
Streamline Your MFA Hardening Project: Migrating to Security Defaults and Conditional Access Policies in M365

Microsoft is deprecating Per-User MFA in September 2025. MSPs have the choice between upgrading their Microsoft tenants’ MFA security to Security Defaults or Conditional Access Policies. In this post, we’ll cover the strengths of each and how to get started with your MFA hardening/migration project.

Here’s a quick rundown of your current MFA options for M365:

Traditional Per-User Multifactor Authentication

Traditional Per-User Multifactor Authentication (MFA) is likely the method of MFA most of your clients are currently using. Per-User MFA involves enabling MFA for individual user accounts separately (Wooo Microsoft Portals). Although it enhances security, this approach has notable drawbacks. It isn’t universally applied and fails to consider different user roles or access contexts, leading to inconsistencies in security enforcement. It’s without a doubt better than no MFA requirements, but it is being deprecated in 2025 for a reason.

Security Defaults

Security Defaults bundle many settings together and provide decent overall security. They will enforce MFA on all accounts after a 14-day period, but they are non-customizable. When you apply Security Defaults to a tenant, every account inherits all the default options, leaving no way to pick and choose settings. Security Defaults are notorious for locking out someone, somewhere (think legacy systems). If you’ve got a million tenants that need a coverall, Security Defaults will do the trick, but it’s best to strive for Conditional Access Policies.

Conditional Access Policies

Conditional Access Policies provide a more refined, context-sensitive authentication method. They assess various factors, including user location, device status, network conditions, and access time, before granting access, and adjust authentication requirements based on the assessed risk, improving both security and user experience. Unlike the traditional method, Conditional Access is applied to groups, ensuring all users meet the conditions unless specifically exempted. This minimizes security gaps and streamlines compliance and reporting. For example, you can block sign-ins from every country except your client’s home country, which alone will prevent a lot of security breaches from happening. While Security Defaults provide broad security coverage, they lack the flexibility and precision of Conditional Access Policies, making the latter a superior choice for tailored security needs.
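One way to express the country block and an all-users MFA requirement as Conditional Access policies with the Microsoft Graph PowerShell SDK (an added example, not from the original post or from Augmentt). The country code, display names and emergency-access group ID are placeholders; both policies are created in report-only mode so nobody is locked out while you review the results.

```powershell
# Added example. Requires the Microsoft Graph PowerShell SDK and an admin who can
# consent to the scopes below. All names and IDs here are placeholders.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess'

$HomeCountry     = 'CA'                             # placeholder: ISO 3166-1 alpha-2 code
$BreakGlassGroup = '<break-glass-group-object-id>'  # placeholder: exempted emergency accounts

# 1. Named location that contains only the client's home country.
#    Sign-ins whose country cannot be resolved are NOT treated as "home".
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type'                     = '#microsoft.graph.countryNamedLocation'
    displayName                       = 'Home country'
    countriesAndRegions               = @($HomeCountry)
    includeUnknownCountriesAndRegions = $false
}

# Shared targeting: every user and every app, minus the exempted group.
function New-BaseConditions {
    @{
        clientAppTypes = @('all')
        users          = @{ includeUsers = @('All'); excludeGroups = @($BreakGlassGroup) }
        applications   = @{ includeApplications = @('All') }
    }
}

# 2. Block sign-ins from every location except the named one.
$geoConditions = New-BaseConditions
$geoConditions.locations = @{
    includeLocations = @('All')
    excludeLocations = @($location.Id)
}
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'Block sign-ins outside home country'
    state         = 'enabledForReportingButNotEnforced'   # report-only
    conditions    = $geoConditions
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# 3. Require MFA for all users (the replacement for Per-User MFA).
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'Require MFA for all users'
    state         = 'enabledForReportingButNotEnforced'   # report-only
    conditions    = (New-BaseConditions)
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}
```

Report-only results appear in the sign-in logs for each policy; once they show no unexpected blocks (legacy systems, travelling users), change `state` to `enabled`.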

Starting Your MFA Hardening/Migration Project

If you’ve ever used traditional methods, you know how time-consuming it can be to configure MFA for a single tenant, let alone for all of your clients. While enabling Entra ID Per User isn’t particularly difficult for a technician, the real challenge is identifying which users are still using legacy MFA. Without that information, where do you even start?

M365 doesn’t have any built-in features to provide a comprehensive report on account protection. While it’s possible to manually check each Microsoft portal and track everything in a spreadsheet, there are certainly better ways for your technicians to spend their time. Getting a targeted list before starting is crucial – and this is where Augmentt can save you loads of time!

Knowing Who to Migrate

Assuming your tenants are already on-boarded to Augmentt, navigate to Secure on the left side menu and run the MFA report. The report will give you a detailed view of who and how many users are or aren’t protected by Conditional Access Policies, Per-User MFA, and Security Defaults. This will give you the exact list of tenants and end-users across all your clients that need to be migrated to either a Conditional Access Policy or a Security Default.

Beat the deadline

Use your MFA report as a list of tenants that need to be migrated before September 2025. If you’re not currently an Augmentt customer, you can still run our free threat report, which will tell you how many accounts are NOT protected by MFA. The free report will give a good sense of where your M365 security stands today and how much or little work you have ahead of you.

Levi Rose
