DEV Community

Oladosu Ibrahim

Strengthening Identity Security: Performing Basic Multifactor Authentication (MFA) Tasks

Introduction

Passwords alone are no longer enough to keep accounts secure. Cyber threats continue to grow, and attackers often try to steal or guess credentials to gain unauthorized access. This is where Multifactor Authentication (MFA) becomes essential. MFA adds an extra layer of security by requiring users to verify their identity with a second factor—like a phone notification, code, or trusted device—before granting access.

In this walkthrough, you’ll learn how to set up and configure basic MFA tasks in Microsoft Entra ID. The exercise includes enabling per-user MFA, reviewing service settings, and configuring account lockout policies to protect against suspicious activities.

Skilling Objectives

By completing this lab, you will learn how to:

  • Enable and manage per-user MFA.
  • Configure MFA service settings to suit your organization’s needs.
  • Set account lockout rules to protect against repeated unauthorized attempts.

Step 1: Enable / Disable Per-user MFA Settings

  1. Open the Microsoft Entra admin center at https://entra.microsoft.com.
  2. Log in using your tenant credentials.
  3. From the menu on the left, open the Identity submenu.
  4. Select Users, then All users.
  5. At the top of the page, select Per-user MFA.

  6. Place a checkmark next to Bhogeswar Kalita.

  7. Select Enable MFA from the list.

  8. A message box will appear with an optional setup URL you can share with the user.

  9. Click Enable.

  10. After a few seconds, notice that Enforced now appears next to Bhogeswar’s name.

Step 2: Review the Service Settings for MFA

  1. In the Entra admin center, go to the Identity submenu again.
  2. Select Users, then All users.
  3. Open the Per-user MFA option.
  4. Select Service settings.

  5. Review the following configurable options:

  • App passwords: Allow legacy apps to work with MFA.
  • Trusted IPs: Define safe IP ranges where MFA can be bypassed.
  • Verification options: Choose which second-factor methods users can use (phone call, mobile app, etc.).
  • Remember MFA on trusted device: Allow users on trusted devices to skip re-authentication for a set number of days.
  6. If no changes are required, select Discard to exit.

Step 3: Configure MFA Account Lockout Settings

  1. In the Entra admin center, open the Protection submenu.
  2. Scroll down and select Show more.
  3. Choose Multifactor authentication, then select Account lockout.
  4. Set the following values:
  • Number of MFA denials to trigger account lockout: 3
  • Minutes until account lockout counter is reset: 180
  • Minutes until account is automatically unblocked: 15
  5. Select Save to apply the settings.
  6. Review additional MFA options such as Fraud alert, Block/unblock users, and Notifications for stronger security management.
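
To see how the three values from Step 3 interact, here is a small model that replays MFA prompt results and reports when a lockout would start and end. It is an added example, not part of the original lab or Microsoft's code. The event list is constructed sample data, and the counting rules (reset window measured from the last denial, prompts during a block not counted) are simplifying assumptions.

```python
from datetime import datetime, timedelta

# Values entered in Step 3 of the walkthrough.
DENIALS_TO_LOCK = 3
COUNTER_RESET = timedelta(minutes=180)
AUTO_UNBLOCK = timedelta(minutes=15)

def replay(events):
    """Replay (time, user, result) MFA events; return [(user, locked_at, unblocked_at)]."""
    state = {}     # user -> (denial count, time of last denial, blocked until)
    lockouts = []
    for ts, user, result in sorted(events):
        count, last_denial, blocked_until = state.get(user, (0, None, None))
        if blocked_until and ts < blocked_until:
            continue                      # assumption: prompts during a block are not counted
        if last_denial and ts - last_denial >= COUNTER_RESET:
            count = 0                     # assumption: reset window runs from the last denial
        if result == "approved":
            count, last_denial = 0, None  # denials must be consecutive to add up
        elif result == "denied":
            count, last_denial = count + 1, ts
            if count >= DENIALS_TO_LOCK:
                blocked_until = ts + AUTO_UNBLOCK
                lockouts.append((user, ts, blocked_until))
                count, last_denial = 0, None
        state[user] = (count, last_denial, blocked_until)
    return lockouts

def at(hhmm):
    """Build a timestamp on a constructed sample day; only the clock time varies."""
    return datetime.strptime("2025-01-06 " + hhmm, "%Y-%m-%d %H:%M")

# Constructed sample events, not real sign-in log data.
SAMPLE_EVENTS = [
    (at("09:00"), "alice", "denied"), (at("09:05"), "alice", "denied"),
    (at("09:10"), "alice", "denied"),   # third denial in a row: locked until 09:25
    (at("09:20"), "alice", "denied"),   # inside the 15-minute block
    (at("09:30"), "alice", "denied"),   # after unblock, counter starts again at 1
    (at("09:00"), "bob", "denied"), (at("10:00"), "bob", "denied"),
    (at("13:30"), "bob", "denied"),     # 210 minutes later: counter already reset
    (at("09:00"), "carol", "denied"), (at("09:01"), "carol", "denied"),
    (at("09:02"), "carol", "approved"), (at("09:03"), "carol", "denied"),
]

if __name__ == "__main__":
    for user, locked_at, unblocked_at in replay(SAMPLE_EVENTS):
        print(f"{user}: locked {locked_at:%H:%M}, unblocked {unblocked_at:%H:%M}")
```

Changing the three constants and replaying the same events shows how a shorter reset window or a longer unblock time alters which users end up locked.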

Why Are We Performing MFA Tasks?

Performing MFA tasks is essential because it ensures that even if a password is stolen or guessed, attackers cannot gain access without the second factor of authentication. It provides stronger identity protection, reduces the risk of unauthorized access, and helps organizations maintain compliance with security best practices. MFA is one of the most effective ways to defend against phishing, password theft, and unauthorized logins.

Conclusion

In this exercise, you enabled per-user MFA, reviewed MFA service settings, and configured account lockout policies. By adding MFA to your organization’s identity management strategy, you provide users with stronger protection while keeping attackers at bay. This simple yet powerful layer of security greatly improves the overall resilience of your Microsoft Entra environment.
