Office Protect will enable Security Defaults for your organization. Enabling this setting will:

  • Block any kind of legacy authentication to Microsoft 365. For example, any email client that uses legacy authentication mail protocols such as IMAP, SMTP, or POP3 will no longer be able to connect.
  • Prompt every user to register for MFA to connect.
  • Enforce MFA for admins trying to log in to the admin portals.

You can find the setting in the Azure AD Portal, in the Azure Active Directory/Properties/Manage Security Defaults section.

What if I want a subset of users to be registered for MFA?

With a Microsoft 365 Business Premium (or above) plan, or a standalone Azure AD P1 plan, it is still possible to create Conditional Access policies for a subset of users. It is also still possible to use per-user MFA, although this approach has some drawbacks; see What happened to "Enable Multi-Factor Authentication?"
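
As an illustration of the Conditional Access route, the following added example (not Office Protect's or Microsoft's own script) uses the Microsoft Graph PowerShell SDK to check the Security Defaults state and create a report-only policy requiring MFA for one group. The group ID, the excluded emergency account ID and the display name are placeholders to replace with your own values.

```powershell
# Added example. Assumes the Microsoft.Graph PowerShell SDK is installed and the
# signed-in account is allowed to manage Conditional Access.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess'

# Record whether Security Defaults are currently on before relying on Conditional Access.
$defaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
Write-Output "Security Defaults enabled: $($defaults.IsEnabled)"

# Placeholders: object ID of the group holding the subset of users, and of an
# emergency-access account kept out of the policy to avoid locking yourself out.
$groupId      = '00000000-0000-0000-0000-000000000000'
$breakGlassId = '11111111-1111-1111-1111-111111111111'

$policy = @{
    displayName = 'Require MFA - selected group (example)'
    # Report-only: sign-ins are evaluated and logged, but MFA is not yet enforced.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeGroups = @($groupId)
            excludeUsers  = @($breakGlassId)
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy $($created.Id) in state $($created.State)"
```

Review the report-only results in the sign-in logs before changing the policy state to enabled.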

What happened to "Enable Multi-Factor Authentication?"

Office Protect no longer offers to activate per-user MFA, as this method is about to be deprecated by Microsoft and is no longer the best way to enable multi-factor authentication for your users. If you still want to enable per-user MFA for your organization, you can do so directly in the Microsoft 365 portal.

Microsoft Documentation about Security Defaults:

Microsoft Documentation about Conditional Access Policies:

Microsoft Documentation about Per-User MFA: