Types of MFA: Microsoft 365 Setup Guide Step 5
Multi-factor authentication is a non-negotiable baseline for tenants in Microsoft 365. In order to maintain bare-minimum cybersecurity in a Microsoft tenant, enforcing MFA for all users is a requirement. This crucial security feature can be implemented in many places. In step 5 of our Golden Tenant Microsoft 365 Setup Guide, we are looking in-depth at the different forms of MFA and the many places in Microsoft Entra ID that should be audited.
5 Types of MFA
1. Per-User MFA
Entra.microsoft.com > Users > All Users > Per-User MFA
This is the legacy version of enabling MFA for users. MFA enabled via Conditional Access Policies is the recommended standard for enabling MFA for Admins, Users, and Guest accounts.
Note: This is going to be deprecated in September of 2025.

2. Self-Service Password Reset (SSPR) MFA
Entra.microsoft.com > Protection > Password reset > Authentication methods
The options selected here are the MFA methods available to users who are signed up for Self-Service Password Reset. To reset a password, users must authenticate with their MFA method.
Note: This is also a legacy form of MFA that will be deprecated in September of 2025.

3. Authentication Methods > Policies
Entra.microsoft.com > Protection > Authentication methods > Policies
Moving forward, methods for authentication will be managed here. These settings control MFA for first-time use, the types of MFA options available, and the enforcement of the policies. SSPR MFA and Per-user MFA methods are migrating and getting consolidated here.

4. MFA Registration Campaigns
Entra.microsoft.com > Protection > Authentication methods > Registration campaign
The Registration campaign is a great way to get MFA pushed out within a short timeframe without users postponing this action further. This enforces the Microsoft Authenticator app as the MFA method for users.

5. Conditional Access Policies
Entra.microsoft.com > Protection > Conditional Access > Policies
Conditional access policies offer more granular methods to control MFA enforcement across devices, users, and roles. We will be covering a few high-level MFA policies in this guide.
MFA Inconsistencies
As described above, there is an array of places and ways to enforce MFA in your tenant. This also means there is a lot of room for overlapping—and even contradictory—policies. We will often find a mix of the following:
- Administrators utilizing Per-User MFA to enforce MFA for all users
- Some admins have Self-Service Password Reset (SSPR) set up
- MFA was enforced via Registration Campaigns
- MFA is enabled via Conditional Access policies
- Authentication methods are configured for number matching
- Security Defaults are enabled so the tenant manages MFA itself
The most streamlined method of enforcing MFA is using Conditional Access Policies.
This allows you to specify the enforcement criteria and scope when creating MFA policies from scratch. MFA best practices urge you to use conditional access policies as the means of enforcing MFA.
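The audit described in this section can be run as a single pass over an exported snapshot of the tenant. The following is an added example, not part of the original guide: the snapshot is constructed, its top-level key names are hypothetical, and the nested policy fields are assumed to follow the shape of Microsoft Graph conditional access policy objects.

```python
import json
# Constructed tenant snapshot (not real data). Top-level keys are hypothetical;
# the policy fields are assumed to mirror Microsoft Graph conditional access objects.
SNAPSHOT = json.loads("""
{
  "securityDefaultsEnabled": false,
  "registrationCampaignState": "enabled",
  "perUserMfa": {"alice@contoso.example": "enforced",
                 "bob@contoso.example": "disabled"},
  "conditionalAccessPolicies": [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Require MFA for admins (pilot)",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": [], "includeRoles": ["<role-id>"]}},
     "grantControls": {"builtInControls": ["mfa"]}}
  ]
}
""")

def requires_mfa(policy):
    """True if the grant controls demand MFA or an authentication strength."""
    grant = policy.get("grantControls") or {}
    return "mfa" in grant.get("builtInControls", []) or bool(grant.get("authenticationStrength"))

def audit_mfa(snap):
    """Return (sources, findings): MFA mechanisms in use, and items to review."""
    sources, findings = [], []
    ca_mfa = [p for p in snap["conditionalAccessPolicies"] if requires_mfa(p)]
    enforced = [p for p in ca_mfa if p["state"] == "enabled"]
    if enforced:
        sources.append("conditional_access")
    for p in ca_mfa:
        if p["state"] != "enabled":  # disabled or report-only: not protecting anyone
            findings.append(f"CA policy not enforced ({p['state']}): {p['displayName']}")
    if not any("All" in p["conditions"]["users"].get("includeUsers", []) for p in enforced):
        findings.append("No enabled CA policy requires MFA for all users")
    legacy = sorted(u for u, s in snap["perUserMfa"].items() if s != "disabled")
    if legacy:
        sources.append("per_user_mfa")
    if snap["securityDefaultsEnabled"]:
        sources.append("security_defaults")
    if snap["registrationCampaignState"] == "enabled":
        sources.append("registration_campaign")
    if "conditional_access" in sources and legacy:
        findings.append("Per-user MFA overlaps Conditional Access: " + ", ".join(legacy))
    if "conditional_access" in sources and "security_defaults" in sources:
        findings.append("Security Defaults and Conditional Access both enforce MFA")
    return sources, findings
```

Calling `audit_mfa(SNAPSHOT)` returns the mechanisms in use and the overlaps to clean up before consolidating on Conditional Access.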