Lab 08 - Enable multi-factor authentication
Login type = Microsoft 365 + E5 tenant log-in
Lab scenario
To improve security in your organization, you’ve been directed to enable multifactor authentication for Microsoft Entra ID.
Estimated time: 15 minutes
IMPORTANT - A Microsoft Entra ID Premium license is required for this exercise.
Exercise 1 - Review and enable Multi-factor Authentication in Azure
Task 1 - Review Azure Multi-Factor Authentication options
-
Browse to Microsoft Entra admin center at
https://entra.microsoft.comusing a Global administrator account.Note: You may be prompted to complete Multi-Factor Authentication (MFA) during sign-in. Follow the prompts to configure or verify your authentication method before continuing.
-
Use the search feature and search for multifactor.
-
In the search results, select Multifactor authentication.
Alternatively, in the left navigation, under Entra ID, select Multifactor authentication.
-
On the Getting started page, under Configure, select Additional cloud-based multifactor authentication settings.

-
In the new browser page, you can see the MFA options for Azure users and service settings.

This is where you would select the supported authentication methods, in the screen above, all of them are selected.
You can also enable or disable app passwords here, which allow users to create unique account passwords for apps that don’t support multi-factor authentication. This feature lets the user authenticate with their Microsoft Entra identity using a different password specific to that app.
Task 2 - Setup Conditional Access rules for MFA for Delia Dennis
Next let’s examine how to set up Conditional Access policy rules that would enforce MFA for guest users accessing specific apps on your network.
-
Switch back to the Microsoft Entra admin center, in the left navigation, under Entra ID, select Conditional Access.
-
On the menu, Select + New policy.

-
In the Name box, enter MFA_for_Delia.
-
Under Assignments, in the Users or agents (Preview) section, select 0 users or agents (Preview) selected.
-
On the Include tab, mark Select users and groups, then select the Users and groups check box.
-
In the Select users and groups pane, select Delia Dennis account and then select Select.
-
In the Target resources section, select No target resources selected.
-
In the dropdown, make sure Resources (formerly cloud apps) is selected.
-
In the Include tab, select Select resources, then in the Select specific resources select None.
-
In the Resources pane, search for Office 365, then select it.
- Reminder - in a previous lab we gave Delia Dennis an Office 365 license and logged into ensure it worked.
-
Under Network, select Not configured, then set Configure to Yes.
-
In the Include tab, select Any network or location.
Note: You can also configure network locations under Conditions > Locations. Both options open the same configuration pane.
-
Under Access controls, in the Grant section, select 0 controls selected.
-
Select the Require multifactor authentication check box to enforces MFA.
-
Ensure that Require all the selected controls is selected, then select Select.
-
Set Enable policy to On.
-
Select the Create button to create the policy.

MFA is now enabled for your selected user and application(s). The next time a guest tries to sign into that app they will be prompted to register for MFA.
Task 3 - Test Delia’s login
-
Open a new InPrivate Browsing windows.
-
Connect to Office at
https://www.office.com. -
Select the sign-in option.
-
Enter
DeliaD@<your domain address>. -
Enter the password = Enter the Global admin password of the tenant (Note : Refer the ‘Lab Resources’ tab to retrieve the admin password).
Note: At this point one of two things will happen. You should get a message that you need to set up Authenticator app and register for MFA. Follow the prompts to complete using your personal phone. NOTE - there is a chance that you might get a login failure message with several options on how to proceed. Select the Try Again option in this case.
You can see that because of the Conditional Access rule we created for Delia, MFA is required to launch Office 365 home page.
Exercise summary
In this exercise, you reviewed Microsoft Entra MFA options and created a Conditional Access policy that requires MFA for a target user. This exercise showed the methods available to protect sign-ins with multifactor authentication.
Exercise 2 - Configure MFA to be required for login
Task 1 - Configure Microsoft Entra Per-User MFA
Finally, let’s look at how to configure MFA for user accounts. This is another way to get to the multi-factor auth settings.
-
Switch back to the Microsoft Entra admin center.
-
In the left navigation menu, under Entra ID, select Users, then select All users.
-
At the top of the Users pane, select Per-user MFA.
Note: you may have to use the ellipsis (…) to get to the Per-user MFA menu item.

-
A new browser tab/window will open with a multi-factor authentication user settings dialog.
You can enable or disable MFA on a user basis by selecting a user and then using the quick steps on the right side.

-
Select Adele Vance with a check-mark.
-
Select the Enable MFA option under quick steps.
-
Read the notification popup if you get it, then select Enable.
-
Select Close.
-
Notice that Adele now has Enabled as her MFA status.
-
You can select Service settings to see the MFA setting screen, seen earlier in the lab.
-
Close the MFA setting tab.
Task 2 – Try logging in as Adele
- If you want to see another example of MFA login process, you can try to log in a Adele.
Exercise summary
In this exercise, you enabled per-user MFA for a user and tested the sign-in challenge. This exercise showed how MFA strengthens authentication and protects against credential compromise.