
How to Set Up MFA on Microsoft 365


Cybergate IT Team
MFA blocks over 99.9% of account compromise attacks – it is the single most important security control for Microsoft 365.

Multi-Factor Authentication (MFA) requires users to verify their identity with a second factor – typically a push notification on their phone – in addition to their password. Even if an attacker steals or guesses a user’s password, they cannot log in without also having the user’s phone. This guide covers enabling MFA organisation-wide and the steps individual users follow to register.

Enable MFA Before a Breach, Not After

Microsoft reports that organisations without MFA are over 50 times more likely to experience account compromise. Every Microsoft 365 account without MFA is a liability. Enable it for all users, starting with admin accounts.

Part 1: Admin – Enable MFA for the Organisation

There are two approaches. Security Defaults is simpler and suitable for most SMEs. Conditional Access offers more control and requires Microsoft 365 Business Premium or higher.

Option A: Enable Security Defaults (Recommended for SMEs)

Step 1: Enable Security Defaults

Go to admin.microsoft.com and sign in with a Global Administrator account. Navigate to Azure Active Directory > Properties. Scroll to the bottom and click Manage Security Defaults.

In the panel that opens, set Enable Security Defaults to Yes. Click Save.

Security Defaults enforces:

  • MFA registration required for all users
  • MFA required for all administrator logins
  • MFA required when Microsoft detects risky sign-ins
  • Legacy authentication protocols blocked (POP3, IMAP, basic auth)

Blocking Legacy Authentication May Break Some Apps

If your organisation uses apps that connect via IMAP, POP3 or basic authentication (some older email clients, third-party integrations), enabling Security Defaults will break them. Test in a small group first or switch to Conditional Access for more granular control.

Option B: Conditional Access (Business Premium and above)

Step 2: Create a Conditional Access Policy

In the Microsoft 365 admin centre, go to Security > Conditional Access > Policies > New policy.

  • Name: Require MFA for all users
  • Users: All users (or select specific groups)
  • Cloud apps: All cloud apps
  • Grant: Require multi-factor authentication

Set the policy to On and save. Users will be required to complete MFA on their next sign-in.
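The same "Require MFA for all users" policy can be created from the command line. This is an added example, not part of the original article; it uses the Microsoft Graph PowerShell SDK (cmdlet names as documented for the Microsoft.Graph module) and assumes the module is installed and you sign in as a Global Administrator. The break-glass object id is a placeholder you must supply.

```powershell
# Added example: create the Conditional Access policy from Part 1, Option B.
# Requires: Install-Module Microsoft.Graph (run once), Global Administrator sign-in.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Conditional Access and Security Defaults are mutually exclusive: a policy cannot be
# switched On while Security Defaults is enabled, so check that state first.
$defaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($defaults.IsEnabled) {
    Write-Warning "Security Defaults is enabled. Disable it (Azure AD > Properties > Manage Security Defaults) before enabling this policy."
}

# Placeholder (not on the page): object id of one emergency-access account to exclude,
# so a lost or broken MFA method cannot lock every administrator out. Leave $null to skip.
$breakGlassId = $null

$users = @{ includeUsers = @("All") }                     # Users: All users
if ($breakGlassId) { $users.excludeUsers = @($breakGlassId) }

$policy = @{
    displayName   = "Require MFA for all users"            # Name
    state         = "enabled"                              # On; "enabledForReportingButNotEnforced" = report-only pilot
    conditions    = @{
        users        = $users
        applications = @{ includeApplications = @("All") }  # Cloud apps: All cloud apps
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")                          # Grant: Require multi-factor authentication
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy '$($created.DisplayName)' (id $($created.Id)), state: $($created.State)"
```

Pilot with the report-only state on a small group first if legacy clients are in use, then switch the state to enabled.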

Access MFA settings through the Microsoft 365 admin centre under Azure Active Directory.

Part 2: User – Register MFA Methods

Step 3: Go to the MFA Registration Page

Each user must register their MFA method. Direct users to: aka.ms/mfasetup

Sign in with the Microsoft 365 work account. The system will prompt to set up additional security verification. Click Next.

Step 4: Install Microsoft Authenticator App

On the user’s smartphone, download Microsoft Authenticator:

  • iPhone: App Store > search Microsoft Authenticator > Install
  • Android: Google Play > search Microsoft Authenticator > Install

On the registration page, select Authenticator app as the method. Click Download now for instructions, then click Next.

Step 5: Scan the QR Code

Open the Microsoft Authenticator app on the phone. Tap the + button to add an account. Select Work or school account. Tap Scan a QR code.

Point the phone camera at the QR code displayed on the computer screen. The account will be added automatically. Click Next on the computer.

A test notification will be sent to the phone. Approve it on the Authenticator app. Click Next to complete registration.

Step 6: Add a Backup Method

After registering the Authenticator app, add a phone number as a backup method. Click Add sign-in method and select Phone. Enter a Malaysian mobile number in international format: +60 12-345 6789. Choose SMS or call. Enter the verification code received to confirm.

Having two registered methods ensures users can still authenticate if they change phones or lose access to the Authenticator app.
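An admin can check from the registration report which users have not completed Steps 3 to 6, and which have registered only one method and so have no backup. This is an added example, not code from the article; it assumes the Microsoft.Graph module is installed and the signed-in admin holds a role such as Global Reader or Reports Reader.

```powershell
# Added example: find users who have not registered MFA, or have no backup method.
Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All"

# One record per user: UserPrincipalName, IsMfaRegistered and MethodsRegistered
# (method names such as microsoftAuthenticatorPush, mobilePhone, email).
$details = @(Get-MgReportAuthenticationMethodUserRegistrationDetail -All)

# @() keeps an empty result as an empty array so .Count is reliable.
$notRegistered = @($details | Where-Object { -not $_.IsMfaRegistered })
$singleMethod  = @($details | Where-Object {
    $_.IsMfaRegistered -and @($_.MethodsRegistered).Count -lt 2
})

Write-Host ("{0} of {1} users have not registered MFA:" -f $notRegistered.Count, $details.Count)
$notRegistered | Sort-Object UserPrincipalName |
    Select-Object UserPrincipalName, UserType | Format-Table -AutoSize

Write-Host ("{0} users have only one method registered (no backup):" -f $singleMethod.Count)
$singleMethod | Sort-Object UserPrincipalName |
    Select-Object UserPrincipalName, @{ n = 'Methods'; e = { $_.MethodsRegistered -join ', ' } } |
    Format-Table -AutoSize

# Export both lists for follow-up with the users concerned.
($notRegistered + $singleMethod) |
    Select-Object UserPrincipalName, IsMfaRegistered, @{ n = 'Methods'; e = { $_.MethodsRegistered -join ', ' } } |
    Export-Csv -Path .\mfa-registration-gaps.csv -NoTypeInformation
```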

Part 3: Test the MFA Login

Step 7: Verify MFA Is Working

Sign out of Microsoft 365 completely. Open a browser in incognito/private mode and go to office.com. Enter the email address and password as usual. After entering the password, a prompt will appear asking to Approve the request in the Authenticator app, or to enter a 6-digit code from the app.

Approve on the phone. Access is granted. MFA is working correctly.

MFA Is Now Active

Any sign-in from an unrecognised device or location will require MFA approval. Staff should be briefed not to approve Authenticator notifications they did not initiate themselves – an unexpected approval request means someone is trying to access their account.

Need IT Help in Malaysia?

Cybergate provides Microsoft 365 support for businesses across Malaysia. Our team is available Monday to Saturday, 9am to 6pm.

Frequently Asked Questions

Multi-Factor Authentication (MFA) and Two-Factor Authentication (2FA) refer to the same concept – requiring more than one form of verification to sign in. MFA is the broader term that can include two or more factors. In Microsoft 365, MFA typically means a password plus an approval from the Microsoft Authenticator app or an SMS code.

The IT admin can reset a user’s MFA methods in the Microsoft 365 admin centre. Go to Users > Active Users, select the user, click Manage multifactor authentication and choose Reset. The user will be prompted to register new MFA methods on their next login. For this reason, it is good practice to have users register two methods (app + phone number).

Yes, using Conditional Access in Microsoft 365. You can require MFA for admins only, for external access only, for specific applications like SharePoint or for all users. Conditional Access requires Microsoft 365 Business Premium, E3 or higher. For Business Basic or Standard, Security Defaults enforces MFA for all users.

MFA blocks over 99.9% of automated account compromise attacks according to Microsoft. It does not protect against all phishing attacks (adversary-in-the-middle phishing can bypass app-based MFA) but it eliminates the risk of pure password attacks. Combined with DMARC, email filtering and security awareness training, MFA is the most impactful single security control for Microsoft 365.

Cybergate IT Team
Managed IT support for Malaysian businesses since 2014. Microsoft Partner · Fortinet Technology Partner.
