Deploying Multi-Factor Authentication for Office 365

Multi-Factor Authentication (MFA) is now included in all O365 SKUs (except Small Business & Dedicated).

MFA enables you to require 2 or more of the following factors for users in your enterprise to authenticate to O365 services:

  • Something you know – a password or PIN
  • Something you have – a phone, smart card, or other token (like an SSL certificate)
  • Something you are – biometric – like fingerprint or retinal scan

Office 365 uses Windows Azure MFA (powered by PhoneFactor, acquired by msft in 2012). (

In this post, I’ll explain how to enable MFA for use with a smart phone. This gives you 3 options for verification:

  • Mobile Apps
  • Phone Calls
  • Text messages (OTP – one-time passcode)

You can enable MFA for single users or you can enable them for multiple users at a time via a CSV file import. You can also enable via PowerShell.

To enable MFA for O365 for a single user

  1. Log into the portal and navigate to admin center
  2. Select users and groups
  3. Click Set up next to Set Multi-factor authentication requirements
  4. Find the user and check the box next to their name
  5. Clicking enable brings up a pop-up


After enabling, you’ll need to send each user to this link to register for MFA:

User must sign-in and then presented with this prompt:

The user should select the contact method they prefer:

  1. Mobile phone: This method allows for either text message verification (a 6-digit code is sent via standard SMS messaging) or phone call (pressing # confirms you are the one logging in)
  2. Office phone: This method only allows for a phone call confirmation, similar to Mobile phone. However, Lync phone numbers are not supported.
  3. Mobile app: This method utilizes a mobile application on your smart phone. The mobile app receives a 6-digit code that is used as the second authentication method – similar to text messages. If selected, click the Configure button and follow the instructions for configuring the app for your mobile device.
    Windows Phone:
  4. Once you verify the app it will prompt you to verify each time you log in:

Apple iOS

Google Android

Windows Phone




  1. Once you choose a verification method and complete the verification steps, you’ll need to generate an App password. Office apps and mobile apps (like mail) must use this password instead of your normal password and it’s recommended you generate an app password for each device you intend to use.
  2. Once completed, you can always come back to this URL to make changes to your profile, change your password, or add additional authentication methods. You can also use this portal to access applications like SharePoint Online and Exchange Online (OWA).


To Enable MFA for users in bulk

After clicking Set-up for Multi-factor authentication from the Users and Groups page, click the Bulk Update button.

This will prompt you to provide a CSV file that contains two column headings: Username & MFA Status. A sample CSV file is displayed below:

Username, MFA Status, Enabled, Disabled, Disabled, Enabled, Enabled

After you import the CSV file and complete the update process, you’ll need to notify each user to go to the web page to configure their multi-authentication verification methods.

To Enable MFA via Remote PowerShell

You can use the following PowerShell commands to enable or enforce multi-factor authentication for a single user, all users, or a bulk list of users via CSV. You must use the Windows Azure Active Directory Module for Windows PowerShell. You can find instructions on downloading and installing this module here.

The commands:

#Establish the StrongAuthenticatonRequirement object with the required RelayingParty settings for Office 365

$mfobject = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement

$mfobject.RelyingParty = "*"

$mfobject.State = "Enabled"

$mfauthenabled = @($mfobject)

$mfauthdisabled = @()



#Enable MFA for a single user

Set-MsolUser -UserPrincipalName -StrongAuthenticationRequirements $mfauthenabled



#Enable MFA for all users (please use with CAUTION!)

Get-MsolUser -All | Set-MsolUser -StrongAuthenticationRequirements $mfauthenabled



#Enable MFA for bulk list of users in a CSV file

$userlist = Import-Csv .Contoso-MFA.csv

foreach ($user in $userlist) {

    switch ($user."MFA Status") {

        "Enabled"  {Set-MsolUser -UserPrincipalName $user.username -StrongAuthenticationRequirements $mfauthenabled}

        "Disabled" {Set-MsolUser -UserPrincipalName $user.username -StrongAuthenticationRequirements $mfauthdisabled}





#Disable MFA for a single user

Set-MsolUser -UserPrincipalName -StrongAuthenticationRequirements $mfauthdisabled