Active Directory & Office 365 Reporting Tool

Office 365 MFA Enabled vs Enforced — What’s the Difference? Although passwords continue to be the most implemented method of user identification, single-factor authentication could be very much prone to cyber attacks. Microsoft’s multi factor authentication (MFA) secures your Azure Directory and Office 365 from phishing or cyber intrusion attempts. But its adoption rate remains unsteady. As per a survey, 78% of Microsoft 365 Admins do not activate MFA.

Image Source: ramsac

In this blog post, we explore MFA, why it is required, two types of Office 365 MFA — Enabled and Enforced, and the key differences between them, so you could decide which is the best choice for your business.

Shall we start with Office 365 MFA Enabled vs Enforced — What’s the Difference?

What Is MFA?

Primarily speaking, it is a sign in process (or security system) where the user is prompted for additional forms of identification. In turn, this creates an additional layer of defence over the passwords, to prevent an unauthorized person from accessing your data, location, etc.

The password protection method is therefore combined with other factors such as:

  • Knowledge — Passwords that can be named, a combination of special characters and letters, etc.


  • Possession — Physical things like a security key, an authorized mobile app, etc.


  • Inherence — Biological scans like retina scans, fingerprint scans, voice recognition, facial recognition, etc.


  • Location — Mostly determined by smartphone location, and GPS.


  • Time — Acts as a logical barrier where the employee credentials are matched against the time at their location to confirm the user’s authenticity.

Why Is MFA Required?

Password Theft

It is the most common method of identity theft.  Well, attackers can steal passwords with three methods — keylogging, phishing, and pharming. MFA ensures that in case the password is stolen, there are still extra layers of defense protecting your critical data.

Enhances Security

By setting multiple credential requirements for conditional data access, hackers are discouraged from using stolen passwords, devices, etc. to enter your system. It is ideal for protecting on prem and cloud based data.

Customizable Solution

It can be customized as per an organization’s requirements. It can implement physical factors such as retina or fingerprint scans if it requires stringent data security.


MFA adapts to any business type and streamlines the sign-in process by eliminating the need for multiple passwords. It thus enhances the user’s experience and reduces the need for support calls for password assistance.

Compliance with Regulations

It helps ensure that you are complying with the identity and access management regulations.

What Is Office 365 MFA Enabled?

In the MFA Enabled Authentication process, an Office 365 admin enables your account to access the page but you’re prompted for registration completion, every time you sign in. This can be timed, such as push notifications for a few hours to a few days.

Once you have completed the registration process and complied with the policies defined by the administrator, the prompts no longer pop up, and you can either access the complete page or continue enjoying access to the resources as before.

Features of Office 365 MFA Enabled

  • Helps build organizational trust. If a new team member has been given access to a company’s data on the cloud, adherence to the authentication policies helps build a credible work environment at the workplace.


  • If the registration process is not completed within the timeframe set by the administrator, the access automatically gets revoked.


  • Helps companies avoid data theft.


  • In Office 365, administrator(s) can enable MFA via Azure Active Directory Admin Center.


  • Beneficial for data sensitive sectors like banking, large enterprises, etc.

Pros of Office 365 MFA Enabled

  • Reduces the probability of identity theft and stealing of an organization’s critical data. With this process, the stolen passwords are nearly of no use to cyber attackers and phishers.


  • Provides a combination of more than two authenticators for gaining access to the user account. It helps secure Office 365 accounts and emails, which protects them from becoming a target of cyber attackers.

Cons of Office 365 MFA Enabled

Although the authentication requirement helps prevent your precious data from leaking, enabling MFA can lead to friction between the consumer and the service provider. Repeated popups for further authentication stages may frustrate the users as usually they desire to log in fast and begin (or resume) their work quickly.

Improve your Active Directory Security & Azure AD

Try us out for Free, Access to all features. – 200+ AD Report templates Available. Easily customise your own AD reports.

What Is Office 365 MFA Enforced?

After you complete the registration process in Azure AD MFA, your user account is automatically switched from Enabled to Enforced.

When the MFA is set to Security Defaults in Microsoft (Office) 365 Azure AD, it becomes a high level tenant setting. Once this setting is turned on, MFA gets activated across all the user accounts. It, by default, requires all your members to enrol as per the enforced policies.

Features Of Office 365 MFA Enforced

  • Once enforced, the authentication method gets applied to all the connected accounts.


  • Gets automatically enforced upon the external management tools that require service account access.


  • Enhances the security of Microsoft 365 tenants.


  • Ideal for remote first organizations, growth stage startups, the banking sector, etc.

Pros Of Office 365 MFA Enforced

  • Enforcement of strict authentication methods helps increase the security of Office 365 tenants.
  • Such stringent account access methods improve the user experience by heightening the trust factor.


  • In addition to providing strong overall security, it also protects the accounts from common cyber attacks like brute force attacks.

Cons Of Office 365 MFA Enforced

The poor implementation of such multi layered authentication methods leads to bias and inaccuracy, at times. If the methods imposed include biometrics, the inherent demographic biases leads to false negatives. Most common biometric methods usually depend on partial data for identity verification. This further results in wrongful rejects and accepts, leading to actual users not getting access and attackers getting account access.

