Microsoft 365 MFA
Microsoft 365 has started enabling security defaults on tenants and will eventually require users to register for 2FA/MFA, though this may not happen on tenants where an admin has specifically disabled security defaults. Since MFA is now baseline practice it should be enabled everywhere; how it's enabled matters, though, depending on your security needs. We recommend enforcing it through the Per-User MFA interface. With security defaults alone, Microsoft decides at each sign-in whether the login looks risky and whether to prompt for an MFA code (or not); I've signed in from a totally new computer on a totally different ISP without being prompted for MFA even though it was enabled. Enforcing it per user ensures the second factor is always asked for. (Conditional Access policies give finer control over the same thing but need an Entra ID P1 license; Per-User MFA is available on every tenant.)
How to enable Per-User MFA
- Log in to https://www.office.com with an admin account and open the Admin center
- Click on Users, then Active users, then Multi-factor authentication at the top of the list; this opens the Per-User MFA page
- Even accounts that already use MFA through security defaults may show “Disabled” in the status column here. That doesn't matter; the goal on this page is to enable each account and then enforce it. Select an account, click Enable, then click Enforce. Start with one of your two admin accounts and verify it works (log out, then back in using the newly enforced MFA) before doing the next admin account. Then do the user accounts, but skip shared mailboxes and other accounts nobody signs into directly.
How to Set Up Clients
When you enforce MFA it signs the user out of all of their applications, so Outlook on their computer, e-mail on their phone, their Office subscription, etc. will all need to be signed in again. When they sign in on the first device, after entering their password they'll be greeted with a “More information required” prompt.
- Click on Next
- It will prompt you to use Microsoft Authenticator. We don't want this; we'll use FreeOTP from Red Hat (Android: https://play.google.com/store/apps/details?id=org.fedorahosted.freeotp&hl=en_US&gl=US or iOS https://apps.apple.com/us/app/freeotp-authenticator/id872559395) or KeePassXC on a computer (https://keepassxc.org). Any app that implements RFC 6238 TOTP will work here, since that is the standard behind the "different authenticator app" option.
- After installing FreeOTP on the phone or KeePassXC on the computer (and creating a KeePass database), click on I want to use a different authenticator app
- Click on Next
- Now you should see a QR code. Scan it with FreeOTP on the client's phone, or, if using KeePassXC, click on Can't scan image? and copy the Secret key
- If using KeePassXC, create a new entry, right-click on the entry, go to TOTP, then Set up TOTP…
- Paste the Secret key into the field, leave the settings at Default (RFC 6238) (SHA-1, 6 digits, 30-second time step) and click on OK
- Now double tap on the entry in FreeOTP or click on the clock icon in KeePassXC to get the current TOTP code; it changes every 30 seconds, so enter it promptly
- Back at the Microsoft 365 sign-in page click on Next
- Enter the 6-digit TOTP code and press Next
- If it's a non-admin account that's it; for admin accounts, enter the additional information Microsoft asks for
- Now you can sign in on the rest of the client's devices with their password and a TOTP code. Treat the Secret key (and the KeePass database holding it) as a credential: anyone who has it can generate the same codes.
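The QR code in the steps above encodes an otpauth:// URI, and the Secret key shown under Can't scan image? is the Base32 seed inside it; FreeOTP and KeePassXC do nothing more than run RFC 6238 over that seed and the current time. The script below is an added example (not from the original page, and not Microsoft's or KeePassXC's code) that computes the same 6-digit code from a Secret key, so you can confirm a client's authenticator is producing the right value, and shows how a verifier accepts codes from adjacent 30-second steps to absorb clock drift. The URI shape is a constructed sample and the seed is the RFC 6238 test-vector key, not a real tenant secret.

```python
"""Compute and verify RFC 6238 TOTP codes from the Base32 secret a TOTP
enrollment shows (the value KeePassXC's "Set up TOTP" dialog takes)."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample of the otpauth:// URI a TOTP enrollment QR code encodes.
# The secret is the RFC 6238 test-vector key ("12345678901234567890" in
# Base32), not a real tenant secret.
SAMPLE_URI = ("otpauth://totp/Microsoft:user%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Microsoft")


def parse_otpauth(uri):
    """Pull label, secret and parameters out of an otpauth://totp/ URI.
    Missing parameters fall back to the RFC 6238 defaults KeePassXC uses:
    SHA-1, 6 digits, 30-second time step."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = parse_qs(u.query)
    if "secret" not in q:
        raise ValueError("otpauth URI has no secret")
    return {
        "label": unquote(u.path.lstrip("/")),
        "secret": q["secret"][0],
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
        "algorithm": q.get("algorithm", ["SHA1"])[0].upper(),
    }


def decode_secret(secret_b32):
    """Base32-decode a secret as shown on screen: spaces, lower case and
    missing '=' padding are all tolerated."""
    s = secret_b32.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def totp(secret_b32, at_time=None, digits=6, period=30, algorithm="SHA1"):
    """RFC 6238: HMAC(secret, time-step counter), dynamically truncated to
    `digits` decimal digits as in RFC 4226 section 5.3."""
    if at_time is None:
        at_time = time.time()
    counter = int(at_time) // period
    msg = struct.pack(">Q", counter)  # 8-byte big-endian step counter
    digestmod = getattr(hashlib, algorithm.lower())
    mac = hmac.new(decode_secret(secret_b32), msg, digestmod).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify(secret_b32, code, at_time=None, window=1, **kw):
    """Accept the code for the current step and `window` steps either side,
    which is how a server tolerates a phone whose clock is slightly off.
    The comparison is constant-time so a wrong guess leaks nothing."""
    if at_time is None:
        at_time = time.time()
    period = kw.get("period", 30)
    for step in range(-window, window + 1):
        candidate = totp(secret_b32, at_time + step * period, **kw)
        if hmac.compare_digest(candidate, code):
            return True
    return False


if __name__ == "__main__":
    p = parse_otpauth(SAMPLE_URI)
    print(p["label"], "current code:",
          totp(p["secret"], digits=p["digits"], period=p["period"],
               algorithm=p["algorithm"]))
```

Run it with a real Secret key pasted into `totp()` and the printed code should match what FreeOTP or KeePassXC shows at that moment; if it doesn't, the phone's clock is usually the culprit, which is exactly the failure the `window` in `verify()` exists to absorb.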
Resetting and Customizing
To reset someone's MFA, go back to the Per-User MFA page, select their account and click on Manage user settings. Check all three boxes (require the user to provide contact methods again, delete their existing app passwords, and restore MFA on all remembered devices) and click on Save. This signs them out of all of their devices and prompts them to set up MFA again.
To customize things, go to service settings at the top of the Per-User MFA page. Here you can set how long a user may have a device remembered for MFA (meaning they won't be prompted for MFA again on that device), which verification methods are allowed, and whether users may create app passwords. App passwords let legacy clients skip the second factor, so leave them off unless something genuinely needs one. On one client's tenant the app password option didn't show up in the user's account even though it was enabled here; turning it off and back on in service settings made it appear, so that may be needed.