ● |
Remember MFA for trusted devices | | ● | ● | ● | ● |
MFA for on-premises applications | | | | ● | ● |
Conditional Access | | | | ● | ● |
Risk-based Conditional Access | | | | | ● |
Identity Protection (risky sign-ins, risky users) | | | | | ● |
Access reviews | | | | | ● |
Entitlement management | | | | | ● |
Privileged Identity Management (PIM), just-in-time access | | | | | ● |
How to Enable MFA Using Azure AD Conditional Access
Conditional Access, located in Azure AD, provides the flexibility to secure M365 applications according to different conditions and lets you enforce MFA under those conditions.
Example use: MFA can be enforced when logging in from unmanaged devices or untrusted IP addresses.
An Azure AD Premium P1 license at minimum is required for Conditional Access.
- Log in to the Azure portal: Go to https://portal.azure.com, log in to your Azure account, and go to Azure Active Directory.
- Access Security Settings: In the left menu, click the Security tab and open Conditional Access.

- Creating a New Policy:
- Click New policy to start creating the policy.

- Enter a name for your policy in the Name field.

- User or Group Assignment:
- Under Users or workload identities, assign a custom security group or user.
- With the Users and groups option, select the group you will assign. With the All users option, you can assign this policy to all users.

- Application Selection:
- Under Cloud apps or actions, select which apps the policy will apply to. For example, require the MFA group you specify to use MFA when signing in to all apps.

- Determination of Conditions:
- Use the Conditions section to customize the policy by location or platform. All locations and device types can be selected, or specific locations can be excluded when requiring MFA.

- MFA Requirement:
- On the Grant tab, tick the Require multifactor authentication option.

- Policy Activation:
- Set the Enable policy option to On and click the Create button to create and activate your policy. Members of the MFA group will be required to use MFA when logging in from all devices and locations.
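
A policy built with the steps above can be exported as JSON (for example through Microsoft Graph) and checked for the settings that decide whether MFA is really enforced. The Python audit below is an added example, not part of the original article; the function name `audit_mfa_policy`, the sample policies and the group IDs are constructed for illustration, and the field names follow the Microsoft Graph conditionalAccessPolicy resource.

```python
import json

# Constructed sample policies in the Microsoft Graph conditionalAccessPolicy
# JSON shape; display names and group IDs are placeholders, not real objects.
SAMPLE = json.loads("""[
 {"displayName": "Require MFA - MFA group", "state": "enabled",
  "conditions": {
    "users": {"includeGroups": ["00000000-0000-0000-0000-000000000001"]},
    "applications": {"includeApplications": ["All"]},
    "locations": {"includeLocations": ["All"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
 {"displayName": "Require MFA - pilot",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "users": {"includeUsers": ["All"],
              "excludeGroups": ["00000000-0000-0000-0000-000000000002"]},
    "applications": {"includeApplications": ["Office365"]},
    "locations": {"includeLocations": ["All"],
                  "excludeLocations": ["AllTrusted"]}},
  "grantControls": {"operator": "OR",
                    "builtInControls": ["mfa", "compliantDevice"]}}
]""")

def audit_mfa_policy(policy):
    """Return findings; an empty list means MFA is enforced as configured."""
    cond = policy.get("conditions") or {}
    users = cond.get("users") or {}
    apps = cond.get("applications") or {}
    locs = cond.get("locations") or {}
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls") or []
    findings = []
    if policy.get("state") == "enabledForReportingButNotEnforced":
        findings.append("report-only: MFA is logged, not enforced")
    elif policy.get("state") != "enabled":
        findings.append("policy is disabled")
    if "mfa" not in controls:
        findings.append("grant controls do not require MFA")
    elif grant.get("operator") == "OR" and len(controls) > 1:
        findings.append("MFA is optional: another control also grants access")
    if not (users.get("includeUsers") or users.get("includeGroups")):
        findings.append("no users or groups assigned")
    if users.get("excludeUsers") or users.get("excludeGroups"):
        findings.append("users or groups are excluded from the policy")
    if "All" not in (apps.get("includeApplications") or []):
        findings.append("policy does not cover all cloud apps")
    if locs.get("excludeLocations"):
        findings.append("some locations are exempt from MFA")
    return findings
```

The first sample matches the walkthrough (enabled, MFA group, all apps, all locations) and returns no findings; the second shows the deviations worth reviewing before relying on a policy for Secure Score or user protection.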

I have shared the steps on how to enable MFA using Azure AD Conditional Access. I hope you find this information useful as you strengthen your security strategies. See you again with new topics in our next article!