We are currently preparing for Microsoft tophase out its legacy Multi-Factor Authentication (MFA) feature. Office Protect has been using this method to manage MFA. This leads us to look for alternatives for your tenants. We deployed a new setting to that intent: “Enable Security Defaults”.

Security Defaults enable MFA for all your users and disable legacy authentication for your tenant. There is no option to pick which user has MFA with this setting alone. To apply MFA to specific users using modern methods, you need to apply a Conditional Access Policy, which is only available with Microsoft 365 Business Premium.

If you still want the granularity of per-user MFA to enable it for your admins, it is still possible for you to set it through the Admin Portal. Keep in mind that this feature is at its end of life. Microsoft now recommends enabling MFA through Security Defaults, or through Conditional Access Policies. 



What happens to the per-User MFA already applied by Office Protect after the setting is removed?

As we deprecate the setting, we won’t be reverting the settings you already applied with Office Protect. You can validate your per-User MFA setting in the Azure AD portal.

Can I enable both Security Defaults and per-user MFA?

Yes. Microsoft 365 will apply Security Default’s MFA first. If Security Default is disabled, Microsoft 365 will apply per-user MFA if it is configured.

What happens to my settings Profiles in Office Protect?

As we deprecate the setting, we also no longer apply the settings through our Profiles. You do not need to update your profiles.