2fa Outlook

Based on your understanding of multi-factor authentication (MFA) and its support in Microsoft 365, it's time to set it up and roll it out to your organization.

Two-step verification helps protect you by making it more difficult for someone else to sign in to your Microsoft account. It uses two different forms of identity: your password, and a contact method (also known as security info). Even if someone else finds your password, they'll be stopped if they don't have access to your security info.

Using the method described previously to bypass 2FA, it is still possible to read the email of the allegedly protected account through Exchange Web Services (EWS). When MailSniper is directed to authenticate to outlook.office365.com as the ExchHostname, the mailbox of the target user can still be accessed, bypassing the two-factor protection.
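One way to check whether the EWS path described above is open in your tenant is to look for successful sign-ins over legacy protocols in exported sign-in logs. This is an added example, not part of the original page; it assumes JSON-lines records using the Microsoft Graph signIn field names (`clientAppUsed`, `authenticationRequirement`, `status.errorCode`), and the sample records are constructed.

```python
import json

# Client apps the Azure AD sign-in log reports for legacy (basic auth)
# protocols, which cannot present a second-factor prompt.
LEGACY_CLIENT_APPS = {
    "Exchange Web Services", "Exchange ActiveSync", "IMAP4", "POP3",
    "Authenticated SMTP", "Autodiscover", "MAPI Over HTTP",
    "Outlook Anywhere (RPC over HTTP)", "Other clients",
}

# Constructed sample records (JSON lines). Field names are assumed to follow
# the Microsoft Graph signIn resource; users, addresses and results are made up.
SAMPLE_LOG = """\
{"userPrincipalName": "alice@example.com", "clientAppUsed": "Browser", "authenticationRequirement": "multiFactorAuthentication", "ipAddress": "198.51.100.7", "status": {"errorCode": 0}}
{"userPrincipalName": "alice@example.com", "clientAppUsed": "Exchange Web Services", "authenticationRequirement": "singleFactorAuthentication", "ipAddress": "203.0.113.44", "status": {"errorCode": 0}}
{"userPrincipalName": "bob@example.com", "clientAppUsed": "Exchange Web Services", "authenticationRequirement": "singleFactorAuthentication", "ipAddress": "203.0.113.44", "status": {"errorCode": 50126}}
{"userPrincipalName": "carol@example.com", "clientAppUsed": "IMAP4", "authenticationRequirement": "singleFactorAuthentication", "ipAddress": "203.0.113.90", "status": {"errorCode": 0}}
not-json-line
"""


def find_legacy_signins(lines):
    """Return successful sign-ins that came in over a legacy protocol."""
    hits = []
    for raw in lines:
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # blank, truncated or non-JSON line
        if not isinstance(event, dict):
            continue
        status = event.get("status") or {}
        if (event.get("clientAppUsed") in LEGACY_CLIENT_APPS
                and status.get("errorCode") == 0):  # 0 means success
            hits.append(event)
    return hits


def summarize(hits):
    """Map each affected user to the sorted legacy protocols that succeeded."""
    per_user = {}
    for event in hits:
        user = event.get("userPrincipalName", "<unknown>")
        per_user.setdefault(user, set()).add(event["clientAppUsed"])
    return {user: sorted(apps) for user, apps in per_user.items()}


if __name__ == "__main__":
    for user, apps in summarize(find_legacy_signins(SAMPLE_LOG.splitlines())).items():
        print(f"{user}: password-only sign-in succeeded via {', '.join(apps)}")
```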

Important

If you purchased your subscription or trial after October 21, 2019, and you're prompted for MFA when you sign in, security defaults have been automatically enabled for your subscription.

Before you begin

  • You must be a Global admin to manage MFA. For more information, see About admin roles.
  • If you have legacy per-user MFA turned on, turn off legacy per-user MFA.
  • If you have Office 2013 clients on Windows devices, turn on Modern Authentication for Office 2013 clients.
  • Advanced: If you have third-party directory services with Active Directory Federation Services (AD FS), set up the Azure MFA Server. See advanced scenarios with Azure AD Multi-Factor Authentication and third-party VPN solutions for more information.

Turn Security defaults on or off

For most organizations, Security defaults offer a good level of additional sign-in security. For more information, see What are security defaults?

If your subscription is new, Security defaults might already be turned on for you automatically.

You enable or disable security defaults from the Properties pane for Azure Active Directory (Azure AD) in the Azure portal.

  1. Sign in to the Microsoft 365 admin center with global admin credentials.
  2. In the left nav choose Show All and under Admin centers, choose Azure Active Directory.
  3. In the Azure Active Directory admin center choose Azure Active Directory > Properties.
  4. At the bottom of the page, choose Manage Security defaults.
  5. Choose Yes to enable security defaults or No to disable security defaults, and then choose Save.

If you have been using baseline Conditional Access policies, you will be prompted to turn them off before you move to using security defaults.

  1. Go to the Conditional Access - Policies page.
  2. Choose each baseline policy that is On and set Enable policy to Off.
  3. Go to the Azure Active Directory - Properties page.
  4. At the bottom of the page, choose Manage Security defaults.
  5. Choose Yes to enable security defaults or No to disable security defaults, and then choose Save.

Use Conditional Access policies

If your organization has more granular sign-in security needs, Conditional Access policies can offer you more control. Conditional Access lets you create and define policies that react to sign-in events and request additional actions before a user is granted access to an application or service.

Important

Turn off both per-user MFA and Security defaults before you enable Conditional Access policies.

Conditional Access is available for customers who have purchased Azure AD Premium P1, or licenses that include it, such as Microsoft 365 Business Premium and Microsoft 365 E3. For more information, see create a Conditional Access policy.

Risk-based Conditional Access is available through an Azure AD Premium P2 license, or licenses that include it, such as Microsoft 365 E5. For more information, see risk-based Conditional Access.

For more information about Azure AD Premium P1 and P2, see Azure Active Directory pricing.

Turn on Modern authentication for your organization

For most subscriptions, modern authentication is automatically turned on, but if you purchased your subscription before August 2017, you will likely need to turn on Modern Authentication to get features like Multi-Factor Authentication to work in Windows clients like Outlook.

  1. In the Microsoft 365 admin center, in the left nav choose Settings > Org settings.
  2. Under the Services tab, choose Modern authentication, and in the Modern authentication pane, make sure Enable Modern authentication is selected. Choose Save changes.

Turn off legacy per-user MFA

If you have previously turned on per-user MFA, you must turn it off before enabling Security defaults.

  1. In the Microsoft 365 admin center, in the left nav choose Users > Active users.
  2. On the Active users page, choose Multi-factor authentication.
  3. On the multi-factor authentication page, select each user and set their Multi-Factor auth status to Disabled.

Related content

Turn on multi-factor authentication (video)

Turn on multi-factor authentication for your phone (video)
