What’s New With Multifactor Authentication (And Why It Matters) 

At Regroove, we talk a lot about multifactor authentication (MFA) — and for good reason. When used correctly, multifactor authentication can prevent 99.9% of attacks on your accounts. Cybersecurity, at its core, is a game of cat and mouse, and organizations of all sizes can be targets for bad actors. This virtual arms race means that protocols and recommendations are constantly evolving to stay ahead of the curve. In this article, we explain the changes Microsoft is making to MFA in the Microsoft 365 ecosystem — and how those changes could affect your business.

For more information on MFA and how it can protect your organization, check out our article “What The F Is MFA? Multi-Factor Authentication Questions Answered”.

The Old Method – Per User Multifactor Authentication (MFA)

Per user MFA works exactly as the name suggests – MFA for each account is controlled individually. This method acts like a simple on/off switch: a user is either required to use MFA or is not. On the surface, this sounds like a perfect way to implement multifactor authentication – it gives those responsible for cybersecurity a quick and easy way to enforce MFA for specific users.

Unfortunately, many organizations don’t have the time or expertise to manage MFA user by user — especially larger ones. This approach lacks flexibility, often leading to compliance issues. Without a dedicated IT team, many organizations struggle to keep track of who’s protected. Admins often forget to manage MFA for new or existing users, leaving accounts vulnerable.
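The “who is actually protected?” question raised above can be answered from tenant data rather than memory. The script below is an added example (not Regroove’s or Microsoft’s code) that uses the Microsoft Graph PowerShell SDK to list every user’s MFA registration status and flag administrators who have not registered; the module being installed and the two Graph permission scopes named in the script are assumptions.

```powershell
# Added example: audit MFA registration coverage across a Microsoft 365 tenant.
# Assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in
# admin can consent to the scopes below (assumed scopes for the registration report).
Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All"

# One record per user: IsMfaRegistered, IsMfaCapable, IsAdmin, MethodsRegistered, ...
$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

$notRegistered       = @($details | Where-Object { -not $_.IsMfaRegistered })
$adminsNotRegistered = @($notRegistered | Where-Object { $_.IsAdmin })

Write-Host ("{0} of {1} users are registered for MFA" -f ($details.Count - $notRegistered.Count), $details.Count)

# Admin accounts without MFA are the highest-risk gap, so surface them first.
if ($adminsNotRegistered.Count -gt 0) {
    Write-Warning ("{0} admin account(s) have no MFA registration:" -f $adminsNotRegistered.Count)
    $adminsNotRegistered | Select-Object UserPrincipalName, MethodsRegistered | Format-Table -AutoSize
}

# Export the full gap list so it can be tracked to closure (file name is illustrative).
$notRegistered |
    Select-Object UserPrincipalName, IsAdmin, IsMfaCapable, MethodsRegistered |
    Export-Csv -Path ".\mfa-not-registered.csv" -NoTypeInformation
```

Run this before and after a registration campaign; the count of unregistered admins should reach zero before any policy that requires MFA is switched from report-only to enforced.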

The New Method – Conditional Access Policies (CAP)

Microsoft’s Conditional Access Policies (CAP) provide a smarter way to manage MFA. These rules control how users access resources within a Microsoft 365 tenant. Admins can create policies that apply to individuals, groups, or even the entire organization. Conditional Access Policies offer broad flexibility — from strict rules like “only users at the office IP address can access SharePoint,” to broad ones like “all users must use MFA and re-authenticate every 90 days.”

When implemented well, CAPs scale easily and adapt to an organization’s needs. (Please note: CAP is not included in all licenses; additional add-on licensing may be required.)

Migrating From Per User Multifactor Authentication (MFA) to Conditional Access Policies (CAP)

Here’s why this matters to you: Microsoft will be retiring per user MFA on September 30, 2025. Starting October 1, 2025, organizations that haven’t moved to Conditional Access Policies may lose MFA protection altogether.

If you already have the right licensing, Microsoft might apply default MFA policies for your organization. These default rules tend to be generic: they often don’t fit every organization and can disrupt daily operations. To prevent these potential disruptions and ensure your tenancy is well protected, we recommend working with an expert like Regroove to help assess your environment and complete the migration prior to the September 30 deadline.

Security Defaults 

Microsoft introduced Security Defaults to help smaller organizations transition away from per user MFA. These defaults offer a free and simplified way to enforce multifactor authentication across your tenant. Security Defaults run a registration campaign, asking all users within the organization to register for MFA. They then enforce MFA for the accounts Microsoft deems important – namely, those with administrative privileges.

However, this system has two disadvantages (at the time of writing): 

  1. User accounts with administrative privileges must re-authenticate with MFA each time they sign in, which can be cumbersome for users.
  2. User accounts with no administrative privileges DO NOT receive MFA prompts in most cases, even though they have registered for MFA. This gives users a false sense of security and leaves their accounts vulnerable to bad actors.

Note: When you create even one Conditional Access Policy, even if Microsoft created it, Security Defaults turn off automatically. You can’t use both systems at the same time.
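To make the Conditional Access section and the Security Defaults note above concrete, here is an added example (not Regroove’s or Microsoft’s code) that creates the two policies the article uses as illustrations, the “all users must use MFA and re-authenticate every 90 days” rule and the “only the office IP address can access SharePoint” rule, using the Microsoft Graph PowerShell SDK. It first checks whether Security Defaults are still on, since creating the first policy will turn them off. The break-glass group id and the office Named Location id are placeholders you must replace; the SharePoint application id is Microsoft’s first-party Office 365 SharePoint Online app id; the permission scopes are assumptions.

```powershell
# Added example: create two Conditional Access policies in report-only mode.
# Assumes the Microsoft.Graph PowerShell SDK and an admin able to grant these scopes.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$breakGlassGroupId = "<object id of your emergency-access account group>"   # placeholder
$officeLocationId  = "<id of a Named Location that lists the office IPs>"  # placeholder
$sharePointAppId   = "00000003-0000-0ff1-ce00-000000000000"                 # Office 365 SharePoint Online (first-party app)

# Caveat from the article: once even one CA policy exists, Security Defaults turn off.
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($sd.IsEnabled) {
    Write-Warning "Security Defaults are ON. Creating a Conditional Access policy disables them, so make sure admins are covered by the new policies before you enforce them."
}

# Policy 1: "all users must use MFA and re-authenticate every 90 days".
# Emergency-access accounts are excluded so a misconfiguration cannot lock everyone out.
$mfaAll = @{
    displayName = "CA01 - Require MFA for all users, sign-in frequency 90 days"
    state       = "enabledForReportingButNotEnforced"   # report-only first; switch to "enabled" after reviewing sign-in logs
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls   = @{ operator = "OR"; builtInControls = @("mfa") }
    sessionControls = @{
        signInFrequency = @{ isEnabled = $true; type = "days"; value = 90 }
    }
}

# Policy 2: "only users at the office IP address can access SharePoint".
# Expressed as a block on SharePoint from every location except the office Named Location.
$spOfficeOnly = @{
    displayName = "CA02 - Block SharePoint outside the office network"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @($sharePointAppId) }
        locations      = @{ includeLocations = @("All"); excludeLocations = @($officeLocationId) }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

foreach ($policy in @($mfaAll, $spOfficeOnly)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host ("Created '{0}' ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State)
}
```

Both policies start in report-only mode, which is the balance the article is asking for: you can see in the sign-in logs which users would have been prompted or blocked, tune the scope, and only then flip the state to enabled.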

Balancing security with productivity is tricky. Too many policies slow down your team, but too few can expose your business to risk.

We help organizations design effective MFA strategies that secure their environment without adding friction. Our experts will work with you to build a clear, customized plan for deploying MFA across your team. Fill out the form below and let’s talk about your MFA plan.