Multi-factor Authentication (MFA) via Security Defaults enforced on tenants by Microsoft (status)

Hi all,


- Security Defaults is enabled by default on all newly created Microsoft 365 tenants.

Microsoft has started enforcing Multi-factor Authentication (MFA) on all tenants.

- MFA will not be enforced on tenants using Conditional Access policies (at least one Azure AD Premium P1 license is required to be able to use Conditional Access policies).

- Self-service password reset (SSPR) will enforce Multi-factor Authentication on all accounts (and the break-glass account), but SSPR can be disabled.

Please check >Health > Message center regarding notification.

- Security Defaults requires all users to register for MFA within 14 days; however, users can postpone this registration. After 14 days, they will be forced to do the registration; however, this happens during interactive sign-ins.

- If a user doesn't perform the MFA registration and a bad actor figures out the user's password, they can register their phone or authentication app as an MFA method.


It is recommended:

- to use MFA company-wide because this security feature prevents 99.9% of attacks on your accounts.

- to revoke existing tokens to require all users to register for multifactor authentication. This revocation event forces previously authenticated users to authenticate and register for multifactor authentication. 



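The check and revocation described in the post, as an added example that is not part of the original post: it lists enabled accounts that have no MFA-capable method registered and, only when asked, revokes their sessions so the next interactive sign-in runs the registration. It assumes the Microsoft Graph PowerShell SDK and an admin who can consent to the scopes shown; the `-Revoke` switch is a name chosen for this example, and limiting revocation to unregistered accounts is a narrower choice than the post's "all users".

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Users, Microsoft.Graph.Users.Actions, Microsoft.Graph.Identity.SignIns
param(
    # Hypothetical switch for this example: without it the script only reports.
    [switch]$Revoke
)

Connect-MgGraph -Scopes 'User.Read.All', 'UserAuthenticationMethod.Read.All', 'User.RevokeSessions.All'

# Method types that do not satisfy MFA: the password itself and the
# e-mail method, which is usable for SSPR only.
$notMfa = @(
    '#microsoft.graph.passwordAuthenticationMethod',
    '#microsoft.graph.emailAuthenticationMethod'
)

$users = Get-MgUser -All -Filter 'accountEnabled eq true' -Property Id, UserPrincipalName

$unregistered = foreach ($user in $users) {
    # One call per user; each returned method carries its type in @odata.type.
    $methods = Get-MgUserAuthenticationMethod -UserId $user.Id
    $mfaMethods = $methods | Where-Object {
        $_.AdditionalProperties['@odata.type'] -notin $notMfa
    }
    if (-not $mfaMethods) {
        [pscustomobject]@{
            Id                = $user.Id
            UserPrincipalName = $user.UserPrincipalName
        }
    }
}

# Accounts an attacker with only the password could enrol their own device on.
$unregistered | Sort-Object UserPrincipalName | Format-Table -AutoSize

if ($Revoke) {
    foreach ($account in $unregistered) {
        # Invalidates refresh tokens, so the user must sign in interactively again.
        Revoke-MgUserSignInSession -UserId $account.Id | Out-Null
        Write-Host "Revoked sessions for $($account.UserPrincipalName)"
    }
}
```

Run it without `-Revoke` first and review the list, since service and shared accounts without MFA methods will appear in it as well.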