All articles
CybersecurityMFAMicrosoft 365

What's New With Multifactor Authentication and Why It Matters

Regroove IT Consulting5 min read600 words

Multifactor authentication has been the most important security control available to Microsoft 365 organizations for years. How it gets configured and managed is changing, and the change matters for any organization that has not yet updated its approach.

Per-User MFA vs. Conditional Access Policies

Historically, many organizations enabled MFA through per-user settings in the Microsoft 365 admin center. This method assigns MFA directly to individual user accounts. It works, but it lacks flexibility: the same rules apply to every user regardless of their location, device, or risk level.

Conditional Access Policies, available with Microsoft Entra ID (formerly Azure Active Directory) P1 licensing and above, provide far more control. Policies can require MFA based on factors like whether the user is signing in from outside the corporate network, from an unmanaged device, or from a high-risk location. They can also allow trusted devices to skip MFA for sign-ins that fit a known safe pattern, reducing friction for employees without reducing security.

The September 2025 Retirement Deadline

Microsoft announced the retirement of per-user MFA management for Microsoft 365. Organizations still using per-user MFA settings were directed to migrate to Conditional Access Policies before the retirement date to maintain consistent MFA enforcement.

For organizations that had not yet made this transition, the deadline created urgency. The retirement does not mean MFA stops working for existing users immediately, but it means the management method changes and organizations without Conditional Access Policies in place need to act.

Security Defaults as a Baseline

For organizations on entry-level Microsoft 365 plans that do not include Entra ID P1, Microsoft's Security Defaults provide a simpler alternative. Security Defaults enable MFA for all users, block legacy authentication protocols, and require MFA for administrator accounts. They are an on/off toggle rather than a configurable policy framework.

Security Defaults do not offer the flexibility of Conditional Access Policies, but they provide strong baseline protection and are significantly better than no MFA enforcement at all.

What This Means for Your Organization

If your organization is currently using per-user MFA, now is the time to review your licensing and transition to Conditional Access Policies. If you are on an entry-level plan without P1 licensing, ensure Security Defaults are enabled. If neither is in place, MFA enforcement should be your immediate security priority.

The organizations most at risk are those that enabled MFA some time ago and have not reviewed their configuration since. The landscape has changed, and an approach that was adequate two years ago may not be aligned with Microsoft's current direction or your organization's current risk profile.

Regroove IT Consulting

Microsoft Solutions Partner specializing in Managed IT Services and Modern Work, covering Microsoft 365, Teams, SharePoint, Power Platform, and Azure. Helping organizations everywhere get lasting value from their Microsoft investment since 1993.

About Regroove →

Need help with your Microsoft environment?

We work with organizations everywhere. Tell us where you are and what you're trying to solve.

Talk to Regroove