Microsoft Entra ID multi-factor authentication is a critical security feature that prevents unauthorized access to a Microsoft 365 tenant.
The licensing requirements to get Entra ID MFA are based on your users’ Entra ID license.
MFA Licensing
To get MFA, you will need one of the following:
- Microsoft Entra ID P1 or P2 license
- Microsoft 365 Business
If you don’t have one of the above, you can get Entra ID MFA for all your users when the Entra ID Security defaults feature is enabled (enabled by default on all tenants).
By default, Global Administrator users are enabled for MFA.
The problem with the Security defaults feature is that it applies to all users on a tenant level, which means you can’t disable MFA per user or exclude users from MFA.
This limitation can be an issue for many organizations, so they opt to turn off Security defaults and enforce MFA using Conditional Access.