How to Enable and Enforce MFA for All Users in Microsoft 365

This guide explains how to enable and enforce Multi-Factor Authentication (MFA) for all Microsoft 365 users using app-based push, Security Defaults, or Conditional Access. It provides practical steps to strengthen identity security, meet compliance, and ensure a smooth rollout for every user.
Table of contents
Introduction: Why Enforcing MFA for All Users is Critical in 2025
What is Multi-Factor Authentication in Microsoft 365? (And Why App-Based Push MFA is Best)
MFA in Microsoft 365 (Security Defaults vs Conditional Access)
Why Enforce MFA for All Users
Preparation: Before You Enforce MFA (Prerequisites & Best Practices)
Administrative Prerequisites
User Communication Plan
Rollout Strategy
Backup & Contingency
Enforce MFA for All Users via Security Defaults
Steps to Enable Security Defaults
What Happens Next
Tips for Security Defaults
Enforce MFA for All Users via Conditional Access Policy
How to enforce MFA through Conditional Access Policies (CAPs)
Post-Enforcement: Monitoring and Maintenance
Automate MFA Monitoring
User Feedback & Support
Maintaining MFA Settings
Continuous Improvement
Why Trust Penthara Technologies for Microsoft 365 MFA Enablement?
Conclusion & Next Steps
FAQs & Troubleshooting Common Issues

Introduction: Why Enforcing MFA for All Users is Critical in 2025

Cyberattacks are everywhere.
The good news? 99.9% of account hacks can be stopped with MFA.

Still, many companies rely only on passwords. And that’s why we keep seeing big breaches that could have been prevented.

In 2025, MFA is no longer optional.
It’s now a must for every Microsoft 365 user.

This guide shows you how to enable and enforce MFA for all users in Microsoft 365 using app-based push notifications.

Why now?

  • Microsoft is requiring MFA in more places.
  • The shift to Microsoft Entra ID has raised the bar for identity security.
  • Compliance rules like HIPAA, GDPR, and SOC 2 expect MFA for all logins.

This isn’t just a “click here, click there” tutorial.
You’ll also learn the pitfalls to avoid and the best practices that actually work.

By the end, you’ll have a clear, step-by-step plan to lock down Microsoft 365.

What is Multi-Factor Authentication in Microsoft 365? (And Why App-Based Push MFA is Best)

Multi-Factor Authentication (MFA) means you need two or more ways to prove who you are.
For example: something you know (password) + something you have (phone app approval).

Classic factors include:

  • Knowledge: password or PIN
  • Possession: phone or security key
  • Inherence: fingerprint or face recognition

In Microsoft 365, MFA usually looks like password + Microsoft Authenticator code or a push notification.

Why App-Based Push MFA is Better

Instead of typing codes, app-based push MFA sends a notification to your device that you just approve.
It’s faster, easier, and harder for attackers to phish. Features like number matching make it even safer.

Microsoft 365 supports SMS, phone calls, OATH tokens, and apps.
But push notifications are the most secure and now the default in Security Defaults.

MFA in Microsoft 365 (Security Defaults vs Conditional Access)

Microsoft has been pushing tenants to adopt MFA.
New tenants now get Security Defaults enabled by default, Exchange Online basic auth was disabled in 2022, and as of Oct 2024, MFA is mandatory for privileged roles.

Methods to Enforce MFA in Microsoft 365

  1. Security Defaults
    A one-click, free solution.
    Every user must register MFA via an authenticator app, with a 14-day grace period. Simple, but all-or-nothing.
  2. Conditional Access Policies
    Granular control using Entra ID (formerly Azure AD) Premium P1 or P2.
    You can require MFA for all users, specific groups, or conditions.
    You can even enforce specific methods via authentication strengths. Powerful, but requires premium licenses.

Quick compare: Security Defaults = easy; Conditional Access = flexible and enterprise-ready.
That is the key decision when choosing between Security Defaults and Conditional Access for MFA enforcement.

Security Defaults vs Conditional Access (CA) at a glance

License required
  • Security Defaults: none (free).
  • Conditional Access: Entra ID P1 (or higher).

Pros
  • Security Defaults:
    1. One switch enables MFA for all users.
    2. Blocks legacy authentication automatically.
    3. Good for small orgs and new tenants.
  • Conditional Access:
    1. Granular: can exclude accounts and set conditions.
    2. Many MFA options, including authentication strengths.
    3. Scalable for the enterprise.

Cons
  • Security Defaults:
    1. No exceptions allowed.
    2. The 14-day window may be abrupt for some users.
    3. No conditional logic (on or off only).
  • Conditional Access:
    1. Requires premium licenses.
    2. Needs planning to avoid lockouts (use report-only mode first).
    3. More complex setup.

Enforces app-based push?
  • Security Defaults: yes (only the Authenticator app or an OATH token is allowed).
  • Conditional Access: yes (if configured to allow only the app, or by using an authentication strength).

Why Enforce MFA for All Users

Partial deployment leaves gaps.
Threat actors often target the least-protected accounts.
Even one user without MFA can trigger a breach.
Microsoft Secure Score recommends all users register MFA.

Licensing Notes

  • Security Defaults: free, available on all plans
  • Conditional Access: Entra ID (formerly Azure AD) Premium P1 required
  • MFA registration campaigns / Identity Protection: Entra ID (formerly Azure AD) Premium P2 required

All Microsoft 365 plans include basic MFA capability.
So even Microsoft 365 Business Standard users can secure accounts using Security Defaults.

Preparation: Before You Enforce MFA (Prerequisites & Best Practices)

Before you flip the switch on MFA, a little prep goes a long way.

Administrative Prerequisites

  • Make sure you have the right admin role: Global Admin or Conditional Access Admin.
  • Decide your enforcement method: Security Defaults (free, simple) or Conditional Access (requires Entra ID Premium licenses).
  • Identify accounts to exclude, like break-glass admin accounts or service accounts. Microsoft recommends keeping at least two break-glass accounts exempted.
  • Admins should be notified whenever a user logs in to break-glass accounts to detect any unusual activity. This helps ensure that any potentially unauthorized or suspicious access is quickly identified and investigated.
  • Check for legacy authentication usage (older Office versions, POP/IMAP).
    Once MFA is enforced, legacy auth will be blocked automatically.

Pro tip: Query the Entra ID sign-in logs (filter on the client app) or run a script to find users still on legacy authentication, and update their clients in advance.
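One way to do that query, as an added example that is not from the original post: Microsoft Graph PowerShell pulls the last 30 days of sign-ins per legacy protocol and summarises them per user. It assumes Entra ID P1/P2 (which keeps 30 days of sign-in logs) and that the client-app names below match current Microsoft documentation.

```powershell
# Added example (not from the original post): report users who signed in with
# legacy (basic) authentication protocols in the last 30 days, using the Entra
# sign-in logs via Microsoft Graph PowerShell. Assumption: Entra ID P1/P2, which
# keeps 30 days of sign-in logs (the free tier keeps 7).
Import-Module Microsoft.Graph.Reports
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All' -NoWelcome

# Client app names Entra reports for legacy authentication; verify against the
# current Microsoft documentation, as the list can change.
$legacyClients = @(
    'Authenticated SMTP', 'Autodiscover', 'Exchange ActiveSync',
    'Exchange Online PowerShell', 'Exchange Web Services', 'IMAP4',
    'MAPI Over HTTP', 'Offline Address Book', 'Other clients',
    'Outlook Anywhere (RPC over HTTP)', 'Outlook Service', 'POP3',
    'Reporting Web Services', 'Universal Outlook'
)

$since = (Get-Date).ToUniversalTime().AddDays(-30).ToString('yyyy-MM-ddTHH:mm:ssZ')

# One server-side query per protocol keeps each result set small instead of
# downloading every sign-in in the tenant and filtering locally.
$legacySignIns = foreach ($client in $legacyClients) {
    Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since and clientAppUsed eq '$client'"
}

# Summarise per user and protocol so each owner can be moved to modern auth
# before enforcement blocks the client.
$report = $legacySignIns |
    Group-Object UserPrincipalName, ClientAppUsed |
    ForEach-Object {
        $latest = $_.Group | Sort-Object CreatedDateTime -Descending | Select-Object -First 1
        [pscustomobject]@{
            User        = $latest.UserPrincipalName
            Protocol    = $latest.ClientAppUsed
            Attempts    = $_.Count
            Succeeded   = @($_.Group | Where-Object { $_.Status.ErrorCode -eq 0 }).Count
            LastSeenUtc = $latest.CreatedDateTime
            LastIp      = $latest.IPAddress
        }
    } |
    Sort-Object LastSeenUtc -Descending

if ($report) {
    $report | Format-Table -AutoSize
    $report | Export-Csv -Path .\legacy-auth-users.csv -NoTypeInformation
} else {
    'No legacy authentication sign-ins in the last 30 days.'
}
```

Users with a non-zero Succeeded count are the ones whose mail clients or scripts will stop working the day MFA (and with it the legacy-auth block) is enforced.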

User Communication Plan

  • Send an email explaining what MFA is and why it matters (security + compliance).
  • Tell users what to do: install Microsoft Authenticator app and approve push notifications.
  • Consider a short training or share a quick guide.

Frame it positively: MFA is there to protect their accounts, not just a policy.

Rollout Strategy

  • Don’t enable MFA for everyone at once.
  • Pilot with IT or a small department first, iron out issues, then expand.
  • Time the rollout when IT can support extra requests – not right before deadlines.

Backup & Contingency

  • Ensure emergency access via pre-exempted accounts in case someone gets locked out.
  • Plan for service accounts or users without smartphones.

Preparation prevents headaches.
It keeps users happy, avoids lockouts, and ensures a smooth app-based push MFA setup in Microsoft 365.

Enforce MFA for All Users via Security Defaults

Security Defaults are a predefined set of security settings in Entra ID.
They require all users to register for MFA using the Microsoft Authenticator app.

Perfect for smaller orgs or those without premium licenses, Security Defaults are free and simple.

Limitations? You cannot exclude users or fine-tune conditions.

If your tenant doesn’t have Conditional Access capabilities, Security Defaults are likely already enabled by default.

(Screenshot: Microsoft Entra admin center showing Security defaults enabled in tenant properties. These are the Security Defaults settings that are automatically enabled when no Conditional Access policies are configured.)

Steps to Enable Security Defaults

  1. Sign in to the Microsoft Entra admin center as a Global Admin (or at least the Conditional Access Administrator role).
  2. In the left-hand menu, go to Entra ID > Overview > Properties.
     (Screenshot: Microsoft Entra admin center with the Properties tab highlighted.)
  3. Scroll down to the Security Defaults section and choose Manage Security Defaults.
  4. In the pane that appears, set Security Defaults to Enabled.
     (Screenshot: Enabled option highlighted in the Security defaults drop-down menu.)
  5. Click Save and confirm it’s enabled – Microsoft will start requiring MFA for all users.

What Happens Next

  • Users who haven’t set up MFA will be prompted to register at next login.
  • They have 14 days to complete registration; after that, login requires MFA.
  • Only Authenticator app push or code is allowed; SMS and voice are blocked.
  • Admins must do MFA every login; regular users get prompts when necessary (new device, risky sign-in).
  • Legacy authentication is blocked automatically, protecting your environment - but may break old scripts or Outlook clients.

Tips for Security Defaults

  • If some accounts cannot do MFA (old devices, service accounts), consider Conditional Access instead.
  • Ensure modern authentication is enabled to avoid issues with older clients.
  • To switch later, just toggle Security Defaults off and move to Conditional Access.

Security Defaults offer a quick, straightforward solution.
It’s ideal for small businesses or anyone who wants to enforce MFA for all Microsoft 365 users using Security Defaults.
And by default, it enforces app-based push MFA, making your environment more secure.

Enforce MFA for All Users via Conditional Access Policy

Who should use Conditional Access for MFA?

  • If your organization has complex security requirements or must comply with specific security standards, use Conditional Access to enforce Multi-Factor Authentication (MFA) for all users.
  • Conditional Access offers more flexibility and control over how and when MFA is required, helping you meet your unique security needs.
  • Organizations with Microsoft Entra ID P1 or P2 licenses should prefer Conditional Access, as security defaults are likely insufficient for advanced security scenarios.

Why Do Large Companies Choose Conditional Access for MFA?

  • Customizable: Target specific users, groups, or roles.
  • Context-aware: Apply MFA based on location, device, or risk level.
  • App-specific: Enforce MFA only for sensitive applications.
  • Risk-based access: Respond to sign-in risk dynamically.
  • Better reporting: Detailed logs and insights for compliance.
  • Exclusions possible: Exclude service or break-glass accounts.
  • Improved user experience: Avoid unnecessary MFA prompts.
  • Scalable: Ideal for medium to large organizations.

How to enforce MFA through Conditional Access Policies (CAPs):

You must disable Security Defaults before enabling Conditional Access policies for MFA in Microsoft Entra ID.

(Screenshot: Security defaults set to Disabled, with the reason “planning to use Conditional Access” selected.)

Steps:
  1. Go to the Microsoft Entra admin center → https://entra.microsoft.com
     (Tip: Sign in as at least a Conditional Access Administrator.)
  2. Navigate to Protection > Conditional Access > Policies.
  3. Click + New policy.
     (Screenshot: Microsoft Entra admin center Conditional Access > Policies page with the option to create a new policy.)
  4. Name it something like ‘Multifactor authentication for Microsoft’.
  5. Configure Assignments:
    • Under Include, select All users.
    • Under Exclude, select Users and groups:
      • Choose your organization's emergency access or break-glass accounts.
      • If you use hybrid identity solutions like Microsoft Entra Connect or Microsoft Entra Connect Cloud Sync, select Directory roles, then select Directory Synchronization Accounts.
    • Under Target resources > Include, select All resources (formerly 'All cloud apps').
     (Tip: Microsoft recommends that all organizations create a baseline Conditional Access policy that targets all users and all resources, with no app exclusions, and requires multifactor authentication.)
  6. Under Access controls > Grant, select Grant access, then select Require multifactor authentication.
     (Screenshot: Conditional Access policy grant control requiring multifactor authentication.)
  7. Confirm your settings and set Enable policy to Report-only.
  8. Select Create to create your policy.
     (After administrators evaluate the report-only results, they can move the Enable policy toggle from Report-only to On.)
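The same baseline policy built with Microsoft Graph PowerShell, as an added example that is not part of the original post: it refuses to run while Security Defaults are still on, excludes a break-glass group (the group name SG-EmergencyAccess is an assumption) and the Directory Synchronization Accounts role, and creates the policy in Report-only mode.

```powershell
# Added example (not from the original post): create the baseline policy described
# in the steps above with Microsoft Graph PowerShell, in Report-only mode.
# Assumption: the break-glass accounts are members of the group named below.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Groups
$scopes = @('Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All',
            'Group.Read.All', 'Directory.Read.All')
Connect-MgGraph -Scopes $scopes -NoWelcome

$breakGlassGroupName = 'SG-EmergencyAccess'   # assumed name; use your own group

# Security Defaults and Conditional Access cannot be active at the same time.
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($sd.IsEnabled) {
    throw 'Security Defaults are still enabled. Disable them first, then re-run.'
}

# Resolve the exclusion group; stop if it is missing or ambiguous so the policy
# can never be created without a break-glass exclusion.
$group = Get-MgGroup -Filter "displayName eq '$breakGlassGroupName'"
if (@($group).Count -ne 1) {
    throw "Expected exactly one group named '$breakGlassGroupName', found $(@($group).Count)."
}

# Role template for 'Directory Synchronization Accounts', looked up rather than
# hard-coded. Excluded only when the template exists in the tenant.
$dirSync = Get-MgDirectoryRoleTemplate |
    Where-Object DisplayName -eq 'Directory Synchronization Accounts'
$excludeRoles = @()
if ($dirSync) { $excludeRoles = @($dirSync.Id) }

$policy = @{
    displayName   = 'Multifactor authentication for Microsoft'
    state         = 'enabledForReportingButNotEnforced'      # Report-only
    conditions    = @{
        users = @{
            includeUsers  = @('All')
            excludeGroups = @($group.Id)
            excludeRoles  = $excludeRoles
        }
        applications = @{
            includeApplications = @('All')   # All resources, no app exclusions
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')           # Require multifactor authentication
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
'Created "{0}" ({1}) in state {2}' -f $created.DisplayName, $created.Id, $created.State

# After reviewing the report-only results in the sign-in logs, enforce with:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id `
#     -BodyParameter @{ state = 'enabled' }
```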

Post-Enforcement: Monitoring and Maintenance

Once MFA is enforced, monitoring adoption is key.
Check Entra ID Sign-in logs for MFA errors – see which users are having trouble.

Use Entra ID reports or Microsoft Secure Score to track compliance.
Secure Score shows “MFA for all users” improvement and lists non-compliant users.

You can also use Azure Monitor or Workbooks to visualize MFA trends.
See success vs failures over time and ensure adoption meets expectations.

Automate MFA Monitoring

To make monitoring easier, we’ve built a Power Automate Flow that tracks MFA method registration changes.
It uses Microsoft Graph API to check for any changes every 30 minutes and sends email alerts to both admins and end users when a change is detected.
This ensures users and administrators are promptly informed of any updates to MFA methods, helping to quickly identify potential security issues.

Quick Tip: Set up the flow immediately after enabling MFA to start monitoring new registrations and changes.
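A script equivalent of that flow, as an added example that is not the post’s own Power Automate flow: run it every 30 minutes from a scheduled task, and it snapshots each user’s registered methods from the Graph registration report, diffs against the previous run, and ranks a user dropping to “not MFA registered” as the change most worth investigating. It assumes Entra ID P1 (required by the report) and a writable snapshot path; alert delivery is left as a comment.

```powershell
# Added example (not from the original post): a scheduled-task equivalent of the
# 30-minute flow described above. It snapshots every user's registered MFA methods
# from the Graph registration report, diffs against the previous snapshot, and
# returns the changes for alerting. Assumptions: Entra ID P1 (the report requires
# it) and a writable snapshot path; delivery of the alert is left as a comment.
Import-Module Microsoft.Graph.Reports
Connect-MgGraph -Scopes 'AuditLog.Read.All' -NoWelcome

$snapshotPath = Join-Path $env:ProgramData 'MfaMonitor\registration.json'   # assumed

# Current state: UPN -> MFA flag and a sorted, comma-joined list of methods.
$current = @{}
Get-MgReportAuthenticationMethodUserRegistrationDetail -All | ForEach-Object {
    $current[$_.UserPrincipalName] = [pscustomobject]@{
        IsMfaRegistered = [bool]$_.IsMfaRegistered
        Methods         = (@($_.MethodsRegistered) | Sort-Object) -join ','
    }
}

# Previous state, if a snapshot exists (the first run only records a baseline).
$previous = @{}
if (Test-Path $snapshotPath) {
    (Get-Content $snapshotPath -Raw | ConvertFrom-Json).PSObject.Properties |
        ForEach-Object { $previous[$_.Name] = $_.Value }
}

$allUsers = @($current.Keys) + @($previous.Keys) | Sort-Object -Unique
$changes = foreach ($upn in $allUsers) {
    $old = $previous[$upn]
    $new = $current[$upn]
    if ($null -eq $old)                    { $kind = 'NewUser' }
    elseif ($null -eq $new)                { $kind = 'UserRemoved' }
    elseif ($old.Methods -ne $new.Methods) { $kind = 'MethodsChanged' }
    else                                   { continue }

    # A user who ends up "not MFA registered" (method removed or replaced) is
    # ranked above simple additions.
    $severity = 'Info'
    if ($new -and -not $new.IsMfaRegistered) { $severity = 'High' }

    [pscustomobject]@{
        User     = $upn
        Change   = $kind
        Before   = $(if ($old) { $old.Methods } else { '' })
        After    = $(if ($new) { $new.Methods } else { '' })
        Severity = $severity
    }
}

# Write the new snapshot only after the report was read successfully.
New-Item -ItemType Directory -Path (Split-Path $snapshotPath) -Force | Out-Null
$current | ConvertTo-Json -Depth 3 | Set-Content -Path $snapshotPath -Encoding utf8

if ($changes) {
    $changes | Sort-Object Severity, User | Format-Table -AutoSize
    # Deliver $changes to admins and the affected users, e.g. with Send-MgUserMail.
} else {
    'No MFA registration changes since the last run.'
}
```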

User Feedback & Support

Collect feedback from users after rollout.
Are they struggling with the app? Do they understand the new process?
Prepare helpdesk answers (FAQs) for common MFA push notification issues.

Maintaining MFA Settings

  • If a user loses a phone or gets a new device, reset their MFA registration in Entra ID (Authentication methods blade).
  • Periodically review exclusion accounts to ensure break-glass accounts remain secure.
  • Stay updated on new MFA features like Number Matching, which helps prevent push fatigue.

For more advanced configurations, consider setting up MFA policies that apply only to unmanaged devices to enhance security.

Continuous Improvement

Once MFA is stable, consider moving toward passwordless authentication (FIDO2 keys, etc.).
MFA is just the first step in building a stronger security posture.

Monitoring and maintenance turns MFA from a setup task into a reliable, ongoing protection.
This ensures your Microsoft 365 environment stays secure and users stay supported.

Why Trust Penthara Technologies for Microsoft 365 MFA Enablement?

  • Microsoft Security Specialists: Proven expertise in deploying secure authentication solutions across Microsoft 365 and Entra ID.
  • Certified & Experienced Team: Our consultants hold advanced Microsoft certifications and have hands-on experience with Security Defaults, Conditional Access, and app-based push MFA.
  • Compliance-Driven Approach: We help you meet regulatory requirements (HIPAA, GDPR, SOC 2) with robust, enterprise-grade MFA strategies.
  • Seamless Rollout & Support: From planning and pilot to full deployment and ongoing monitoring, we guide you through every step - minimizing disruption and maximizing security.
  • Continuous Improvement: We don’t just set up MFA - we help you monitor, optimize, and evolve your security posture with advanced features and best practices.

Ready to protect every Microsoft 365 user with secure, app-based MFA?

Schedule a free consultation today and let our experts design, deploy, and support the right MFA solution for your organization.

Conclusion & Next Steps

By enforcing MFA for all users in Microsoft 365 - especially with app-based push notifications - you’ve dramatically improved your organization’s security.
Remember: 99.9% of common account attacks can be blocked with MFA.

We’ve seen companies transform their security almost overnight by rolling out MFA.
Yes, there may be some initial hiccups, but the payoff is huge: lower risk of breaches and higher user security awareness.

Next Steps

  • Explore passwordless authentication (FIDO2 keys, Windows Hello) as a future upgrade.
  • Keep monitoring and updating policies. Security is ongoing - use Entra ID reports and MFA logs.
  • Educate users continuously. Consider phishing simulations to reinforce good habits.

Additionally, explore strategies to prevent sensitive file downloads on mobile devices to protect your data.

MFA isn’t just a checkbox - it’s a shield for your users and data, and tools like this flow make maintaining security even simpler.

FAQs & Troubleshooting Common Issues

Q1: How to enforce app-based push MFA for all users in Microsoft 365?
A: Use Security Defaults for a quick setup (forces all users to register with Authenticator in 14 days) or Conditional Access for granular control. Limit allowed methods to app notifications to enforce push MFA.

Q2: What is app-based push MFA and how do I enable it?
A: It sends a login approval request to the user’s Authenticator app instead of SMS or codes. Enable MFA via Security Defaults or Conditional Access, then guide users to select “Receive notifications for verification” during setup.

Q3: Can I require Authenticator push as the only MFA method?
A: Yes. Use Entra ID Authentication Methods Policy to disable SMS/voice, leaving only Authenticator app options. Combine with Conditional Access to enforce push for all logins.

Q4: How do I enforce MFA via app push using Conditional Access?
A: Create a Conditional Access policy targeting all users and apps, choose Require MFA, and limit allowed methods to Authenticator app push. Test first in report-only mode, then enable fully.

Q5: Which licensing is needed for app-based push MFA?
A: Basic MFA works with any plan. For Conditional Access, Entra ID Premium P1 is required; for registration campaigns or risk-based policies, Premium P2 is needed.

Q6: How to launch an MFA registration campaign for app push?
A: In Entra ID portal: Identity Protection > MFA Registration Campaign, target all users, and specify Microsoft Authenticator. Users get reminders until registration is complete.

Q7: Users aren’t receiving Authenticator push notifications – what now?
A: Check app installation, notifications enabled, and internet connectivity. Confirm device isn’t restricted (e.g., China). Re-register MFA if needed. Ensure Conditional Access or network rules aren’t blocking notifications.

Q8: Users get too many MFA prompts (fatigue) – any tips?
A: Enable remembered devices, use Conditional Access to only prompt for risky sign-ins, turn on Number Matching to prevent blind approvals, and educate users on expected MFA behavior.

Q9: Can certain users be excluded?
A: Security Defaults: no exclusions. Conditional Access: yes, for break-glass or service accounts only. Never exclude normal users - MFA for all is the goal.

Q10: Does enabling MFA log users out?
A: Not immediately. Users are prompted at next login or token refresh. Notify users to expect login prompts during rollout.

Q11: Users without smartphones – what to do?
A: Use fallback options like hardware tokens or limited SMS for exceptional cases. Educate users on why the app is more secure.

Q12: Some old apps stopped working after MFA – why?
A: Likely legacy authentication. Update apps to support modern auth or use app passwords temporarily. Phase out legacy apps when possible.

Q13: How do I turn on MFA for all users in Office 365 / Teams?
A: Enable Security Defaults or use Conditional Access policies targeting all users. Security Defaults is fastest for small orgs; Conditional Access is better for fine-tuned control.

Q14: How to check if MFA is enabled for all users?
A: Check Entra ID Sign-in logs, Secure Score, or MFA reports in Entra ID. It shows who is compliant and who still needs setup.

Q15: Is MFA mandatory in Microsoft 365?
A: For admins and privileged roles, yes. Microsoft is pushing MFA for all users, and regulations like HIPAA and GDPR increasingly expect it. Security Defaults enforce it by default for new tenants.

Q16: Is Microsoft MFA enabled by default?
A: New tenants: Security Defaults are enabled by default, requiring MFA via the Authenticator app. Existing tenants need manual activation.

About the Author

Jasjit Chopra, CEO at Penthara Technologies

Jasjit Chopra is the CEO of Penthara Technologies and a Microsoft Most Valuable Professional (MVP) with over two decades of hands-on experience in Microsoft 365, SharePoint, and Security. He has led 100+ digital transformation projects across six countries, securing 50,000+ users, migrating 250+ TB of data, and automating processes that save organizations thousands of hours each year. A recognized leader at the crossroads of AI, security, and workplace modernization, Jasjit is passionate about simplifying complexity, mentoring technology professionals, and helping businesses build secure, intelligent, and future-ready digital environments.
