How to Enable MFA in Microsoft Entra ID (Azure AD)

Complete guide to enabling Multi-Factor Authentication in Microsoft Entra ID using per-user MFA, Conditional Access policies, and Security Defaults for enhanced identity protection.

10 min read. Updated 2026-01-13

Multi-Factor Authentication (MFA) is one of the most effective security controls for protecting identities in Microsoft Entra ID (formerly Azure Active Directory). This guide covers three approaches to enabling MFA: Security Defaults for basic protection, per-user MFA for simple configurations, and Conditional Access for enterprise-grade control.

This article is part of our comprehensive guide on Cloud Security Tips for 2026, which covers essential security practices across all major cloud platforms.

Overview

Microsoft Entra ID supports several methods for implementing MFA:

  • Security Defaults: Free, basic MFA for all users (recommended for small organizations)
  • Per-user MFA: Legacy approach enabling MFA for individual users
  • Conditional Access: Policy-based MFA with granular conditions (requires P1/P2 license)

The recommended approach for most organizations is Conditional Access, as it provides the best balance of security and user experience. However, Security Defaults offers excellent protection for organizations without premium licenses.

Prerequisites

Before enabling MFA, ensure you have:

  • Microsoft Entra ID access with Global Administrator or Security Administrator role
  • Understanding of your license tier (Free, P1, or P2)
  • List of break-glass accounts that may need MFA exclusions
  • Communication plan for notifying users about MFA requirements
  • Azure Portal access at https://portal.azure.com

Method 1: Enable Security Defaults

Security Defaults is the simplest way to enable MFA across your organization. It requires MFA registration for all users and blocks legacy authentication protocols.

Enable Security Defaults via Azure Portal

  1. Sign in to the Azure Portal
  2. Navigate to Microsoft Entra ID > Properties
  3. Scroll down and click Manage security defaults
  4. Set Enable security defaults to Yes
  5. Click Save

Verify Security Defaults Status via Azure CLI

# Check current security defaults status
az rest --method GET \
  --url 'https://graph.microsoft.com/v1.0/policies/identitySecurityDefaultsEnforcementPolicy'

# Enable security defaults
az rest --method PATCH \
  --url 'https://graph.microsoft.com/v1.0/policies/identitySecurityDefaultsEnforcementPolicy' \
  --body '{"isEnabled": true}'

Security Defaults Behavior

When enabled, Security Defaults:

  • Requires all users to register for MFA within 14 days
  • Requires MFA for administrators on every sign-in
  • Requires MFA for users when accessing sensitive resources
  • Blocks legacy authentication (IMAP, POP3, SMTP AUTH)
  • Protects privileged actions in Azure Portal

Method 2: Configure Per-User MFA

Per-user MFA allows you to enable MFA for specific users. This is the legacy approach but may be appropriate for simple scenarios.

Enable Per-User MFA via Azure Portal

  1. Sign in to the Azure Portal
  2. Navigate to Microsoft Entra ID > Users
  3. Click Per-user MFA in the top menu
  4. Select users to enable MFA for
  5. Click Enable in the quick steps panel
  6. Confirm the action

User MFA States

Per-user MFA has three states:

State      Description
Disabled   User not enrolled in MFA
Enabled    User registered but MFA not yet enforced
Enforced   User must use MFA for all sign-ins

Enable MFA via PowerShell

# Connect to Microsoft Graph
Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All"

# Get user authentication methods
$userId = "user@contoso.example"   # placeholder UPN; replace with the user you are checking
Get-MgUserAuthenticationMethod -UserId $userId

# Note: Per-user MFA management requires MSOL module or Azure Portal
# For modern management, use Conditional Access policies instead

Method 3: Configure Conditional Access

Conditional Access provides policy-based MFA with granular control over when MFA is required. This is the recommended approach for organizations with Microsoft Entra ID P1 or P2 licenses.

Create a Conditional Access Policy for MFA

  1. Sign in to the Azure Portal
  2. Navigate to Microsoft Entra ID > Security > Conditional Access
  3. Click + New policy
  4. Configure the policy:

Name: Require MFA for all users

Assignments:

  • Users: All users (exclude break-glass accounts)
  • Cloud apps: All cloud apps
  • Conditions: Optionally configure locations, device platforms, or risk levels

Access controls:

  • Grant: Select Require multifactor authentication

  5. Set Enable policy to On
  6. Click Create

Create these policies for comprehensive MFA coverage:

Policy 1: Require MFA for administrators

Name: CA001 - Require MFA for admins
Users: Directory roles (all admin roles)
Cloud apps: All cloud apps
Grant: Require MFA

Policy 2: Require MFA from untrusted locations

Name: CA002 - Require MFA outside trusted locations
Users: All users
Cloud apps: All cloud apps
Conditions: Locations - Exclude trusted locations
Grant: Require MFA

Policy 3: Require MFA for risky sign-ins

Name: CA003 - Require MFA for medium/high risk
Users: All users
Cloud apps: All cloud apps
Conditions: Sign-in risk - Medium and High
Grant: Require MFA

Create Conditional Access Policy via Azure CLI

# Create a Conditional Access policy requiring MFA
# excludeUsers takes user object IDs (GUIDs); replace the placeholder with your break-glass account IDs
az rest --method POST \
  --url 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' \
  --body '{
    "displayName": "Require MFA for all users",
    "state": "enabled",
    "conditions": {
      "users": {
        "includeUsers": ["All"],
        "excludeUsers": ["<break-glass-account-object-id>"]
      },
      "applications": {
        "includeApplications": ["All"]
      }
    },
    "grantControls": {
      "operator": "OR",
      "builtInControls": ["mfa"]
    }
  }'

# List all Conditional Access policies
az rest --method GET \
  --url 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies'

Configure MFA Authentication Methods

Control which MFA methods users can register:

  1. Navigate to Microsoft Entra ID > Security > Authentication methods
  2. Click Policies
  3. Configure each method:
    • Microsoft Authenticator: Recommended, enable for all users
    • FIDO2 security keys: Enable for high-security scenarios
    • SMS: Enable as backup, less secure
    • Voice call: Enable as backup

Priority  Method                                  Security Level
1         Microsoft Authenticator (passwordless)  High
2         FIDO2 security keys                     High
3         Microsoft Authenticator (push)          Medium-High
4         Software OATH tokens                    Medium
5         SMS                                     Low

Verify MFA Configuration

After enabling MFA, verify it's working correctly:

Check User Registration Status

# Get MFA registration status via Microsoft Graph
az rest --method GET \
  --url 'https://graph.microsoft.com/v1.0/reports/authenticationMethods/usersRegisteredByMethod'

# Get per-user authentication method registration
az rest --method GET \
  --url 'https://graph.microsoft.com/v1.0/users/{user-id}/authentication/methods'
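The per-user methods call returns one object per registered method, typed by `@odata.type`. The following Python script, an added example rather than code from the article, ranks those types according to the priority table in the Authentication Methods section and flags users who have no MFA method or only a phone-based one. The user records are constructed sample responses; the v1.0 Authenticator method object does not distinguish passwordless from push, so both share one rank here.

```python
"""Classify registered MFA methods from GET /users/{id}/authentication/methods responses."""

# Rank 1 is strongest, following the article's priority table.
METHOD_RANK = {
    "#microsoft.graph.fido2AuthenticationMethod": (1, "FIDO2 security key"),
    "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod": (2, "Microsoft Authenticator"),
    "#microsoft.graph.softwareOathAuthenticationMethod": (3, "Software OATH token"),
    "#microsoft.graph.phoneAuthenticationMethod": (4, "Phone (SMS or voice call)"),
}
PASSWORD = "#microsoft.graph.passwordAuthenticationMethod"   # first factor, not an MFA method

# Constructed sample: the `value` array of each user's methods response, keyed by UPN.
SAMPLE_METHODS = {
    "alice@contoso.example": [
        {"@odata.type": PASSWORD},
        {"@odata.type": "#microsoft.graph.fido2AuthenticationMethod", "model": "constructed key"},
        {"@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod"},
    ],
    "bob@contoso.example": [
        {"@odata.type": PASSWORD},
        {"@odata.type": "#microsoft.graph.phoneAuthenticationMethod", "phoneType": "mobile"},
    ],
    "carol@contoso.example": [
        {"@odata.type": PASSWORD},
    ],
    "dave@contoso.example": [
        {"@odata.type": PASSWORD},
        {"@odata.type": "#microsoft.graph.softwareOathAuthenticationMethod"},
    ],
}


def assess_user(methods):
    """Return (label, strongest method name) for one user's method list.

    Labels: "ok" (Authenticator or FIDO2), "medium" (OATH token only),
    "weak" (phone only), "none" (no MFA method registered).
    """
    ranked = sorted(METHOD_RANK[m["@odata.type"]] for m in methods if m["@odata.type"] in METHOD_RANK)
    if not ranked:
        return ("none", None)
    rank, name = ranked[0]
    if rank <= 2:
        return ("ok", name)
    if rank == 3:
        return ("medium", name)
    return ("weak", name)


def registration_report(users_methods):
    """Map each UPN to its assessment so weak and unregistered users can be followed up."""
    return {upn: assess_user(methods) for upn, methods in users_methods.items()}


def needs_attention(users_methods):
    """UPNs that should be asked to register a stronger method before enforcement."""
    report = registration_report(users_methods)
    return sorted(upn for upn, (label, _) in report.items() if label in ("weak", "none"))


if __name__ == "__main__":
    for upn, (label, name) in registration_report(SAMPLE_METHODS).items():
        print(f"{upn:28} {label:7} {name or '-'}")
    print("follow up:", needs_attention(SAMPLE_METHODS))
```

In a real run you would populate the dictionary by calling the methods endpoint for each user returned by the registration report, then use `needs_attention` to drive the user communication step before switching a policy from report-only to enforced.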

Review Sign-in Logs

  1. Navigate to Microsoft Entra ID > Sign-in logs
  2. Filter by Authentication requirement = Multifactor authentication
  3. Verify users are completing MFA successfully
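Beyond confirming that prompts succeed, the sign-in logs are where MFA fatigue (best practice 4 below) shows up: a burst of denied prompts for one user, sometimes followed by an approval. The following Python script, an added example and not part of the article, runs that detection over constructed sample records in the trimmed shape of Graph `/auditLogs/signIns` entries. It assumes error code 500121 marks a failed strong-authentication request and 0 marks success; the threshold and window are this example's own choices.

```python
"""Flag MFA fatigue patterns in Entra sign-in log records."""
from collections import defaultdict
from datetime import datetime, timedelta

MFA_FAILURE_CODE = 500121   # Entra: authentication failed during strong authentication request


def _rec(upn, ts, error_code, ip):
    """One constructed sign-in record, trimmed to the fields this detection uses."""
    return {
        "userPrincipalName": upn,
        "createdDateTime": ts,
        "ipAddress": ip,
        "authenticationRequirement": "multiFactorAuthentication",
        "status": {"errorCode": error_code},
    }


# Constructed sample log: alice is normal, bob shows a fatigue pattern, carol is below threshold.
SAMPLE_SIGNINS = [
    _rec("alice@contoso.example", "2026-01-13T08:00:05Z", 0, "203.0.113.10"),
    _rec("alice@contoso.example", "2026-01-13T12:30:00Z", MFA_FAILURE_CODE, "203.0.113.10"),
    # bob: six denied prompts in five minutes from an unfamiliar address, then an approval
    *[_rec("bob@contoso.example", f"2026-01-13T09:0{i}:00Z", MFA_FAILURE_CODE, "198.51.100.7")
      for i in range(6)],
    _rec("bob@contoso.example", "2026-01-13T09:06:30Z", 0, "198.51.100.7"),
    # carol: three scattered failures over an hour
    _rec("carol@contoso.example", "2026-01-13T10:00:00Z", MFA_FAILURE_CODE, "192.0.2.5"),
    _rec("carol@contoso.example", "2026-01-13T10:25:00Z", MFA_FAILURE_CODE, "192.0.2.5"),
    _rec("carol@contoso.example", "2026-01-13T10:55:00Z", MFA_FAILURE_CODE, "192.0.2.5"),
]


def _ts(record):
    return datetime.strptime(record["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")


def mfa_failure_bursts(signins, threshold=5, window=timedelta(minutes=10)):
    """Return {upn: max MFA failures inside any sliding `window`} for users reaching `threshold`."""
    failures = defaultdict(list)
    for r in signins:
        if r.get("authenticationRequirement") != "multiFactorAuthentication":
            continue
        if r["status"].get("errorCode") == MFA_FAILURE_CODE:
            failures[r["userPrincipalName"]].append(_ts(r))
    bursts = {}
    for upn, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:      # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                bursts[upn] = max(bursts.get(upn, 0), count)
    return bursts


def approved_after_burst(signins, threshold=5, window=timedelta(minutes=10)):
    """Users whose burst of denials is followed by a successful MFA sign-in within `window`.

    This is the case to escalate: a user may have approved a prompt they did not initiate.
    """
    hits = []
    for upn in sorted(mfa_failure_bursts(signins, threshold, window)):
        events = [r for r in signins if r["userPrincipalName"] == upn]
        last_failure = max(_ts(r) for r in events if r["status"].get("errorCode") == MFA_FAILURE_CODE)
        if any(r["status"].get("errorCode") == 0 and last_failure <= _ts(r) <= last_failure + window
               for r in events):
            hits.append(upn)
    return hits


if __name__ == "__main__":
    print("bursts:", mfa_failure_bursts(SAMPLE_SIGNINS))
    print("approved after burst:", approved_after_burst(SAMPLE_SIGNINS))
```

To use this on real data, page through `GET https://graph.microsoft.com/v1.0/auditLogs/signIns` (which returns the same field names) and feed the `value` arrays in; users returned by `approved_after_burst` warrant a password reset and session revocation review, while plain bursts are a signal to enable number matching in Authenticator.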

Best Practices

  1. Start with report-only mode: Test Conditional Access policies in report-only mode before enforcement
  2. Create break-glass accounts: Maintain at least two emergency access accounts excluded from MFA
  3. Use phishing-resistant methods: Prefer Microsoft Authenticator or FIDO2 over SMS
  4. Monitor MFA fatigue: Review sign-in logs for unusual MFA prompt volumes
  5. Communicate with users: Provide clear instructions before enforcing MFA
  6. Enable combined registration: Allow users to register for MFA and SSPR together

Troubleshooting

Users not prompted for MFA registration:

  • Verify Security Defaults or Conditional Access policy is enabled
  • Check user is not excluded from policy
  • Allow 15 minutes for policy propagation

MFA registration failures:

  • Ensure Microsoft Authenticator is installed on mobile device
  • Check network connectivity to Microsoft services
  • Try alternative verification method

Conditional Access policy not applying:

  • Review policy conditions and assignments
  • Check for conflicting policies with higher priority
  • Verify policy state is "On" not "Report-only"

Next Steps

After enabling MFA, consider these additional security measures:

  • Enable Self-Service Password Reset (SSPR) with MFA
  • Configure Identity Protection for risk-based policies
  • Implement Privileged Identity Management for admin accounts
  • Review Cloud Security Tips for 2026 for comprehensive cloud security guidance

Frequently Asked Questions

Find answers to common questions

What is the difference between per-user MFA and Conditional Access MFA?

Per-user MFA is the legacy approach where you enable MFA for individual users directly. Each user is either enabled or disabled for MFA regardless of context. Conditional Access MFA is the modern approach where MFA requirements are applied based on conditions like user location, device state, application sensitivity, or risk level. Conditional Access offers more granular control and a better user experience, since MFA may only be required in specific circumstances.
