In this blog post, I am sharing a few tips on the Microsoft 365 MFA policy and how to enable it using the new admin center. The Microsoft 365 MFA policy is the evolution of the previous Microsoft Azure MFA and Office 365 MFA, and it is actually built on the same components. However, the new admin center gives you a more flexible and easier way to implement it.


Cloud / Business Shared Responsibility

A lot of people and organizations believe they are safe once they move to the cloud. Unfortunately this is not true; several companies have been breached in the cloud. Back to the fundamentals: we need to think of the shared responsibility between us and the cloud provider. First of all, you need to understand which model you are subscribed to in the cloud. For example, in the SaaS (Software as a Service) model your responsibility is the users and the data. Accordingly, all your focus will have a direct impact on users (identity) and your data, and on how to secure both of them. That is where things like Microsoft 365 MFA or Microsoft Azure MFA come into play.


Cloud Shared Responsibility


Why do I need MFA Nowadays?

I think the right question is: can I live without MFA? Identity protection is one of the main challenges in the cloud business model. All our users now log in from any device, platform, OS and location. Although this model provides mobility and productivity, it introduces a lot of security concerns. In this multi-device, always-connected world, passwords are no longer enough. Regardless of how long and complex your password is, it can be revealed through phishing attacks or social engineering.

Relying on a password alone is scary, especially with people who rarely change their password scheme. If your password is lost, all access and resources are lost with it. Because of this we need MFA (Multi-Factor Authentication), for example Microsoft 365 MFA or Microsoft Azure MFA. MFA offers another layer of security on top of the traditional password: you need to know your password and also have your mobile phone, either to receive an SMS code or to use a time-based token app such as Microsoft Authenticator.

Applying and enabling MFA used to be a very complex and costly process, but one of the benefits of the cloud is that you can leverage the existing MFA infrastructure as a service and enable the Microsoft 365 MFA policy across your organization. This policy helps enforce MFA, detect non-compliant users and take action on risky ones.


How can I enable Microsoft 365 MFA policy?

Configuring the Microsoft 365 MFA policy is super easy with the new admin center compared to the old days of Microsoft Azure MFA. First of all, I log in to the Office 365 portal and then click on the Admin tab. If the new admin center is not enabled, you will find a toggle switch in the top right to enable it.

Secondly, you need to click on the Setup button as shown below. The Microsoft 365 MFA policy is at the top of the Setup settings.


Microsoft 365 MFA Policy



The next page gives you some useful information on MFA: what it protects and which compliance requirements are met by enabling it. Finally, it is as simple as clicking Get started to enable the Microsoft 365 MFA policy.


Turn on Microsoft 365 MFA policy



Next come the policy details. Do you want to enable it for admins only or for all users? Is there any user that you would like to exclude? Maybe your break-glass account! I explain that later in this post. Finally, you can customize a few settings in your Microsoft 365 MFA policy, or just create the policy and you are done.


Microsoft 365 MFA policy settings and exceptions



However, if you click on Customize policies you are directed, as shown below, to Azure Conditional Access. Remember that all these policies were previously configured from Microsoft Azure MFA.
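To make the scoping choices from the policy page concrete (admins only versus all users, plus an exclusion list for the break-glass account), here is an added Python model of that decision. It is example code written for this post, not Microsoft's own policy engine; the user names and domain are constructed, and the review thresholds are assumptions. It follows the Conditional Access rule that an exclusion always wins over an inclusion.

```python
from dataclasses import dataclass

# Constructed sample directory for the example (not real accounts).
@dataclass(frozen=True)
class User:
    upn: str
    is_admin: bool

DIRECTORY = [
    User("alice@contoso.example", is_admin=True),
    User("bob@contoso.example", is_admin=False),
    User("breakglass@contoso.example", is_admin=True),  # emergency access account
]

def normalize(upns):
    """UPNs are case-insensitive; compare them in lower case."""
    return frozenset(u.lower() for u in upns)

@dataclass(frozen=True)
class MfaPolicy:
    scope: str                         # "admins" (admins only) or "all" (all users)
    excluded: frozenset = frozenset()  # UPNs excluded from MFA, e.g. the break-glass account

    def requires_mfa(self, user: User) -> bool:
        # Exclusions take precedence over inclusions, as in Conditional Access.
        if user.upn.lower() in self.excluded:
            return False
        if self.scope == "all":
            return True
        if self.scope == "admins":
            return user.is_admin
        raise ValueError(f"unknown policy scope {self.scope!r}")

def evaluate(policy: MfaPolicy, users) -> dict:
    """Map each UPN to whether this policy will challenge that user for MFA."""
    return {u.upn: policy.requires_mfa(u) for u in users}

def review_policy(policy: MfaPolicy, users) -> list:
    """Sanity checks a defender would run before creating the policy.

    Thresholds here are assumptions for the example, not Microsoft guidance.
    """
    findings = []
    known = {u.upn.lower() for u in users}
    if not policy.excluded:
        findings.append("no excluded account: an MFA outage would lock out every admin")
    for upn in sorted(policy.excluded):
        if upn not in known:
            findings.append(f"excluded account {upn} does not exist in the directory")
    if len(policy.excluded) > 2:
        findings.append("more than two excluded accounts: each one bypasses MFA entirely")
    return findings

if __name__ == "__main__":
    policy = MfaPolicy("admins", normalize(["BreakGlass@contoso.example"]))
    print(evaluate(policy, DIRECTORY))
    print(review_policy(policy, DIRECTORY))
```

Running it with the admins-only scope challenges alice but not bob, and leaves the break-glass account unchallenged even though it is an admin; switching the scope to "all" challenges bob too while the exclusion still holds.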


Microsoft Azure MFA conditional Access


Break the Glass Account


So, we mentioned earlier excluding one or more accounts to be used as break-glass accounts. The name comes from breaking the glass to pull the fire alarm during a fire. It means these accounts are used only during a disaster, and guess what: that disaster might be MFA itself being down. In the beginning I mentioned that moving to the cloud does not make you bulletproof. Disasters happen and sometimes you need a backup plan. For example, imagine all your accounts are using Microsoft 365 MFA or Microsoft Azure MFA and the service goes down. This means all your users, including admins, are unable to log in. That is the benefit of having an account excluded from MFA and from every other policy (just a normal username and password).


This account is kept in a safe or an electronic vault and never used except in an emergency. However, you should always protect this account with compensating controls. Some organizations create a use case in their SIEM (Security Information and Event Management) solution that triggers an alert whenever this account is used to log in, for example. This account should never be used except in disaster situations.
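The SIEM use case above, as an added example that is not part of the original post: a detection rule that raises a high-severity alert on any sign-in attempt, successful or failed, by a break-glass account. The records below are constructed for the example and only loosely modelled on Azure AD sign-in log fields (userPrincipalName, createdDateTime, ipAddress, appDisplayName, status.errorCode); the account name and IP addresses are placeholders.

```python
import json

# The excluded emergency access account(s). Constructed name for the example.
BREAK_GLASS_ACCOUNTS = frozenset({"breakglass@contoso.example"})

# Constructed sign-in records, one JSON object per line. errorCode 0 means success;
# a non-zero code means the sign-in failed (the value used here is illustrative).
SAMPLE_SIGNIN_LOG = """
{"createdDateTime": "2020-01-15T08:01:12Z", "userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.10", "appDisplayName": "Office 365 Exchange Online", "status": {"errorCode": 0}}
{"createdDateTime": "2020-01-15T08:02:40Z", "userPrincipalName": "bob@contoso.example", "ipAddress": "203.0.113.11", "appDisplayName": "Microsoft Teams", "status": {"errorCode": 0}}
{"createdDateTime": "2020-01-15T23:17:05Z", "userPrincipalName": "BreakGlass@contoso.example", "ipAddress": "198.51.100.7", "appDisplayName": "Azure Portal", "status": {"errorCode": 0}}
{"createdDateTime": "2020-01-16T02:44:51Z", "userPrincipalName": "breakglass@contoso.example", "ipAddress": "198.51.100.9", "appDisplayName": "Azure Portal", "status": {"errorCode": 50126}}
"""

def parse_signins(text: str) -> list:
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            events.append(json.loads(line))
    return events

def detect_break_glass_use(events, accounts=BREAK_GLASS_ACCOUNTS) -> list:
    """Alert on every sign-in attempt by a break-glass account.

    Both successes and failures are reported: a failed attempt against an account
    that is never supposed to be used is just as interesting as a successful one.
    """
    watched = {a.lower() for a in accounts}
    alerts = []
    for ev in events:
        upn = ev.get("userPrincipalName", "").lower()
        if upn not in watched:
            continue
        code = ev.get("status", {}).get("errorCode", 0)
        alerts.append({
            "severity": "high",
            "rule": "break-glass-account-signin",
            "user": upn,
            "time": ev.get("createdDateTime"),
            "ip": ev.get("ipAddress"),
            "app": ev.get("appDisplayName"),
            "outcome": "success" if code == 0 else f"failure (errorCode {code})",
        })
    return alerts

def run_rule(text: str = SAMPLE_SIGNIN_LOG) -> list:
    """Convenience wrapper: parse the log and run the detection over it."""
    return detect_break_glass_use(parse_signins(text))

if __name__ == "__main__":
    for alert in run_rule():
        print(json.dumps(alert))
```

Over the sample log the rule produces two alerts, one for the successful portal sign-in and one for the failed attempt, and nothing for the ordinary users. Matching is case-insensitive because UPNs are, so a differently cased login of the same account cannot slip past the rule.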



In this blog post I explained how you can easily enable your Microsoft 365 MFA policy to protect your identities. The key thing to always remember is your side of the cloud/customer shared responsibility model. Check whether you are using SaaS, IaaS or PaaS, think about what you are responsible for and how to protect it. I am using the Microsoft 365 MFA policy and Microsoft Azure MFA, but use any tool you are comfortable with; just always start by securing identities.