Turning on multi-factor authentication in Microsoft 365
How to turn on multi-factor authentication (MFA) in Microsoft 365 — the single most effective step to protect your business email and files from hackers.
Multi-factor authentication — also called MFA or two-factor authentication — adds a second check when someone signs in. Even if a hacker gets hold of a password, they can't get in without also having your phone.
Quick summary
MFA requires a second step after entering your password — usually approving a notification on your phone or entering a code from an app. It dramatically reduces the risk of your accounts being hacked. Admins can turn it on for everyone in the Microsoft 365 admin center. This is the most important security step you can take.
Why this matters
Password breaches are extremely common. A weak or reused password is all a hacker needs to access your email, files, and business data. MFA means that even if a password is stolen, the attacker still can't sign in without a second factor — your phone.
Microsoft reports that MFA blocks more than 99% of automated account attacks.
Setting up MFA as an admin
Admin access required. Time needed: 10–15 minutes.
There are two main ways to turn on MFA for your organization in Microsoft 365:
Option 1: Security defaults (simplest — recommended for most businesses)
Security defaults is Microsoft's pre-configured set of security policies designed for small businesses. Enabling security defaults automatically requires MFA for all users and admins.
Sign in to the Azure portal at portal.azure.com (you use your Microsoft 365 admin credentials).
Search for "Azure Active Directory" (or "Microsoft Entra ID" — same thing, renamed) and click it.
Go to Properties in the left menu.
Click Manage security defaults at the bottom of the page.
Toggle Security defaults to Enabled and click Save.
Tell your team before you turn this on
Once security defaults are enabled, every user will be prompted to set up MFA on their next sign-in. They have 14 days to complete this. Warn your team in advance so they're not confused when the prompt appears.
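If you would rather script the change, or confirm afterwards that security defaults really are on, the following is an added example and not part of this guide. It uses the Microsoft Graph PowerShell SDK's generic request cmdlet against Graph's security defaults policy object (the same setting the portal toggle changes). It assumes you have installed the Microsoft.Graph module and sign in with a Global Administrator account of your own tenant.

```powershell
# Added example (not from the guide): read the security defaults setting and
# enable it if it is off, using the Microsoft Graph PowerShell SDK.
# Assumption: Install-Module Microsoft.Graph has been run once on this machine,
# and the account you sign in with is a Global Administrator of your tenant.

Import-Module Microsoft.Graph.Authentication

# Interactive sign-in. Policy.ReadWrite.ConditionalAccess is the Graph permission
# that covers both reading and updating the security defaults policy.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# The tenant-wide security defaults policy is a single object with one boolean.
$uri = "https://graph.microsoft.com/v1.0/policies/identitySecurityDefaultsEnforcementPolicy"

# Step 1: read the current state before changing anything.
$policy = Invoke-MgGraphRequest -Method GET -Uri $uri
Write-Host "Security defaults currently enabled: $($policy.isEnabled)"

if (-not $policy.isEnabled) {
    # Step 2: same change as 'Toggle Security defaults to Enabled' in the portal.
    Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body @{ isEnabled = $true }

    # Step 3: re-read rather than trusting the request succeeded.
    $policy = Invoke-MgGraphRequest -Method GET -Uri $uri
    if ($policy.isEnabled) {
        Write-Host "Security defaults are now enabled. Users will be asked to register MFA at their next sign-in (14-day grace period)."
    } else {
        # Security defaults cannot be turned on while Conditional Access policies are in use.
        Write-Warning "Security defaults are still disabled. If the tenant uses Conditional Access policies, require MFA there instead."
    }
} else {
    Write-Host "Nothing to do: security defaults are already on."
}

Disconnect-MgGraph
```

Running this before and after the portal steps is a quick way to check that the setting stuck; the GET call needs no change and is safe to run as often as you like.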
Option 2: Conditional access policies (for more control)
If you need more control — for example, requiring MFA only for admin accounts, or only when signing in from outside the office — you can use Conditional Access policies. This requires a Microsoft 365 Business Premium or an Azure AD Premium license.
For most small businesses, security defaults (Option 1) is the right starting point.
Setting up MFA as a user
When you're first prompted to set up MFA after sign-in, here's what to expect:
Sign in as normal with your email and password.
A prompt appears saying "More information required." Click Next.
Download the Microsoft Authenticator app on your phone — it's available from the App Store or Google Play. Then click Next.
Open the Authenticator app on your phone and add a work account. Scan the QR code shown on your screen.
Approve the test notification. Microsoft will send a test push notification to your phone. Tap Approve in the app.
You're set up. From now on, when you sign in, you'll get a push notification to approve on your phone.
What happens at sign-in with MFA turned on
Enter your email address on the Microsoft sign-in page.
Enter your password and click Sign in.
A notification appears on your phone. Open the Microsoft Authenticator app and tap Approve (or enter a code if you're using the code method).
You're in. The whole process takes about 10 seconds once you're used to it.