Secure Microsoft 365: Master MFA & Access Control
Microsoft 365
Dec 22, 2023 6:30 PM


by HubSite 365 about Jonathan Edwards


Explore MFA, Security Defaults & Conditional Access for Microsoft 365—Enhance Your Business Security Today!

Key insights


Exploring Microsoft 365 Multi-Factor Authentication (MFA) Options

Ensuring the security of Microsoft 365 is essential, with multi-factor authentication (MFA) as a key method of protection. There are three MFA implementation modes: Per User, Security Defaults, and Conditional Access, which help safeguard your business from unauthorized access.

Multi-factor authentication (MFA) adds a robust layer of security by requiring multiple verification methods to confirm a user's identity. Security Defaults provide basic, pre-configured security settings, which include enforcing MFA, blocking outdated authentication, and requiring strong passwords.

Conditional Access offers advanced, customizable security measures based on user location, device, or risk level. With Conditional Access, businesses can establish intricate security policies that cater to their unique requirements.

  • MFA is easy to implement, requiring verification from all users in Azure AD Basic and Premium P1.
  • Security Defaults offer fundamental protection and are activated by default but can be further customized in Azure AD.
  • Conditional Access needs Azure AD Premium P2 or E5 and provides tight control over resource access by setting specific policies.

While MFA suits all organizations, Security Defaults and Conditional Access are better for businesses with particular security concerns.

Understanding Microsoft 365 MFA Strategies

MFA is a critical security feature that protects users by asking for multiple forms of identification before granting access to services and applications. Microsoft 365 advocates the use of MFA to strengthen account security. By enforcing additional verification steps, MFA significantly reduces the chances of unauthorized account access.

Security Defaults are the ideal starting point for organizations seeking a hassle-free security upgrade, implementing essential measures without additional configuration. However, larger or more security-sensitive organizations may turn to Conditional Access policies. These policies give the flexibility to define fine-grained access control based on specific conditions, providing a tailored security posture that aligns with the organization's risk management strategy.

In summary, Microsoft 365 offers a range of MFA approaches to fit various security needs and priorities.


Jonathan Edwards dives deep into the subject of Microsoft 365 multifactor authentication (MFA) and its different implementations for businesses in his YouTube video. He examines three main ways to secure Microsoft 365 with MFA: Per user, Security defaults, and Conditional Access. The video is structured to help viewers understand which option might be best for their business needs.

These protective measures include Multi-factor authentication (MFA), which is vital for thwarting unauthorized access by requiring multiple verification steps. Security defaults provide a preset layer of protection against common cyber threats. Meanwhile, Conditional Access delivers fine-tuned control over resource access based on criteria like user location and device risk level.

Comparing the three, MFA stands as a basic defense, requiring multiple proofs of identity. Security defaults ensure a baseline security stance without extra setup effort. On the other hand, Conditional Access entails crafting tailored policies for heightened data safety, though it's more complex to manage.

Here's a quick comparison to clarify key differences:

  • Purpose: MFA thwarts unauthorized account access, Security defaults offer basic protection, and Conditional Access provides advanced controls.
  • Complexity: MFA is straightforward, Security defaults are user-friendly, and Conditional Access demands more intricate management.
  • Cost: All three are free with certain Azure AD plans, though Conditional Access needs a premium subscription.


MFA, a strong security step, is mandatory in Azure AD's basic plans. For those seeking simple solutions, Security defaults are enabled by default in Azure AD, with scope for additional adjustments. Conditional Access, while requiring a premium plan, grants granular policy application for specific scenarios or threats.

Each business has its own needs; where MFA is universally advisable, the choice between Security defaults and Conditional Access depends on the company's specific security requirements. Jonathan Edwards hopes his insights assist you in making an informed decision.



MFA, Security Defaults, and Conditional Access Explained

We all understand the need to secure Microsoft 365 with multi-factor authentication (MFA). Different businesses will have distinct requirements for implementing MFA. In today's session, we explore the three principal methods to enable MFA.

The options for implementing MFA include:

  • Per user
  • Security defaults
  • Conditional Access

MFA, security defaults, and conditional access are vital in safeguarding your organization. They consist of layers that verify a user's identity and offer protection against unauthorized access.

MFA combines two or more verification factors, making it tough for attackers to compromise multiple credentials. It's a trusted method to secure your system against unauthorized entry.

Security defaults provide baseline security settings to shield accounts from prevalent threats. They encompass mandatory MFA for users, blocking outdated authentication methods, and ensuring robust passwords.

A more nuanced tool is conditional access. It lets you fine-tune access based on user location, device used, or perceived risk level, enabling tailored security protocols that fit your company's precise requirements.

In brief, the differences between these security methods are:

  • Purpose: MFA safeguards accounts; security defaults offer baseline protection; conditional access gives detailed security controls.
  • Complexity: MFA is straightforward; security defaults are user-friendly; conditional access requires more intricate management.
  • Cost: MFA has no charge; security defaults have no extra cost for Azure AD Basic or Premium P1 users; conditional access needs Azure AD Premium P2 or E5.

MFA serves as a basic yet effective defense for accounts, required for Azure AD Basic and Premium P1 users. It's adaptable, integrating with Azure AD and other MFA-supporting applications.

For those who seek a fundamental layer of security without the complexity of detailed policies, security defaults are ideal. These are active by default for Azure AD Basic and Premium P1, but you can adjust settings for finer control.

Conditional access stands as a robust barrier against various threats and is essential for Azure AD Premium P2 or E5. It allows for nuanced policies like enforcing MFA for selected users, restricting access based on geography or IP, and mandating compliant devices.
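To see which of these modes actually protects a tenant, the following added example (not from the video or this page) audits policy data in the JSON shape Microsoft Graph returns for Conditional Access policies. The `assess` helper and the sample policies are constructed for illustration; only the Graph field names and values are real.

```python
import json

# Constructed sample, shaped like Microsoft Graph conditionalAccessPolicy objects.
# Display names and the excluded object ID are placeholders, not real tenant data.
SAMPLE_POLICIES = json.loads("""[
 {"displayName": "Require MFA for all users", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"],
                           "excludeUsers": ["00000000-0000-0000-0000-0000000000aa"]},
                 "applications": {"includeApplications": ["All"]},
                 "clientAppTypes": ["all"]},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
 {"displayName": "Block legacy authentication",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                 "applications": {"includeApplications": ["All"]},
                 "clientAppTypes": ["exchangeActiveSync", "other"]},
  "grantControls": {"operator": "OR", "builtInControls": ["block"]}}
]""")

LEGACY_CLIENTS = {"exchangeActiveSync", "other"}

def assess(security_defaults_enabled, policies):
    """Report which MFA mode is in force and which tenant-wide gaps remain."""
    if security_defaults_enabled:
        # As the page states, security defaults enforce MFA and block outdated auth.
        return {"mode": "security_defaults", "mfa_all_users": True,
                "legacy_auth_blocked": True, "mfa_exclusions": [], "report_only": []}
    out = {"mode": "none", "mfa_all_users": False, "legacy_auth_blocked": False,
           "mfa_exclusions": [], "report_only": []}
    for p in policies:
        if p["state"] == "enabledForReportingButNotEnforced":
            out["report_only"].append(p["displayName"])  # logged only, not enforced
        if p["state"] != "enabled":
            continue
        out["mode"] = "conditional_access"
        cond, grant = p["conditions"], p.get("grantControls") or {}
        controls = grant.get("builtInControls", [])
        tenant_wide = ("All" in cond["users"].get("includeUsers", []) and
                       "All" in cond["applications"].get("includeApplications", []))
        clients = set(cond.get("clientAppTypes", []))
        # MFA is only guaranteed when it is the sole control or controls are AND-ed.
        mfa_required = "mfa" in controls and (len(controls) == 1 or
                                              grant.get("operator") == "AND")
        if tenant_wide and mfa_required and "all" in clients:
            out["mfa_all_users"] = True
            out["mfa_exclusions"] += cond["users"].get("excludeUsers", [])
        if tenant_wide and "block" in controls and LEGACY_CLIENTS <= clients:
            out["legacy_auth_blocked"] = True
    return out
```

On the sample data the audit reports Conditional Access with tenant-wide MFA, one excluded account to review, and legacy authentication still unblocked because that policy is in report-only state.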

In summary, while all organizations will benefit from MFA, the selection between security defaults and conditional access should be dictated by your specific security demands. It's crucial to evaluate which option aligns best with your business objectives.



People also ask

How do I change the security defaults in Office 365?

To change the security defaults in Office 365, you need to be an admin and go to the Azure portal. Once there, navigate to Azure Active Directory, and then to Properties. At the bottom of the Properties page, you’ll find the option to manage security defaults. Here, you can enable or disable security defaults, which include preconfigured security settings recommended by Microsoft.

How do I change the default MFA authentication in Office 365?

The default Multi-Factor Authentication (MFA) method for Office 365 can be changed in the Microsoft 365 admin center. Users can be directed to sign in, go to the My Account page, click on Security Info, and change or add a new MFA method. Users can choose from various options like a phone call, text message, app notification, and more.

Is Microsoft forcing security defaults?

Microsoft is not exactly forcing security defaults, but it is strongly recommending them and can automatically enable them for new tenants. Security defaults are designed to provide a basic security level for organizations that might otherwise not configure the necessary security measures. They are a free solution for any Microsoft 365 subscription.

What is the difference between security defaults and Conditional Access MFA?

Security defaults and Conditional Access MFA are both security features within Microsoft 365 designed to enhance protection. The main difference is that security defaults are a set of predefined settings that are meant to be easy to deploy for general security, while Conditional Access allows for more granular control over how and when MFA is applied based on various conditions such as user role, location, device state, and application sensitivity.


