Multi-Factor Authentication (MFA) adds an extra layer of security by requiring users to verify their identity using two or more authentication methods. Enabling MFA in SharePoint Online helps protect against unauthorized access, phishing attacks, and data breaches.
This guide provides a step-by-step process to enable MFA for SharePoint Online through Microsoft Entra ID (formerly Azure AD).
1. Understanding Multi-Factor Authentication (MFA)
✔ What is MFA?
MFA requires users to provide at least two forms of authentication before accessing their SharePoint Online account:
- Something they know – Password
- Something they have – Mobile device, security key, or authentication app
- Something they are – Biometric (fingerprint, face recognition)
✔ Why Enable MFA for SharePoint Online?
Prevents unauthorized access to sensitive data
Protects against phishing attacks and credential theft
Strengthens compliance with security regulations (e.g., GDPR, HIPAA)
Works with Microsoft 365 apps (Teams, Outlook, OneDrive)
2. How to Enable MFA for SharePoint Online Users
Step 1: Access the Microsoft Entra Admin Center
- Sign in to the Microsoft Entra Admin Center:
https://entra.microsoft.com - Click Protection → Conditional Access.
- Select Policies to create a new MFA policy for SharePoint Online.
Step 2: Create a Conditional Access Policy for MFA in SharePoint Online
- Click New Policy → Create new policy.
- Enter a policy name (e.g., “Require MFA for SharePoint Online”).
- Under Assignments → Users, select:
- All users (recommended) OR
- Specific groups (e.g., Admins, Finance, HR).
- Under Cloud apps or actions, select SharePoint Online.
- Under Access controls → Grant, select Require multi-factor authentication.
- Click Enable policy → Create.
This ensures MFA is enforced when users access SharePoint Online.
Step 3: Enable Security Defaults for MFA (Alternative Method)
If you don’t have Conditional Access, you can enable Security Defaults:
- Sign in to Microsoft Entra Admin Center.
- Go to Identity → Properties.
- Under Manage security defaults, click Yes.
- Click Save.
This enables MFA for all users in your tenant automatically.
3. User Experience: How Users Set Up MFA
Once MFA is enabled, users must set up authentication on their first login:
- Sign in to Microsoft 365.
- A prompt appears: “More information required”. Click Next.
- Choose an authentication method:
- Microsoft Authenticator App (Recommended)
- Phone call or SMS
- Security key or biometrics
- Follow the on-screen instructions to complete setup.
After setup, users will be required to authenticate with MFA when accessing SharePoint Online.
4. How to Exclude Certain Users from MFA (Optional)
Some users (e.g., service accounts, legacy applications) may need to bypass MFA. To exclude them:
- Go to Conditional Access → Open your MFA policy.
- Under Assignments → Exclude, select specific users or roles.
- Save the policy.
Warning: Only exclude users if absolutely necessary to maintain security.
5. Best Practices for Using MFA in SharePoint Online
✔ Use Microsoft Authenticator instead of SMS for stronger security.
✔ Enable MFA for all users, especially admins.
✔ Monitor sign-in logs in Microsoft Entra Admin Center for suspicious activity.
✔ Combine MFA with Conditional Access for advanced security controls.
✔ Train employees on recognizing phishing attempts.
Conclusion
Enabling Multi-Factor Authentication (MFA) for SharePoint Online is essential for enhancing security, preventing unauthorized access, and ensuring compliance. By configuring Conditional Access or Security Defaults, organizations can enforce MFA policies while maintaining a secure and user-friendly environment.