Microsoft Office 365 MFA Setup: What Admins Need to Know

In November 2024, Microsoft announced that multi-factor authentication (MFA) would become mandatory for all administrator accounts across Microsoft 365 (formerly Office 365), Azure, and Intune. Starting in 2025, admins without MFA enabled will no longer be able to access Microsoft’s admin portals.

This rollout is happening in phases at the tenant level, and administrators who haven’t yet configured MFA will need to update their settings to stay compliant. This post explains how to set up Office 365 MFA to meet Microsoft’s new requirements and maintain access to critical services.

Backup for Microsoft 365 Data


Use the NAKIVO solution to back up Microsoft 365 data in Exchange Online, Teams, OneDrive and SharePoint Online for uninterrupted workflows and zero downtime.

What Is Multi-Factor Authentication (MFA) in Microsoft 365?

Multi-factor authentication (MFA) is a security process that authenticates users in a system using more factors than just a password. MFA requires using multiple forms of authentication, including:

  • Something you know (password).
  • Something you have (a security key, a phone with an SMS confirmation code or a smartphone with an authenticator application).
  • Something you are (fingerprint or face recognition).

For Microsoft 365 MFA, a password and a smartphone authenticator application are required; SMS codes are deprecated. Once an administrator enters a password, the authenticator app (linked to the account by scanning a QR code) is used to finish authentication by entering a one-time number code on the smartphone.

Why Microsoft Enforces MFA for Admin Accounts

Microsoft believes that multi-factor authentication can reduce the number of compromised accounts. An administrator account is the most important and is a prime target for cyberattacks since it has access to all users and settings within an organization (tenant). If an administrative account is hacked, the data of all users is compromised. Microsoft 365 MFA significantly reduces this risk.

Office 365 two-factor authentication can help block almost 99.9% of attacks. Brute force, credential stuffing, phishing and social engineering techniques are much less effective when MFA is enabled. Even if an attacker gets the admin’s credentials, it is impossible to log in without the second-factor confirmation that requires the admin’s device.

In addition to the Microsoft 365 admin center, the cloud applications affected by this policy include:

  • Azure portal
  • Microsoft Entra admin center
  • Microsoft Intune admin center
  • Azure command-line interface (Azure CLI)
  • Azure PowerShell
  • Azure mobile app
  • Infrastructure as Code (IaC) tools
  • REST API (Control Plane)
  • Azure SDK

To access these resources, administrators must enable multi-factor authentication and finish Microsoft 365 MFA setup.

How to Set Up and Comply with Microsoft 365 Mandatory MFA

Administrators must enable Microsoft 365 MFA manually in tenants created before 2019. In tenants that started their Microsoft 365 subscription after 2019, MFA for administrators should already be enabled through security defaults (unless security defaults were disabled manually). Note that once mandatory Microsoft 365 MFA is in force for all tenants, administrators will not be able to log in without MFA. Regular users can continue to use their passwords as a conventional authentication method when logging in to Microsoft 365 services.

Security defaults are Microsoft-enforced baseline policies to protect all users, and they include MFA for admins. These settings are enabled by default in new tenants.

When the phase of implementing mandatory Microsoft 365 MFA reaches your organization, the administrator will receive the following warning message when trying to log in to the admin center using the web interface:

To enhance security, Microsoft requires Multifactor authentication (MFA) when signing into the Azure portal, Microsoft Entra admin center, and Microsoft Intune admin center. You will now be redirected to complete the MFA sign-in process.

If you are not ready to satisfy MFA requirements, you can postpone enforcement for Organization_name (organization unique ID) tenant.

There are two options:

  • Sign in with MFA
  • Postpone MFA

If you click Postpone MFA, the Microsoft 365 MFA enforcement date will be in one month or September 30, 2025 (whichever is earlier).

The warning message is also sent via email to a Microsoft 365 administrator in the organization.

To enable security defaults for all Microsoft 365 users in your organization:

  1. Sign in to the Azure portal as a global administrator, security administrator or Conditional Access administrator.
  2. Go to Microsoft Entra ID and hit Properties.
  3. Click Manage security defaults.
  4. Set Security defaults to Enabled.
  5. Click Save.
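The same check and change can be made from a shell. The following is an added example, not code from the original post or from NAKIVO: it uses the Microsoft Graph PowerShell SDK to read the tenant's security defaults state and enable it when it is off. It assumes the Microsoft.Graph module is installed and that the signed-in account holds a role allowed to edit security defaults (Global Administrator or Security Administrator).

```powershell
# Added example (not from the original post): inspect and enable security defaults
# through Microsoft Graph PowerShell instead of the Entra ID portal.
# Assumes: Install-Module Microsoft.Graph has been run, and the signed-in account
# is a Global Administrator or Security Administrator.
Connect-MgGraph -Scopes "Policy.ReadWrite.SecurityDefaults"

# Read the tenant-wide security defaults enforcement policy.
$policy = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy

if ($policy.IsEnabled) {
    Write-Host "Security defaults are already enabled; MFA for admin roles is enforced."
} else {
    Write-Host "Security defaults are disabled. Enabling them now..."
    # Note: this call is rejected if the tenant already has Conditional Access
    # policies, because security defaults and Conditional Access are mutually exclusive.
    Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled
    $policy = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
    Write-Host ("Security defaults enabled: {0}" -f $policy.IsEnabled)
}
```

Run the block once from an admin workstation; re-running it is harmless because it only writes when the policy is currently disabled. If the update is rejected, the tenant is using Conditional Access, and MFA for administrators should be enforced with a Conditional Access policy rather than security defaults.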

To enable Microsoft 365 MFA only for specific users, such as administrators, you can use the per-user MFA method in your directory.

  1. Log in to the Microsoft Entra admin center as an administrator (at least an Authentication Administrator).
  2. Go to Identity > Users > All users.
  3. Click Per-user MFA.
  4. When the page listing users and their MFA state opens, select the users whose MFA status you want to change and update it.

To enable Microsoft 365 MFA only for specific Microsoft 365 users, rather than for all Microsoft cloud services, follow these steps:

  1. Log in to the Microsoft 365 admin center as an administrator.
  2. Open the multi-factor authentication settings: click Users, then Active users.
  3. Click Multi-Factor Authentication at the top of the Active Users page to open Microsoft 365 MFA settings.
  4. Select users for whom you want to enable MFA (users with administrative privileges, in this context) by selecting the appropriate checkboxes.
  5. Once done, click Enable in the Quick Steps area. Confirm the action when a confirmation message appears to enable MFA for Microsoft 365 administrators and selected users.

If you have already enabled multi-factor authentication for administrative accounts, no further actions are required.

If you have enabled MFA for specific users, you do not need to enable security defaults as well to enforce MFA for administrators (there is no need to use both methods at once).

Once Microsoft finishes enrolling mandatory MFA for admin accounts for all tenants and the transition period expires (at the end of 2025), it will be impossible to log in to admin portals without MFA for Microsoft 365 administrators.
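Before the postponement window closes, it is worth knowing which administrators have actually registered an MFA method, regardless of which of the enablement methods above was used. The following is an added example, not code from the original post or from NAKIVO: it reads the Entra ID authentication methods registration report through Microsoft Graph PowerShell and lists admin accounts that have no MFA method registered. It assumes the Microsoft.Graph module is installed and that the signed-in account can read the report (for example Global Reader, Reports Reader or an admin role).

```powershell
# Added example (not from the original post): find admin accounts that would be
# locked out of the admin portals once mandatory MFA reaches the tenant.
# Assumes: Install-Module Microsoft.Graph has been run, and the signed-in account
# is allowed to read the authentication methods registration report.
Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All"

# The registration report flags accounts holding a directory role (isAdmin) and
# records whether any MFA-capable method is registered for them.
$admins = Get-MgReportAuthenticationMethodUserRegistrationDetail -Filter "isAdmin eq true" -All

# Split the admin population into ready and not-ready sets.
$ready    = $admins | Where-Object { $_.IsMfaRegistered }
$notReady = $admins | Where-Object { -not $_.IsMfaRegistered }

Write-Host ("Admin accounts: {0}, with MFA registered: {1}, without: {2}" -f `
    $admins.Count, $ready.Count, $notReady.Count)

# Show who still needs to enrol and which methods (if any) they already have.
$notReady |
    Select-Object UserPrincipalName,
                  @{ Name = 'Methods'; Expression = { $_.MethodsRegistered -join ', ' } } |
    Sort-Object UserPrincipalName |
    Format-Table -AutoSize

# Keep a record for follow-up; the path is a placeholder, change it as needed.
$notReady | Select-Object UserPrincipalName, IsMfaRegistered, IsMfaCapable |
    Export-Csv -Path ".\admins-without-mfa.csv" -NoTypeInformation
```

Every account in the "not ready" list is an administrator who will see the redirect-and-postpone warning described above and, after the enforcement date, will be unable to sign in to the admin portals until an authenticator method is registered. Running the report again after the affected admins have enrolled confirms the tenant is ready.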

Benefits of Mandatory MFA in Microsoft 365

Administrators and users may find Microsoft 365 MFA adds some friction at sign-in; however, the benefits are far greater. Keep in mind that configuring multi-factor authentication in Microsoft 365 does not incur extra costs.

Microsoft 365 MFA allows organizations and their administrators to avoid the following negative consequences:

  • Data breaches. Stealing an organization’s data can be devastating for the business. If malicious actors access emails, financial information, or individual users’ data, they can use this for more personalized attacks.
  • Losing access. After getting administrative access to a Microsoft account, an attacker can change the credentials, making it impossible for the real account owner to log in and retrieve their data.
  • Financial loss. A compromised account can cause downtime (operational disruption), data loss, ransom payments and legal (compliance) issues. Reputational loss is a significant factor that impacts customer relations and reduces revenue.

Mandatory Microsoft 365 MFA helps organizations using Microsoft cloud services meet regulatory and compliance requirements (including GDPR, HIPAA, ISO 27001, NIST SP 800-63, etc.). Most of these regulations require multi-factor authentication.

How NAKIVO Supports Microsoft 365 Data Protection

NAKIVO Backup & Replication is a dedicated data protection solution that supports Microsoft 365 backup. It allows you to back up your data, easily recover it and quickly resume operations in case of a disruption, disaster or ransomware attack.

NAKIVO Backup & Replication includes the following features for Microsoft 365 backup and recovery:

  • Backups of Exchange Online, OneDrive for Business, SharePoint Online and Microsoft Teams.
  • Full and granular recoveries (specific objects, such as user accounts, emails, OneDrive files, SharePoint sites or Microsoft Teams chats). You can select the needed method for your specific recovery scenario.
  • Data encryption is used when transferring Microsoft 365 backup data over the network and when storing it in a backup repository.
  • You can store Microsoft 365 backup copies locally or in the cloud.
  • NAKIVO Backup & Replication supports two-factor authentication when accessing the solution’s web interface. Together with Microsoft 365 MFA, it increases the overall security.
  • Immutable backups ensure that ransomware cannot modify or delete Microsoft 365 data.
  • The flexible retention settings in the NAKIVO solution allow you to use backup storage optimally and keep the needed recovery points for specified periods.

Conclusion

Enabling Office 365 two-factor authentication is no longer optional for administrators; it’s a requirement to maintain access and protect critical cloud services. By setting up MFA, admins can comply with Microsoft’s new security policies and reduce the risk of unauthorized access. Taking action now ensures a smooth transition before enforcement is fully rolled out. To strengthen your security posture further, consider implementing a Microsoft 365 backup solution alongside MFA.

Try NAKIVO Backup & Replication


Get a free trial to explore all the solution’s data protection capabilities. 15 days for free. Zero feature or capacity limitations. No credit card required.
