3 ways to implement Multi-Factor Authentication (MFA) protection controls for Microsoft 365

In this blog I’ll go through the 3 different methods of implementing Multi-Factor Authentication (MFA) protection for sign-ins to your Microsoft 365 tenant. I’ll summarise how those methods differ and which you should consider implementing. Lastly, I’ll demonstrate how to generate a report to show which of your accounts have registered for MFA and how to check which methods they’re using.  

How to enable MFA controls

Security defaults

Per-User MFA 

Conditional Access 

Which Type To Use? 

Checking Your Configuration – download your free PowerShell script

Author: Ben Owens, Technical Architect at Cloud Business


An experienced Technical Architect, Ben supports customers with Professional Services. He takes a truly consultative approach by encouraging open and creative conversations about technology during the discovery phase, helping businesses to uncover the best solutions for their users.

Ben’s specialisms include Microsoft 365, Exchange, Identity and Modern Desktop with Microsoft Endpoint Manager.


How to enable Multi-Factor Authentication (MFA) controls

To enable MFA controls in Microsoft 365, you essentially have three options: 

  • Security Defaults 
  • Per User MFA 
  • Conditional Access 

The focus of this blog is the method of providing MFA protection using Azure AD, not federated identity via ADFS or third parties.

Security defaults  

This is a global setting. It’s fundamentally an on/off switch for providing MFA protection for all accounts on your tenant. It provides MFA protection across the board to all your accounts and with no exceptions.  

In practice, when signing into a new account, the user would have 14 days from initial sign-in to set up an MFA method. The user could choose to skip that if they wish, but after 14 days they would be forced to set up their MFA method. Subsequent logins would then be subject to an MFA claim to access the tenant.  

Security defaults were introduced in October 2019. This was primarily aimed at providing a baseline protection for all newly provisioned M365 tenants. Prior to this, tenants were created without any MFA protection by default. 

Key points about security defaults

  • It’s free with no additional subscription required for MFA protection 
  • It’s enabled by default on newly provisioned tenants  
  • There are no exceptions in MFA protection – this is important to note if you require an account login which cannot complete an MFA prompt
  • SMS cannot be used as a verification method (SMS is generally discouraged now in any case) 
  • Users are required to register for and to use the Microsoft Authenticator app 

Per-user Multi-Factor Authentication (MFA)

As its name suggests, it’s enabled on a per account basis. In comparison to security defaults, this does give you the flexibility to make exceptions to accounts. However, its benefit is also its Achilles’ heel. You must proactively enable per-user MFA on an account, either via script or via the admin console. If you don’t enable per-user MFA on that account, it won’t have MFA protection. 

Key points about per-user Multi-Factor Authentication (MFA) 

  • It’s free with no additional subscription required for MFA protection 
  • You control which accounts have MFA protection 
  • Once enabled on an account, there are no exceptions in MFA protection for that account – this is important to note if you require an account login which cannot complete an MFA prompt 
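The per-user MFA section above says the setting must be proactively enabled on each account, by script or in the admin console, and that any account you miss has no protection. The following is an added example (not the blog's own script) of doing that with the MSOnline module, then sweeping for accounts that were never enabled. It assumes Connect-MsolService has already been run with an account that can modify users; the user principal names are constructed placeholders.

```powershell
# Added example: enable per-user MFA with the MSOnline module and check the result.
# Assumes Connect-MsolService has already been run.

function Enable-PerUserMfa {
    param(
        [Parameter(Mandatory)] [string[]] $UserPrincipalName,
        # 'Enabled' prompts the user to register at next sign-in;
        # 'Enforced' requires MFA immediately, so registration must already be done.
        [ValidateSet('Enabled', 'Enforced')] [string] $State = 'Enabled'
    )

    # The per-user MFA switch is the account's StrongAuthenticationRequirements collection.
    $requirement = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $requirement.RelyingParty = '*'
    $requirement.State = $State

    foreach ($upn in $UserPrincipalName) {
        Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements @($requirement)
    }
}

function Get-PerUserMfaState {
    param([Parameter(Mandatory)] [string] $UserPrincipalName)
    $user = Get-MsolUser -UserPrincipalName $UserPrincipalName
    # An empty collection means per-user MFA is off for this account.
    if ($user.StrongAuthenticationRequirements.Count -eq 0) { return 'Disabled' }
    return $user.StrongAuthenticationRequirements[0].State
}

function Find-AccountsWithoutPerUserMfa {
    # The "Achilles' heel" check: member accounts that were provisioned but never enabled.
    Get-MsolUser -All |
        Where-Object { $_.UserType -eq 'Member' -and $_.StrongAuthenticationRequirements.Count -eq 0 } |
        Select-Object UserPrincipalName, DisplayName, WhenCreated
}

# Constructed sample accounts (placeholders, not real users).
$newStarters = @('alice@contoso.example', 'bob@contoso.example')
Enable-PerUserMfa -UserPrincipalName $newStarters

# Verify each account, then list anything in the tenant still unprotected.
foreach ($upn in $newStarters) {
    Write-Output ("{0} : {1}" -f $upn, (Get-PerUserMfaState -UserPrincipalName $upn))
}
Find-AccountsWithoutPerUserMfa
```

Run Find-AccountsWithoutPerUserMfa on a schedule (or from your joiner process) so that the gap between provisioning an account and enabling per-user MFA on it is measured in minutes rather than discovered in an audit.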

Conditional Access 

By using conditional access to implement MFA protection you have far greater flexibility in the scenarios where MFA is required. For example, you could require MFA for all users, but make exclusions for accounts connecting from a particular location. 

By using conditional access policies, you can also go much further than rules around MFA. For example, conditional access policies can be used to require that only organisational devices, or users connecting from trusted external IP addresses, can access certain M365 resources. The level of access to those resources can also be controlled, for example restricting the ability to download attachments from M365. 

Unlike security defaults and per-user MFA, conditional access requires an Azure AD premium P1 licence. This comes bundled in with Microsoft 365 E3 plans and above (a plan we typically see in use). It also comes bundled with Microsoft 365 business premium plans too. 

Key points about Conditional Access

  • It requires an Azure AD Premium P1 or above licence for each user logging into the service 
  • It can provide MFA for all accounts by default and allow exceptions in specific conditions 
  • It provides greater flexibility in your conditions required 
  • It can provide much more than just controls around MFA verification 

How are they invoked and what should you use?

You would only use one of these three methods of providing MFA protection. They take effect in a fixed order of precedence, so be aware if you’ve enabled more than one way to provide MFA protection. 

(Diagram: MFA protection options in order of precedence – security defaults, per-user MFA, Conditional Access)

The method which takes precedence, if enabled, is security defaults. This is a broad brush on/off setting; so, if you have that enabled, then per-user MFA or a conditional access policy will not function as expected for a user’s login.  

If you want to use per-user MFA, you will need to switch off security defaults. You will then be using MFA on a per account basis.  

If you want to use conditional access for providing MFA protection, then the users scoped to your conditional access policies shouldn’t be enabled for per-user MFA. Although possible, I wouldn’t recommend using a mixture of per-user MFA protection for some accounts and conditional access MFA protection for others. This is confusing to troubleshoot and will likely result in security gaps. 
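The Conditional Access section above describes a policy that requires MFA for all users with an exception for a particular location, and the precedence section just above says security defaults override any such policy if left on. The following is an added example (not the blog's code) that checks the security defaults state and then creates that policy in report-only mode using the Microsoft Graph PowerShell SDK. It assumes that SDK is installed, that the signed-in account has the listed permissions, and that the break-glass object id is replaced with your own; the display name is a constructed placeholder.

```powershell
# Added example: check security defaults, then create a report-only Conditional Access
# policy requiring MFA for all users, excluding trusted locations and a break-glass account.
# Assumes the Microsoft.Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns) is installed.

Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess'

# 1. Precedence check: security defaults take priority over Conditional Access,
#    so the policy is pointless (and misleading) while they are still enabled.
$securityDefaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($securityDefaults.IsEnabled) {
    throw 'Security defaults are enabled; turn them off before relying on Conditional Access for MFA.'
}

# 2. Build the policy in report-only mode first, so the sign-in logs show what it
#    would have done to real traffic before anyone is actually challenged or blocked.
$breakGlassObjectId = '00000000-0000-0000-0000-000000000000'   # placeholder: your emergency-access account's object id

$policy = @{
    displayName   = 'CA001 - Require MFA for all users'          # constructed name
    state         = 'enabledForReportingButNotEnforced'           # change to 'enabled' after reviewing report-only results
    conditions    = @{
        users        = @{
            includeUsers = @('All')
            excludeUsers = @($breakGlassObjectId)
        }
        applications = @{ includeApplications = @('All') }
        locations    = @{
            includeLocations = @('All')
            excludeLocations = @('AllTrusted')                     # the "particular location" exception: your trusted named locations
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output ("Created policy {0} in state {1}" -f $created.Id, $created.State)
```

Leave the policy in report-only mode for a period and review the Conditional Access tab of the sign-in logs before switching the state to enabled. Keep the break-glass exclusion, and make sure the accounts this policy covers are not also enabled for per-user MFA, as the text above advises.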

Which Type To Use? 

For a new tenant, you would initially use security defaults. They are turned on by default, and you would rely on that protection at the start, before deciding on a longer-term approach. 

If your tenant will have a relatively small number of users, and you don’t have a licence plan which includes Azure AD Premium P1 or above, then security defaults are probably a good place to be.  

If you want more flexibility, or if you need exceptions, then per-user MFA is a better fit. The obvious downside is that you need to make sure users are enabled for MFA as soon as you provision them.  

If you have your users licensed for Azure AD Premium P1, then adopting conditional access policies would make sense. This way you can have a policy that affects all users by default and requires no manual tasks: users are covered by MFA by default, but you still have the flexibility of exceptions where you need them. Hopefully that gives you an overview of the three options. In a separate video I’ll go through how you enable those in the tenant, how you switch them on and off, and a basic example of setting up some common conditional access baseline policies. 

Checking Your Configuration

You can use the following PowerShell script to determine which of your users have registered for MFA and, if so, whether they’re using per-user MFA. You can download it from https://github.com/Cloud-Business/MFATypeReport/blob/main/MFATypeReport.ps1

The script requires that you connect to your tenant using the Microsoft Online Module. If you don’t have this, see the following link: https://docs.microsoft.com/en-us/microsoft-365/enterprise/connect-to-microsoft-365-powershell?view=o365-worldwide#step-1-install-the-required-software-1

Once you have connected to your tenant using the MSOL module, run the script. This will provide an output CSV file like the below: 

(Screenshot: MFA protection report summary – the CSV output produced by the script)
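The downloadable script linked above is not reproduced on this page, so the following is an added example (my own code, not the blog's MFATypeReport.ps1) of the same kind of report built with the MSOnline module: which member accounts have registered MFA methods, which methods and default they chose, and whether per-user MFA is enabled or enforced on them. It assumes Connect-MsolService has already been run; the output path is a placeholder. Note that Microsoft has since deprecated the MSOnline module in favour of Microsoft Graph PowerShell, so treat this as the MSOL-era form of the check.

```powershell
# Added example: MFA registration and per-user MFA state report with the MSOnline module.
# Assumes Connect-MsolService has already been run.

function Get-MfaTypeReport {
    param([string] $Path = '.\MFATypeReport.csv')   # placeholder output path

    $rows = Get-MsolUser -All |
        Where-Object { $_.UserType -eq 'Member' -and -not $_.BlockCredential } |
        ForEach-Object {
            # Registered verification methods, e.g. PhoneAppNotification, PhoneAppOTP, OneWaySMS.
            $methods = @($_.StrongAuthenticationMethods)
            $default = ($methods | Where-Object { $_.IsDefault } | Select-Object -First 1).MethodType

            # StrongAuthenticationRequirements is only populated when per-user MFA is
            # Enabled or Enforced on the account; an empty collection means it is off.
            $perUser = if ($_.StrongAuthenticationRequirements.Count -gt 0) {
                $_.StrongAuthenticationRequirements[0].State
            } else { 'Disabled' }

            [pscustomobject]@{
                UserPrincipalName = $_.UserPrincipalName
                DisplayName       = $_.DisplayName
                MfaRegistered     = ($methods.Count -gt 0)
                RegisteredMethods = ($methods.MethodType -join ';')
                DefaultMethod     = $default
                PerUserMfaState   = $perUser
            }
        }

    $rows | Export-Csv -Path $Path -NoTypeInformation
    return $rows
}

$report = Get-MfaTypeReport

# Two findings worth acting on straight from the report:
# accounts with nothing registered, which cannot satisfy any MFA prompt yet ...
Write-Output '--- Accounts with no registered MFA method ---'
$report | Where-Object { -not $_.MfaRegistered } |
    Select-Object UserPrincipalName, PerUserMfaState

# ... and accounts whose default method is SMS, which the post notes is discouraged.
Write-Output '--- Accounts defaulting to SMS ---'
$report | Where-Object { $_.DefaultMethod -eq 'OneWaySMS' } |
    Select-Object UserPrincipalName, RegisteredMethods
```

The unregistered list is the one to watch if you rely on per-user MFA or Conditional Access: an account with no method registered is either still inside its registration grace period or has never been enabled at all, and both cases are worth chasing.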

Summary 

The above provides direction of how to review and plan the correct MFA protection method for you. 

If you’re looking for assistance in these areas, please get in contact and we’ll be happy to help.


2021 © Cloud Business Limited