Warning: This setting will soon be deprecated by Office Protect, and eventually by Microsoft. This feature uses a legacy way of enabling MFA that can now be bypassed by hackers. We recommend that you enable Security Defaults for your tenant, or enable MFA through conditional access policies. See our article on the deprecation of per-user MFA.

This setting activates multi-factor authentication (MFA). Affected users will be asked to submit a temporary code when logging in, using their phone or an app. Activating MFA protects your accounts from breach by requiring additional verification at login. Although activating it for all users is recommended, it may disrupt workflows. Activating it for all Global Admins is seen as a minimum. Guest users are always ignored. This uses the free MFA provided with M365 (per-user MFA).

You can configure one of the following options when you apply Settings:

  • Remove from all users: We disable per-user MFA for all users in your organization.
  • Enable for all admins: We enable per-user MFA for admins in your organization.
  • Enable for all users: We enable per-user MFA for everyone in your organization (except guests).
  • Do not modify (Ignore): We will neither monitor nor attempt to modify the user’s MFA status. We recommend using this in cases where you prefer enabling Conditional Access Policies or Security Defaults for your organization.


For the first 3 options, Office Protect will monitor the per-user MFA status for all users. If the user’s MFA status is different in Microsoft 365 than what was configured in Office Protect, we will update the user as configured in the application and generate an event.
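The drift check described above can be sketched as follows. This is an added example, not Office Protect's code: the policy names, the `User` record and the sample tenant are constructed for illustration, and it assumes that "Enable for all admins" leaves non-admin users untouched.

```python
from dataclasses import dataclass

# Per-user MFA states; "Enabled" and "Enforced" both mean MFA is on.
MFA_ON = {"Enabled", "Enforced"}
POLICIES = {"remove_all", "enable_admins", "enable_all", "ignore"}  # hypothetical names


@dataclass
class User:
    upn: str
    user_type: str   # "Member" or "Guest"
    is_admin: bool
    mfa_state: str   # "Disabled", "Enabled" or "Enforced"


def wants_mfa(policy, user):
    """True = must be on, False = must be off, None = leave untouched."""
    if policy not in POLICIES:
        raise ValueError(f"unknown policy: {policy}")
    if policy == "ignore" or user.user_type == "Guest":
        return None                      # guests are always ignored
    if policy == "remove_all":
        return False
    if policy == "enable_all":
        return True
    # enable_admins: assumption - non-admin users are left as they are
    return True if user.is_admin else None


def reconcile(policy, users):
    """Fix drifted users in place and return one event per change."""
    events = []
    for u in users:
        want = wants_mfa(policy, u)
        if want is None or want == (u.mfa_state in MFA_ON):
            continue                     # out of scope or already compliant
        new_state = "Enabled" if want else "Disabled"
        events.append({"user": u.upn, "from": u.mfa_state, "to": new_state})
        u.mfa_state = new_state
    return events


# Constructed sample tenant
SAMPLE = [
    User("admin@contoso.example", "Member", True, "Disabled"),
    User("alice@contoso.example", "Member", False, "Enforced"),
    User("bob@contoso.example", "Member", False, "Disabled"),
    User("partner@fabrikam.example", "Guest", False, "Disabled"),
]

if __name__ == "__main__":
    for event in reconcile("enable_all", SAMPLE):
        print(event)
```

A second run over the same users returns no events, which is the steady state when nobody changes MFA status outside the tool.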

If you use Security Defaults on your tenant, Multi-Factor Authentication is enabled by default. You can also create more elaborate multi-factor authentication policies through Conditional Access Policies (requires an Azure AD Premium P1 license).

You can find the per-user MFA settings in the Azure AD Center, under Users / Per-user MFA.

The operation to look for in the Unified Audit Logs: Enable Strong Authentication

Per-User MFA: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates

Security Defaults: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults

Conditional Access: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa