Features and licenses for Microsoft Entra multifactor authentication

To protect user accounts in your organization, multifactor authentication should be used. This feature is especially important for accounts that have privileged access to resources. Basic multifactor authentication features are available to Microsoft 365 and Microsoft Entra ID users and administrators for no extra cost. If you want to upgrade the features for your admins or extend multifactor authentication to the rest of your users with more authentication methods and greater control, you can enable Microsoft Entra multifactor authentication by using Conditional Access. For more information, see Common Conditional Access policy: Require MFA for all users.

Important

This article details the different ways that Microsoft Entra multifactor authentication can be licensed and used. For specific details about pricing and billing, see the Microsoft Entra pricing page.

Available versions of Microsoft Entra multifactor authentication

Microsoft Entra multifactor authentication can be used, and licensed, in a few different ways depending on your organization's needs. All tenants are entitled to basic multifactor authentication features by using security defaults. You may already be entitled to use advanced Microsoft Entra multifactor authentication depending on the license you currently have. For example, the first 50,000 monthly active users in Microsoft Entra External ID can use MFA and other Premium P1 or P2 features for free. For more information, see Azure Active Directory B2C pricing.

The following table details the different ways to get Microsoft Entra multifactor authentication and some of the features and use cases for each.

If you're a user of Capabilities and use cases
Microsoft 365 Business Premium and EMS or Microsoft 365 E3 and E5 EMS E3, Microsoft 365 E3, and Microsoft 365 Business Premium includes Microsoft Entra ID P1. EMS E5 or Microsoft 365 E5 includes Microsoft Entra ID P2. You can use the same Conditional Access features noted in the following sections to provide multifactor authentication to users.
Microsoft Entra ID P1 You can use Microsoft Entra Conditional Access to prompt users for multifactor authentication during certain scenarios or events to fit your business requirements.
Microsoft Entra ID P2 Provides the strongest security position and improved user experience.
All Microsoft 365 plans Microsoft Entra multifactor authentication can be enabled for all users using security defaults. Management of Microsoft Entra multifactor authentication is through the Microsoft 365 portal. For an improved user experience, upgrade to Microsoft Entra ID P1 or P2 and use Conditional Access. For more information, see secure Microsoft 365 resources with multifactor authentication.
Office 365 free
Microsoft Entra ID Free
You can use security defaults to prompt users for multifactor authentication as needed but you don't have granular control of enabled users or scenarios, but it does provide that additional security step.

Feature comparison based on licenses

The following table provides a list of the features that are available in the various versions of Microsoft Entra ID for multifactor authentication. Plan out your needs for securing user authentication, then determine which approach meets those requirements. For example, although Microsoft Entra ID Free provides security defaults that provide Microsoft Entra multifactor authentication where only the mobile authenticator app can be used for the authentication prompt. This approach may be a limitation if you can't ensure the mobile authentication app is installed on a user's personal device. See Microsoft Entra ID Free tier later in this topic for more details.

Feature Microsoft Entra ID Free - Security defaults (enabled for all users) Microsoft Entra ID Free - Global Administrators only Office 365 Microsoft Entra ID P1 Microsoft Entra ID P2
Protect Microsoft Entra tenant admin accounts with MFA ● (Microsoft Entra Global Administrator accounts only)
Mobile app as a second factor
Phone call as a second factor
Text message as a second factor
Admin control over verification methods
Fraud alert
MFA Reports
Custom greetings for phone calls
Custom caller ID for phone calls
Trusted IPs
Remember MFA for trusted devices
MFA for on-premises applications
Conditional Access
Risk-based Conditional Access

Compare multifactor authentication policies

Our recommended approach to enforce MFA is using Conditional Access. Review the following table to determine what capabilities are included in your licenses.

Policy Security defaults Conditional Access Per-user MFA
Management
Standard set of security rules to keep your company safe
One-click on/off
Included in Office 365 licensing (See license considerations)
Pre-configured templates in Microsoft 365 Admin Center wizard
Configuration flexibility
Functionality
Exempt users from the policy
Authenticate by phone call or text message
Authenticate by Microsoft Authenticator and Software tokens
Authenticate by FIDO2, Windows Hello for Business, and Hardware tokens
Blocks legacy authentication protocols
New employees are automatically protected
Dynamic MFA triggers based on risk events
Authentication and authorization policies
Configurable based on location and device state
Support for "report only" mode
Ability to completely block users/services

Microsoft Entra ID Free tier

All users in a Microsoft Entra ID Free tenant can use Microsoft Entra multifactor authentication by using security defaults. The mobile authentication app can be used for Microsoft Entra multifactor authentication when using Microsoft Entra ID Free security defaults.

You enable Microsoft Entra multifactor authentication in one of the following ways, depending on the type of account you use:

Next steps