Setting Up Multi-Factor Authentication for SharePoint

Multi-Factor Authentication (MFA) enhances security by requiring users to provide an additional verification factor beyond their password. Enabling MFA for SharePoint helps prevent unauthorized access and protects sensitive business data.

This guide covers:
What MFA is and why it’s important
How to enable MFA for SharePoint users
Best practices for managing MFA in SharePoint


1. What is Multi-Factor Authentication (MFA)?

MFA requires users to verify their identity using two or more authentication methods, such as:
🔹 Something you know – Password
🔹 Something you have – Mobile device, Authenticator app, SMS code
🔹 Something you are – Fingerprint, Face ID

By enabling MFA, even if a hacker steals a password, they cannot access SharePoint without the second factor.


2. Why Enable MFA for SharePoint?

Security Threats Without MFA:
Stolen passwords – Weak or reused passwords make SharePoint vulnerable.
Phishing attacks – Hackers trick users into revealing credentials.
Brute force attacks – Automated tools guess passwords until they succeed.

Benefits of MFA:
Stronger security – Blocks unauthorized access even if passwords are compromised.
Compliance – Meets security requirements for GDPR, HIPAA, and ISO 27001.
Flexible authentication options – Users can verify via Authenticator apps, SMS, or calls.


3. Enabling MFA for SharePoint (Microsoft 365 Admin Center)

Step 1: Sign in to Microsoft 365 Admin Center

1️⃣ Go to Microsoft 365 Admin Center.
2️⃣ Sign in with a Global Admin or Security Admin account.

Step 2: Navigate to MFA Settings

1️⃣ In the left panel, click Users > Active Users.
2️⃣ Click Multi-Factor Authentication under the “More” drop-down menu.

Step 3: Enable MFA for Users

1️⃣ Select the users or groups who need MFA.
2️⃣ Click Enable and confirm.
3️⃣ A notification appears: “Multi-Factor Authentication has been enabled.”

Tip: Instead of enabling MFA for every user manually, create a security policy to enforce it across the organization.


4. Enforcing MFA with Conditional Access (Recommended Approach)

For better security, use Conditional Access Policies in Microsoft Entra ID (Azure AD) instead of the basic MFA settings.

Step 1: Open Microsoft Entra (Azure AD) Admin Center

1️⃣ Go to Microsoft Entra Admin Center.
2️⃣ Click Security > Conditional Access.
3️⃣ Click + New Policy to create a new rule.

Step 2: Configure MFA Policy

1️⃣ Under Assignments, select Users and Groups.
2️⃣ Choose All users or specific groups (e.g., “All SharePoint Users”).
3️⃣ Under Cloud apps, select Office 365 (includes SharePoint).
4️⃣ Under Grant, select Require Multi-Factor Authentication.
5️⃣ Click Enable Policy > Create.

With this policy in place, users must complete MFA before accessing SharePoint, including when they sign in from untrusted locations or devices.
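To confirm that a policy built with the steps above really enforces MFA for SharePoint, the following added example (not part of the original guide, and not Microsoft's code) audits policy objects in the JSON shape returned by Microsoft Graph at GET /identity/conditionalAccess/policies. The function name audit_policy and the GOOD and WEAK sample policies are constructed for illustration.

```python
# Added example: audit Conditional Access policies exported as Microsoft Graph JSON.
SHAREPOINT_APP_ID = "00000003-0000-0ff1-ce00-000000000000"  # Office 365 SharePoint Online
SHAREPOINT_TARGETS = {"All", "Office365", SHAREPOINT_APP_ID}


def audit_policy(policy):
    """Return findings for one policy; an empty list means MFA is enforced for SharePoint.

    Only the 'Require multifactor authentication' grant (builtInControls: mfa) is
    recognised; policies built on authentication strengths need manual review.
    """
    cond = policy.get("conditions") or {}
    apps = cond.get("applications") or {}
    users = cond.get("users") or {}
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls") or []
    findings = []

    if policy.get("state") != "enabled":  # e.g. report-only or disabled
        findings.append(f"state is {policy.get('state')!r}, so nothing is enforced")
    if not SHAREPOINT_TARGETS & set(apps.get("includeApplications") or []):
        findings.append("SharePoint is not among the included cloud apps")
    if SHAREPOINT_TARGETS & set(apps.get("excludeApplications") or []):
        findings.append("SharePoint is excluded from the policy")
    if "mfa" not in controls:
        findings.append("grant controls do not require MFA")
    elif len(controls) > 1 and grant.get("operator") == "OR":
        findings.append("operator OR lets another control satisfy the policy without MFA")
    if "All" not in (users.get("includeUsers") or []):
        findings.append("not assigned to all users; check group coverage")
    excluded = (users.get("excludeUsers") or []) + (users.get("excludeGroups") or [])
    if excluded:
        findings.append(f"{len(excluded)} excluded user(s)/group(s) skip MFA")
    return findings


# Constructed sample policies (not real tenant data).
GOOD = {"displayName": "Require MFA for Office 365", "state": "enabled",
        "conditions": {"users": {"includeUsers": ["All"]},
                       "applications": {"includeApplications": ["Office365"]}},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}}
WEAK = {"displayName": "MFA pilot", "state": "enabledForReportingButNotEnforced",
        "conditions": {"users": {"includeGroups": ["pilot-group-id"],
                                 "excludeUsers": ["legacy-svc-id"]},
                       "applications": {"includeApplications": ["Office365"]}},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]}}

if __name__ == "__main__":
    for p in (GOOD, WEAK):
        print(p["displayName"], "->", audit_policy(p) or "OK")
```

The WEAK sample shows the settings that most often leave a "Require MFA" policy ineffective: report-only state, an OR between MFA and another control, and user exclusions.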


5. How Users Set Up MFA for SharePoint

Once MFA is enabled, users must set up their verification method during their next sign-in.

Step 1: Sign in to SharePoint Online

1️⃣ Go to SharePoint Online.
2️⃣ Enter username and password.
3️⃣ The system prompts users to set up MFA.

Step 2: Choose a Verification Method

Users can select from:
Microsoft Authenticator App (Recommended)
SMS code (Least secure option)
Phone call verification

🔹 Tip: Microsoft Authenticator App is more secure than SMS because phone numbers can be spoofed or intercepted.


6. Managing MFA Settings

1️⃣ Reset MFA for a User

If a user loses their phone or changes devices:
1️⃣ Go to Microsoft Entra Admin Center > Users.
2️⃣ Select the affected user and click Authentication methods.
3️⃣ Remove the old method and ask the user to re-register.

2️⃣ Bypass MFA Temporarily

For emergencies (e.g., users are locked out), admins can:
1️⃣ Go to Users > MFA settings.
2️⃣ Select the user and disable MFA temporarily.
3️⃣ Re-enable MFA after troubleshooting.

3️⃣ Enable MFA for Admin Accounts

Always enforce MFA for all SharePoint administrators to prevent unauthorized control of your SharePoint environment.


7. Best Practices for MFA in SharePoint

Enforce MFA for all users, especially admins and external collaborators.
Use Conditional Access Policies instead of enabling MFA manually.
Encourage users to use the Microsoft Authenticator app instead of SMS.
Regularly review MFA sign-ins using Microsoft 365 Security logs.
Train employees on MFA usage and recovery procedures.


8. Troubleshooting MFA Issues

User locked out? – Reset their MFA settings in Microsoft Entra ID.
Not receiving SMS codes? – Check phone number settings or switch to the Authenticator app.
Blocked sign-in from unknown locations? – Configure Conditional Access rules correctly.

For advanced troubleshooting, visit Microsoft MFA Support.
