Azure AD Security Defaults Mandate Multi-Factor

• New AAD security defaults require comprehensive use of Azure MFA and require work by users and administrators to ensure account access.
• There are no licenses required, and no additional fees, but Azure MFA will offer limited capabilities.

Beginning in Oct. 2019, Microsoft began rolling out a new security model for Azure Active Directory (AAD) accounts in new tenancies, mandating the use of Azure Multi-Factor Authentication (MFA) for all user and administrator authentications and blocking legacy authentication attempts. Microsoft recommends that administrators enable these defaults for existing tenancies as well. 

MFA and Other Requirements

Security defaults include the following:

Azure MFA required for users: Once a user signs in to their AAD tenancy for the first time, they have 14 days to configure and begin using Azure MFA for all authentications. They will be unable to sign in after 14 days if Azure MFA has not been configured. Users without AAD Premium P1 subscriptions will have to install and use the Microsoft Authenticator mobile software to receive sign-in codes. AAD Premium P1 users can continue to also use text messages, phone calls, and other Azure MFA features.