There are countless articles and blog posts that describe the steps involved in enabling multifactor authentication for Microsoft 365. Even so, the process has changed significantly in recent months. In fact, the multifactor authentication option that once appeared in the Microsoft 365 admin center’s Users section no longer exists. As such, I wanted to take the opportunity to show you the new way to enable multifactor authentication. As I do, I’m also going to talk about some important considerations that you should think about before you enable multifactor authentication. (And look for a story by my colleague Sukesh Mudrakola about enabling multifactor authentication on an array of platforms other than Microsoft 365 to be published here at TechGenix tomorrow.)
Start with Azure AD admin center
Rather than going through the Microsoft 365 admin center, as was required in the past, you will need to begin the process by logging into Microsoft 365 and opening the Azure Active Directory admin center. Once the console opens, click on the Azure Active Directory tab, and then click on the Properties tab. You can see what this tab looks like in the figure below.
If you look at the bottom of the screen capture shown above, you will notice a Manage Security Defaults link located just beneath the Access Management for Azure Resources switch. When you click on this link, the console will open a side panel labeled Enable Security Defaults. You can see what this looks like in the next figure. All you need to do now is to set the switch to Yes to enable the security defaults.
You may have noticed that the Enable Security Defaults switch does not say anything about multifactor authentication. The reason for this is that when you enable security defaults, you are doing a lot more than just enabling multifactor authentication. In fact, there are five separate security settings that are tied to this switch. Enabling the security defaults does the following:
- Enabling the security defaults requires all users to register for multifactor authentication.
- When the security defaults are enabled, all administrators will be required to perform multifactor authentication.
- Once this setting is enabled, all legacy authentication protocols will be blocked and will no longer work.
- Users will be required to perform multifactor authentication whenever Azure Active Directory deems it necessary.
- Privileged activities, such as accessing the Microsoft Azure portal, will be protected by multifactor authentication.
Multifactor authentication for Microsoft 365: Quick-and-easy way
So as you can see, enabling the security defaults globally enables multifactor authentication and enables all related settings. This is the quick-and-easy way to enable multifactor authentication for all of your Microsoft 365 users. As handy as it may be to have a single switch that controls everything, however, enabling the security defaults might not always be the best course of action.
There are two very important things that you need to consider before you enable the security defaults. First, enabling the security defaults is a global operation. In other words, this is something that is going to impact all of your user accounts. The second thing that you need to think about is that when you enable the security defaults, legacy authentication protocols will be disabled. In other words, multifactor authentication is going to be the only means for authenticating into the Microsoft 365 environment.
On the surface, it may seem ideal to require multifactor authentication across the board. However, putting this type of blanket requirement into place can sometimes break things. For example, in my organization, I have several PowerShell scripts that require authentication into the Microsoft 365 environment. If I were to enable the security defaults, then these PowerShell scripts would most likely stop working.
Keep in mind that PowerShell isn’t the only thing that can experience problems if you enable multifactor authentication across the board. Certain types of mail clients can also have problems, as can third-party applications designed to interact with the Microsoft 365 ecosystem.
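Before setting the switch to Yes, a practitioner usually wants to know what legacy authentication is still in use, because that is exactly what security defaults will block. The script below is an added example, not code from the article: it reads the current state of the security defaults switch, scans the Azure AD sign-in log for clients that did not use modern authentication, and only enables security defaults when explicitly asked and when nothing would break. It assumes the Microsoft Graph PowerShell SDK is installed (the Microsoft.Graph module) and that the signed-in admin can consent to the listed scopes.

```powershell
# Added example (not from the article): pre-flight check before turning on security defaults.
# Assumes: Install-Module Microsoft.Graph -Scope CurrentUser has been run, and the
# signed-in administrator can grant the scopes requested below.

param(
    [int]$LookbackDays = 30,          # how far back to scan the sign-in log
    [switch]$EnableSecurityDefaults   # the switch is only flipped when this is passed
)

Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess", "AuditLog.Read.All", "Directory.Read.All"

# 1. Current state of the single switch the article describes.
$securityDefaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
Write-Host "Security defaults currently enabled: $($securityDefaults.IsEnabled)"

# 2. Find sign-ins that used legacy authentication in the lookback window.
#    Security defaults block these protocols, so every hit is a script, mail
#    client or integration that will stop working once the switch is set to Yes.
$since = (Get-Date).AddDays(-$LookbackDays).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$modernClients = @("Browser", "Mobile Apps and Desktop clients")

$legacySignIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.ClientAppUsed -and ($modernClients -notcontains $_.ClientAppUsed) }

# One row per user and client type, most active first.
$summary = $legacySignIns |
    Group-Object UserPrincipalName, ClientAppUsed |
    ForEach-Object {
        [pscustomobject]@{
            User      = $_.Group[0].UserPrincipalName
            ClientApp = $_.Group[0].ClientAppUsed
            SignIns   = $_.Count
            LastSeen  = ($_.Group | Sort-Object CreatedDateTime -Descending)[0].CreatedDateTime
        }
    } | Sort-Object SignIns -Descending

if ($summary) {
    Write-Warning "Legacy authentication is still in use; these will break when security defaults are enabled:"
    $summary | Format-Table -AutoSize
} else {
    Write-Host "No legacy authentication sign-ins found in the last $LookbackDays days."
}

# 3. Enable only when asked, and only when nothing still depends on legacy auth.
if ($EnableSecurityDefaults) {
    if ($summary) {
        throw "Refusing to enable security defaults while legacy authentication is in use. Migrate or replace those clients first."
    }
    Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$true
    Write-Host "Security defaults enabled. Users will be asked to register for multifactor authentication at their next sign-in."
}
```

Run it once without `-EnableSecurityDefaults` to get the report, fix or replace whatever shows up (for scripts, that usually means moving to a modern-auth module such as the Graph SDK), then run it again with the switch. Note that the sign-in log is exposed through Graph only for tenants with an Azure AD Premium license; without one, the same client-app information is visible in the portal's Sign-in logs blade.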
Microsoft’s recommendation is that smaller organizations go ahead and enable the security defaults. However, larger organizations, or those organizations with complex security requirements, are usually going to be better off using something called Conditional Access.
Using Conditional Access
Conditional Access is another way of enabling multifactor authentication but gives you a lot more granularity than what you have with the security defaults. Rather than applying a policy globally across your entire organization, you can carve out exceptions so that only certain users are subject to your multifactor authentication requirements. It is worth noting, however, that in order to use Conditional Access you are going to need an Azure AD Premium license.
To create a Conditional Access policy, click on the Security tab, followed by the Policies tab. Now, just click the New Policy button, and follow the prompts. You can see what the Conditional Access Policies page looks like in the figure below.
An in-depth discussion of Conditional Access policies is beyond the scope of this article. Still, I wanted to mention that Conditional Access policies allow you to do more than just enable or disable multifactor authentication for certain users. Conditional Access can be used to define conditions that act as a way of establishing trust. (For a detailed guide to Conditional Access in Microsoft Azure, click here.)
To show you how this works, let’s suppose for a moment that the place where you work has really good physical security. As such, if a user is logging in from a device connected to your network, you can be relatively sure that the user is who they claim to be just by the fact that they are physically present in your office. Yes, I know that one user could log in as another user by using stolen credentials, but that isn’t really the point of what I am about to show you. The point is that your office is a trusted location, and Azure AD allows you to define it as such. Conditional Access gives you the option of creating a named location (usually based on an IP address range) and treating that location as trusted. You can see what this looks like in the next figure.
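The same two steps shown in the figures, a trusted named location followed by a policy that requires multifactor authentication everywhere except that location, can be scripted. The block below is an added example and is not code from the article: it creates the named location from an IP range, then creates the policy in report-only mode so that its effect can be reviewed in the sign-in log before anyone is locked out. It assumes the Microsoft Graph PowerShell SDK and an Azure AD Premium license; the office CIDR and the emergency-access account are placeholders you must replace.

```powershell
# Added example (not from the article): trusted named location plus a report-only
# Conditional Access policy requiring MFA outside that location.
# Assumes: Microsoft.Graph module installed, Azure AD Premium licensed tenant.

param(
    [string]$OfficeCidr    = "203.0.113.0/24",                          # placeholder: your office egress range
    [string]$BreakGlassUpn = "emergency-access@yourtenant.onmicrosoft.com"  # placeholder: account that must never be locked out
)

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "User.Read.All"

# 1. Define the office as a trusted named location (the article's last figure).
$locationBody = @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Headquarters office"
    isTrusted     = $true
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = $OfficeCidr }
    )
}
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter $locationBody

# 2. Look up the emergency-access account so it can be excluded from the policy.
#    A global MFA requirement with no exclusion is how admins lock themselves out.
$breakGlass = Get-MgUser -Filter "userPrincipalName eq '$BreakGlassUpn'"
if (-not $breakGlass) {
    throw "Break-glass account $BreakGlassUpn not found; refusing to create a policy with no exclusion."
}

# 3. Require MFA for all users on all cloud apps, except from the trusted location.
#    Report-only state logs what the policy would have done without enforcing it,
#    which is where the scripts and mail clients the article warns about show up.
$policyBody = @{
    displayName   = "Require MFA outside trusted office network (report-only)"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("All") }
        locations      = @{ includeLocations = @("All"); excludeLocations = @($location.Id) }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $policyBody

Write-Host "Created named location '$($location.DisplayName)' ($($location.Id))"
Write-Host "Created policy '$($policy.DisplayName)' in state $($policy.State)"
```

After a few days of report-only results look clean, change `state` to `enabled` (in the portal or with `Update-MgIdentityConditionalAccessPolicy`). Unlike the security defaults switch, this policy leaves legacy authentication alone; if you also want it blocked, that is a separate Conditional Access policy targeting legacy client app types.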
In most situations, going ahead and enabling the security defaults is probably going to be fine. However, if you have complex security requirements, or if you already have an Azure AD Premium license, then you are probably better off using Conditional Access instead.
Featured image: Designed by Stories / Freepik