To enable Multi-Factor Authentication (MFA) for a single user in Office 365, you need to configure it through the Microsoft Entra admin center, which manages user identities for Office 365 services. This process involves navigating to the user's settings and initiating the MFA enrollment.
Understanding Per-User MFA
Per-user MFA is a method where you manually enable or disable MFA for individual user accounts. While highly effective for specific cases or small organizations, for larger environments, policy-driven Conditional Access (requiring a Microsoft Entra ID P1 license) offers more flexibility and automation. However, for a single user, the per-user method is straightforward and available with all Microsoft 365 subscriptions.
Required Permissions
To enable MFA for a user, you must have an administrative role with sufficient privileges. This typically includes:
- Authentication Policy Administrator
- Global Administrator
- User Administrator
These roles allow you to manage user authentication settings within your Microsoft Entra ID tenant.
Step-by-Step Guide to Enable Per-User MFA
Follow these steps to enable MFA for a specific user:
- Sign in to the Microsoft Entra admin center: Open your web browser and go to the Microsoft Entra admin center. Sign in using an account with the required administrative permissions (e.g., Global Administrator or Authentication Policy Administrator).
- Navigate to Users: In the left-hand navigation menu, expand Identity, then select Users, and finally click on All users. This will display a list of all user accounts in your directory.
- Select the User Account: Locate the specific user account for whom you want to enable MFA. You can use the search bar to find them quickly. Click on the user's name to open their profile details.
- Initiate MFA Configuration:
  - Within the user's profile, you might see an option or a link related to "Per-user MFA" or "Manage multi-factor authentication for this user."
  - Clicking this link will typically redirect you to the multi-factor authentication page, where you can manage MFA settings for all users.
  - On this page, find and select the specific user again.
  - Once the user is selected, you will see options on the right-hand side. Click on Enable MFA.
- Confirm Your Selection: A pop-up window will appear asking you to confirm your decision to enable MFA for the selected user. Confirm your selection.
Once enabled, the user's MFA status will change. Initially, it might show as "Enabled" (meaning they are required to register MFA), and after they register, it will show as "Enforced."
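The same change can be scripted with Microsoft Graph PowerShell, which is useful when the portal steps above have to be repeated or recorded. The script below is an added example, not part of the original article or of Microsoft's documentation. It assumes the beta Graph endpoint `/users/{id}/authentication/requirements` with its `perUserMfaState` property (values `disabled`, `enabled`, `enforced`, matching the portal) and the `Policy.ReadWrite.AuthenticationMethod` scope for writing it; verify both against the current Graph reference for your tenant.

```powershell
# Added example (not from the original article): enable per-user MFA for one
# user with Microsoft Graph PowerShell instead of the portal.
# Assumptions to verify: the beta endpoint /users/{id}/authentication/requirements,
# its perUserMfaState property, and the Policy.ReadWrite.AuthenticationMethod scope.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName
)

Connect-MgGraph -Scopes 'User.Read.All', 'Policy.ReadWrite.AuthenticationMethod'

$user = Get-MgUser -UserId $UserPrincipalName -Property Id, UserPrincipalName
$uri  = "https://graph.microsoft.com/beta/users/$($user.Id)/authentication/requirements"

# Read the current state first so an already-Enabled or Enforced user is left alone
$before = Invoke-MgGraphRequest -Method GET -Uri $uri
Write-Host "$($user.UserPrincipalName): per-user MFA is currently '$($before.perUserMfaState)'"

if ($before.perUserMfaState -ne 'disabled') {
    Write-Host 'Nothing to do; the user is already Enabled or Enforced.'
    return
}

# Mirror the portal's confirmation pop-up before changing the account
$answer = Read-Host "Enable MFA for $($user.UserPrincipalName)? (y/n)"
if ($answer -ne 'y') { return }

Invoke-MgGraphRequest -Method PATCH -Uri $uri `
    -Body @{ perUserMfaState = 'enabled' } -ContentType 'application/json'

# Confirm the write; the state moves to 'enforced' on its own once the user registers a method
$after = Invoke-MgGraphRequest -Method GET -Uri $uri
Write-Host "New state: '$($after.perUserMfaState)'"
```

Run it as `.\Enable-PerUserMfa.ps1 -UserPrincipalName someone@contoso.example` (the script name and address are placeholders). The pre-check and the explicit prompt are deliberate: they keep the script from silently downgrading an Enforced user or touching the wrong account when the UPN is mistyped.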
What Happens After Enabling MFA?
After you enable MFA for a user, the next time they sign in to an Office 365 service or application that requires authentication, they will be prompted to set up their multi-factor authentication methods. This setup process typically involves:
- Choosing a method: Such as using the Microsoft Authenticator app, a phone call, or a text message to a mobile device.
- Registering the method: Following on-screen instructions to link their chosen method to their account. For instance, scanning a QR code for the authenticator app or verifying a phone number.
Until the user successfully registers at least one MFA method, they will not be able to fully access their Office 365 services.
Managing User MFA Status
You can always review and change a user's MFA status from the same multi-factor authentication page accessed via the Microsoft Entra admin center.
| MFA Status | Description | User Experience | Common Action |
|---|---|---|---|
| Disabled | MFA is not required for the user. | User signs in with just username and password. | Click "Enable" to activate MFA. |
| Enabled | User is prompted to register MFA methods upon next sign-in. | User must register MFA before accessing services. | No action usually needed; the user completes registration. |
| Enforced | User has registered MFA and is required to use it for every sign-in. | User signs in with username/password, then verifies identity using their registered MFA method. | Click "Disable" to remove the MFA requirement, or "Manage user settings" to revoke existing MFA sessions. |
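To see which row of the table a user falls into without clicking through the portal, the following added example (not part of the original article) reads the per-user MFA state and the authentication methods the user has actually registered, then suggests the matching action from the table. It assumes the same beta `/authentication/requirements` endpoint and `perUserMfaState` property as above, and the `UserAuthenticationMethod.Read.All` and `Policy.Read.All` scopes for reading; check both against the current Graph reference.

```powershell
# Added example (not from the original article): report a user's per-user MFA
# state alongside their registered authentication methods.
# Assumptions to verify: the beta /authentication/requirements endpoint,
# the perUserMfaState property, and the read scopes requested below.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName
)

Connect-MgGraph -Scopes 'User.Read.All', 'UserAuthenticationMethod.Read.All', 'Policy.Read.All'

$user  = Get-MgUser -UserId $UserPrincipalName -Property Id, UserPrincipalName
$uri   = "https://graph.microsoft.com/beta/users/$($user.Id)/authentication/requirements"
$state = (Invoke-MgGraphRequest -Method GET -Uri $uri).perUserMfaState

# The password shows up as a method too; everything else counts as a registered MFA method
$methods = Get-MgUserAuthenticationMethod -UserId $user.Id |
    ForEach-Object { $_.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', '' } |
    Where-Object { $_ -ne 'passwordAuthenticationMethod' }

# Map the state (and whether anything is registered) to the action column of the table
$nextAction = switch ($state) {
    'disabled' { 'Click "Enable" if this user should be protected by MFA' }
    'enabled'  {
        if ($methods) { 'Registered; state should move to Enforced at the next sign-in' }
        else          { 'Waiting for the user to register an MFA method' }
    }
    'enforced' { 'No action; use "Manage user settings" to revoke sessions if a device is lost' }
    default    { "Unexpected state '$state'; check the portal" }
}

[pscustomobject]@{
    User            = $user.UserPrincipalName
    PerUserMfaState = $state
    MfaMethods      = if ($methods) { $methods -join ', ' } else { '(none registered)' }
    NextAction      = $nextAction
} | Format-List
```

An Enabled user with no registered methods is the case worth watching: per the table they cannot fully use Office 365 until they register, so a report like this quickly shows who still needs the guidance described in the tips that follow.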
Practical Tips:
- Communicate with the user: Inform the user before enabling MFA so they know what to expect during their next login.
- Provide guidance: Offer instructions on how to register their MFA methods, especially if they are new to it. Microsoft's documentation on how to set up the Microsoft Authenticator app can be helpful.
- Revoke MFA sessions: If a user's device is lost or stolen, you can revoke their existing MFA sessions to force a re-authentication with new MFA prompts. This is done by selecting the user on the multi-factor authentication page and choosing "Manage user settings."
Advanced MFA with Conditional Access (Optional)
While per-user MFA is effective for individual users, for organizations requiring more granular control, such as only requiring MFA when accessing sensitive data, from untrusted networks, or from non-compliant devices, Microsoft Entra Conditional Access is the recommended approach. Conditional Access policies can apply MFA based on various conditions, including user group membership, location, device state, and application being accessed. This requires a Microsoft Entra ID P1 or P2 license.