- Pick security defaults or Conditional Access for MFA, never both.
- Enable self-service password reset and run a registration campaign before hard enforcement.
- Disable expiration in the right place: the cloud setting versus on-prem Active Directory.
- Verify there are no users or service accounts quietly skipping MFA.
Two of the highest-value security changes a small business can make in Microsoft 365 are turning on multi-factor authentication (MFA, a second proof of identity beyond the password) for everyone, and turning off forced periodic password changes. Those two pull in opposite directions from old habits, but current guidance from Microsoft and security agencies is clear: MFA stops the vast majority of account takeovers, and forcing people to change passwords every 90 days just pushes them toward weaker, predictable passwords. This guide is for the admin who wants both done correctly, with no quiet exceptions hiding in a corner. By the end, MFA will be required for all users, self-service password reset will be live, password expiration will be off in the right place, and you'll have verified enforcement.
Before you start
- Global Administrator access, with your own admin account already protected by MFA.
- A break-glass emergency access account that you'll exclude from enforcement, so a misfire can't lock everyone out.
- A decision on the enforcement tool: security defaults (one switch, good for simple tenants) or Conditional Access (more control, needs Microsoft Entra ID P1, included in Business Premium). You can't run both at once.
- A short heads-up to your users that they'll be asked to register a second factor.
Step 1: Choose security defaults or Conditional Access
These are the two ways to require MFA, and they're mutually exclusive.
- Security defaults: a single on/off in Microsoft Entra ID that requires MFA for everyone and blocks legacy authentication. Best for very small or simple tenants with no need for exceptions.
- Conditional Access: a set of policies you author, giving you control over who, what, and under which conditions. Best if you have Business Premium and want, for example, to exclude the break-glass account or treat trusted locations differently.
Pick one. If you turn on Conditional Access policies, you must turn security defaults off, and vice versa. For most Business Premium clients we use Conditional Access because of the break-glass exclusion and the fine control.
Step 2: Turn on MFA enforcement
If you chose security defaults
- Go to the Microsoft Entra admin center (entra.microsoft.com).
- Navigate to Identity, then Overview, then Properties.
- Select Manage security defaults.
- Set Security defaults to Enabled, and save.
Everyone now gets prompted to register MFA at next sign-in.
If you chose Conditional Access
- In the Microsoft Entra admin center, go to Protection, then Conditional Access.
- Create a new policy named something like "Require MFA for all users."
- Under Users, include All users, and under Exclude, add your break-glass account.
- Under Target resources, select All cloud apps.
- Under Grant, select Require multifactor authentication.
- Set Enable policy to Report-only first, save, and watch the results for a day or two before flipping to On.
Always start a new Conditional Access policy in report-only mode. Report-only logs what the policy would have done without actually blocking anyone, so you can catch a mistake (like accidentally including a service account that can't do MFA) before it locks people out. Flip to On only after the logs look clean.
Step 3: Enable self-service password reset (SSPR)
SSPR lets people reset their own password after proving identity, which both reduces help-desk load and pairs naturally with retiring forced resets.
- In the Microsoft Entra admin center, go to Protection, then Password reset.
- Under Properties, set Self-service password reset enabled to All (or to a pilot group first).
- Under Authentication methods, require at least two methods, for example the Microsoft Authenticator app and a phone or email.
- Save.
Step 4: Run a registration campaign
So people set up their second factor before they're forced to, nudge them with a registration campaign.
- In the Microsoft Entra admin center, go to Protection, then Authentication methods, then Registration campaign.
- Set the state to Enabled and target all users (or a pilot group).
- This prompts users to set up the Microsoft Authenticator app during sign-in, ahead of any hard enforcement.
Run the registration campaign for a week before you flip MFA enforcement from report-only to On. Letting people register on their own schedule turns a potential flood of confused help-desk calls into a quiet, gradual rollout. By the time enforcement goes live, most of your team is already set up.
Step 5: Retire password expiration in the right place
This is the step people get wrong, because there are two different places passwords can expire.
For cloud-only accounts
Set the Microsoft 365 password expiration policy so passwords never expire.
- In the Microsoft 365 admin center (admin.microsoft.com), go to Settings, then Org settings, then Security & privacy.
- Select Password expiration policy.
- Check Set passwords to never expire, and save.
This is the supported, point-and-click way for cloud accounts. (The older MSOnline PowerShell command for this is being retired; the modern equivalent if you script it is the Microsoft Graph PowerShell cmdlet that updates the domain's password validity period.)
For accounts synced from on-prem Active Directory
If your accounts come from an on-premises Active Directory through directory sync, the Microsoft 365 setting above does not control them. The expiration is set by your on-prem Group Policy or fine-grained password policy in Active Directory. Change it there, not in the cloud, or your synced users will keep expiring no matter what the cloud setting says.
Step 6: Verify enforcement with no quiet exceptions
The whole point is that there are no gaps. Check for them.
- Sign in as an ordinary test user (not an admin, not the break-glass account) and confirm you're prompted for MFA.
- In the Microsoft Entra admin center, open Sign-in logs and filter for sign-ins where MFA was not applied. Investigate anyone showing up there.
- Check for legacy authentication, the old protocols that bypass MFA. Block them with a Conditional Access policy if you haven't already, since security defaults block them automatically.
- Run the authentication methods activity report to confirm registration coverage. Anyone not registered is a gap.
- Confirm only the break-glass account is excluded from the MFA policy, and that nothing else snuck onto the exclusion list.
If you find a user or service account quietly skipping MFA, that's your weak link. Either bring it into MFA or, for a service account that genuinely can't, replace it with a more modern credential and document why.
What to do next
With MFA on for everyone, SSPR live, and password expiration retired in the correct place, you've closed the two biggest everyday gaps in a Microsoft 365 tenant. The natural next step is to expand your Conditional Access set: block legacy authentication explicitly, require compliant devices for sensitive apps, and add named locations. Our Conditional Access starter policies guide covers exactly that. If you'd like us to roll this out and verify there are no hidden exceptions, that's a common engagement for us, so reach out and we'll handle it with you.