Additionally, this process causes issues regarding the authentication of some legacy apps which might affect a third party service.

Prerequisites Before Setting Up Or Enforcing MFA

Prepare The Support Team

When something like MFA is enforced upon the users, they might find the entire process new to adapt to, and might have queries regarding MFA token loss, or post setup issues. As a result, the IT support team would be required to be ready with enrollment and recovery support for the account users.

This can be best done with test practices for the support team with mock issue requests and queries.

Understanding the Approach

To understand the appropriateness of the Security Default, it is important that:

  • Once the Security Defaults are enabled, it applies to all the accounts including break glass accounts, unlicensed users, and service accounts.


  • The users who have not completed their registration process will be prompted every time they log in to their accounts. After the set time frame, they will be unable to access the account if the registration remains incomplete.


  • This enforcement requires an authenticator app for sending push notifications on the registered device that will act as the second factor authentication.

Methods Of Enabling Office 365 MFA

Changing the User States

It involves the traditional two factor authentication (2FA) every time users sign in to their account. This method is easy on an individual basis but can be time consuming, erroneous, and tough to manage when performed on an organizational scale.

With Security Defaults

Microsoft released this method in 2019 with pre configured security. Its purpose has been to prevent organizations from all sorts of cyber security threats. This setting enables MFA for all service and user accounts. If a tenant was created after the release, this could be the default setting in the accounts. In other cases, it needs to be enabled in the Azure Portal.

With the Conditional Access Policy

Being a paid feature of the Azure Active Directory (Premium P1 or P2 Edition), Conditional Access is a flexible method of authentication. These access policies are applied to groups as well as individual accounts. This method gives you the ability to adjust the restrictions as per the requirement of the group or account (low risk or high risk accounts).

Office 365 MFA Enabled vs Enforced — What's the Difference?

Image Source: Cayosoft

Account Accessibility

Office 365 MFA Enabled

If your registration is incomplete, you can still access the account but will be prompted to complete the process within the set time frame. If it remains incomplete, the access might either remain with more prompts or may get revoked.

Office 365 MFA Enforced

The Security Default settings enforce the users to complete the registration to gain any sort of access to the accounts. This is a rigid method, and requires adherence to strict authentication policies laid down by the administrator for user account accessibility.

Trust Factor

Office 365 MFA Enabled

When MFA is enabled, it gives users time to contemplate and understand the authentication process, before they go ahead with it. A fair understanding of it helps build trust between the user and the service provider.

Office 365 MFA Enforced

This process leaves no room for the user to understand the process before opting in. It follows strict authentication policies which have to be followed for account accessibility. Even though it gives an extra assurance of account protection, the process can be frustrating for the users.

Data Theft Possibilities

Office 365 MFA Enabled

It requires registration completion to gain complete account access. But incompletion doesn’t always take partial access away from the user. It simply continues to prompt if a time frame hasn’t been set by the administrator. In both cases, the user (in case they’re ingenuine) can lead to data theft.

Office 365 MFA Enforced

It includes physical factors in the authentication process such as a biometrics scan. As secure as it might seem, biometrics are sometimes spoofed. This leads to an authentic user to be denied accessibility and an attacker gaining it, putting the entire organizational data at risk.

Ways To Enable

Office 365 MFA Enabled

MFA in Microsoft 365 is ‘enabled’ using the Azure Active Directory Admin Center. You need to select Properties and manage the Security Default enabling or disabling it from there.

Office 365 MFA Enforced

Once the policy for enforced MFA sign in has been created, you need to create a customer managed policy, which prohibits every action except a few IAM (Identity Access Management) actions. This is followed by attaching the policies to the test user group. Finally, user access is tested.


Office 365 MFA Enabled

Suitable for individual user accounts or startups and small companies.

Office 365 MFA Enforced

Appropriate for remote first startups, large organizations and enterprises where the dataset is huge or in banking sectors, where sensitive user data and possessions are concerned.


Office 365 MFA Enabled

It has a time bound prompt (Session Security Levels) that pops up every time you sign in without a complete registration. Once the process is completed, it lets you access the system. This ensures account security to a great extent but does question the partial account accessibility during the registration timeframe.

Office 365 MFA Enforced

It comes with additional layers of defence for user accounts with location factor, physical factor, etc. as added forms of the authentication process. If an attacker successfully infiltrates the passwords, it leaves the attacker with further layers to break through, thus ensuring higher data security.

Thank you for reading Office 365 MFA Enabled vs Enforced — What’s the Difference? We shall conclude this article blog. 

Office 365 MFA Enabled vs Enforced — What's the Difference? (Conclusion)

All in all, the data is everywhere and so is the need for its protection whether your organization is a start-up or an enterprise.

Although Enabled MFA has its share of advantages, primarily user adaptability, yet, it ultimately has to turn into Enforced MFA, which combines various strict methods of authentication. This promises data security as well as cost efficiency in the long run, thus proving to be more beneficial for all sorts of user accounts.


Try InfraSOS for FREE

Invite your team and explore InfraSOS features for free

Anmol Nigam

Anmol Nigam

I write bespoke content for SaaS entrepreneurs and brands to help them scale organically.

Leave a comment

Your email address will not be published. Required fields are marked *