Glossary
MFA
Multi-factor authentication — proving identity with more than just a password.
Multi-factor authentication (MFA) requires users to prove their identity with at least two of the following factors: something they know (a password), something they have (a phone, token, or FIDO2 key), or something they are (a biometric). In Microsoft 365, MFA is enforced through Microsoft Entra ID, with the Microsoft Authenticator app as the recommended verifier. Supported methods include push notifications, one-time passcodes, FIDO2 security keys, Windows Hello for Business, and (now discouraged) SMS or voice calls. MFA blocks the vast majority of credential-based attacks and is the single most important security control to enable for every user, including admins.