How to Set Up MFA for Microsoft 365 (Step-by-Step)

Overview

Multi-factor authentication (MFA) is the single most effective security control you can deploy. Microsoft reports that MFA blocks 99.9% of automated account compromise attacks. As of February 2026, Microsoft requires MFA for all admin access to the Microsoft 365 admin center.

This guide walks you through the three ways to enable MFA, from simplest to most flexible, and covers user enrollment with Microsoft Authenticator and passkeys.

Which Method Should You Use?

Method 1: Conditional Access (Recommended)

Step 1 — Create a break-glass account

Before enabling any MFA policies, create an emergency access account that is excluded from all Conditional Access policies. This prevents lockout if MFA systems fail.

1. Go to Microsoft Entra admin center (entra.microsoft.com) > Users > Create new user
2. Give it a name like BreakGlass-Admin
3. Assign the Global Administrator role
4. Set a long, complex password and store it in a physical safe
5. Do not enable MFA on this account
6. Set up an alert rule to notify you if this account is used

Step 2 — Create the Conditional Access policy

1. Go to entra.microsoft.com > Protection > Conditional Access > Create new policy
2. Name: Require MFA — All Users
3. Users: All users → Exclude your break-glass account
4. Target resources: All cloud apps
5. Grant: Require multi-factor authentication

For the strongest protection, use Authentication strengths instead of the basic MFA grant:

1. Under Grant, select Require authentication strength
2. Choose Phishing-resistant MFA (requires passkeys, FIDO2, or Windows Hello)
3. Or choose Multifactor authentication for the standard requirement

Step 3 — Start in Report-Only mode

Set the policy to Report-only first. Review sign-in logs for 1-2 weeks to identify any users or apps that would be blocked, then switch to On.

Step 4 — Block legacy authentication

Create a second policy to block clients that cannot support MFA:

1. Name: Block Legacy Authentication
2. Users: All users (exclude break-glass)
3. Target resources: All cloud apps
4. Conditions > Client apps: Select Exchange ActiveSync clients and Other clients
5. Grant: Block access

Method 2: Security Defaults (Quick Setup)

If you do not have a Conditional Access licence, Security Defaults enables MFA for all users with zero configuration.

1. Go to entra.microsoft.com > Identity > Overview > Properties
2. Click Manage security defaults
3. Set Security defaults to Enabled

This enforces:

• MFA registration for all users
• MFA challenge when signing in from a new device or location
• Block of legacy authentication protocols

Setting Up Microsoft Authenticator (User Guide)

Share these instructions with your users after enabling MFA.

Step 1 — Install the app

Download Microsoft Authenticator from:

• iOS: App Store
• Android: Google Play

Step 2 — Add your work account

1. Open the Authenticator app
2. Tap + > Work or school account > Scan QR code
3. Sign in to your Microsoft 365 account in a browser
4. When prompted to set up MFA, scan the QR code shown on screen
5. Approve the test notification on your phone

Step 3 — Enable number matching

Number matching is enabled by default since May 2023. When you approve a sign-in:

1. The sign-in screen displays a two-digit number
2. Your phone shows a prompt asking you to enter that number
3. Type the number and tap Yes

This prevents MFA fatigue attacks where someone approves a prompt they did not initiate.

Setting Up Passkeys (Strongest Option)

Passkeys are phishing-resistant because they are bound to a specific website — they cannot be tricked into authenticating to a fake login page.

Option A: Device-bound passkey (Windows Hello)

1. Sign in to mysignins.microsoft.com
2. Click Add sign-in method > Passkey (Windows Hello)
3. Follow the Windows Hello prompts (fingerprint, face, or PIN)
4. The passkey is stored on your Windows device's TPM

Option B: FIDO2 security key (hardware key)

1. Purchase a FIDO2 key (YubiKey 5 series, Google Titan, or Feitian)
2. Sign in to mysignins.microsoft.com
3. Click Add sign-in method > Security key
4. Insert the key and follow the prompts
5. Set a PIN for the key

Option C: Passkey in Authenticator (cross-device)

1. Open Authenticator > your work account > Set up passkey
2. Follow the prompts to register a passkey stored in the app
3. Works across devices — no hardware key needed

Verifying MFA Coverage

Check enrollment status

1. Go to entra.microsoft.com > Protection > Authentication methods > User registration details
2. Review which users have registered MFA methods
3. Filter by "MFA capable" = No to find unregistered users

Check enforcement via sign-in logs

1. Go to entra.microsoft.com > Monitoring > Sign-in logs
2. Add column: Conditional Access
3. Filter: Conditional Access = "Success" to see MFA-enforced sign-ins
4. Filter: Conditional Access = "Failure" to see blocked attempts

PowerShell report

# Connect to Microsoft Graph
Connect-MgGraph -Scopes "UserAuthenticationMethod.Read.All"

# Get all users and their registered MFA methods
Get-MgUser -All | ForEach-Object {
    $methods = Get-MgUserAuthenticationMethod -UserId $_.Id
    [PSCustomObject]@{
        User    = $_.DisplayName
        UPN     = $_.UserPrincipalName
        Methods = ($methods | ForEach-Object { $_.AdditionalProperties['@odata.type'] -replace '#microsoft.graph.', '' }) -join ', '
        Count   = $methods.Count
    }
} | Sort-Object Count | Format-Table -AutoSize

Troubleshooting

Next Steps

• Set up Conditional Access policies for device compliance and location-based access
• Configure self-service password reset (SSPR) to reduce helpdesk tickets
• Enable Microsoft Entra ID Protection for risk-based MFA challenges
• Audit and remove any remaining app passwords