Admin accounts in Microsoft 365 have the highest level of access and are the primary target for phishing and credential-theft attacks. To protect these privileged accounts, Microsoft strongly recommends enabling Two-Factor Authentication (2FA), also known as Multi-Factor Authentication (MFA).
This article explains, step by step, how to add and enforce 2FA for Admin users in Microsoft 365 Business Basic using the modern and secure method via Conditional Access.
2FA adds an extra layer of security beyond the password. After entering the password, the admin must verify their identity using one of:
- A mobile OTP (SMS or voice call), or
- Approval from the Microsoft Authenticator app
Even if a password is compromised, attackers cannot access the account without the second factor.
Why it matters:
- Prevents unauthorized access
- Protects against phishing attacks
- Required for Microsoft security compliance
- Reduces the risk of tenant takeover
- Recommended by the Microsoft Security Baseline
Before starting, ensure:
- You are signed in as a Global Administrator
- A Microsoft 365 Business Basic license is active
- The admin user has access to a mobile phone
- You have internet access to the Microsoft 365 Admin Center
Open a browser, go to https://admin.microsoft.com and sign in using your admin credentials. Then:
- In the left menu, click Show all
- Select Identity
- You will be redirected to the Microsoft Entra Admin Center
Microsoft Entra is the new name for Azure Active Directory.
Go to Users → All users, select the admin account and confirm its role is Global Administrator or Security Administrator.
Add a phone method:
- Open Authentication methods
- Click + Add authentication method
- Select Phone
- Choose Authentication phone
- Enter the country code (example: +91) and the mobile number
- Click Save
This enables OTP via SMS or voice call.
Add the Authenticator app:
- Under Authentication methods, click + Add authentication method
- Select Microsoft Authenticator
On the next sign-in, the admin must:
- Install the Microsoft Authenticator app
- Scan the QR code
- Approve login notifications
Note: the Authenticator app is more secure than SMS and is strongly recommended.
Instead of legacy per-user MFA, use Conditional Access.
- In Microsoft Entra, go to Protection → Conditional Access
- Click Create new policy
- Policy name: Require MFA for Admin Accounts
- Users: Include → Directory roles → select Global Administrator and Security Administrator
- Cloud apps: All cloud apps
- Grant controls: select Require multi-factor authentication
- Enable policy: ON
- Click Create
Sign out from the admin account and sign in again. You will be prompted for either an OTP on your mobile phone or an Authenticator app approval.
Before enforcing MFA on all admins:
- Create at least two Global Admin accounts
- Register backup phone numbers
- Ensure at least one admin is fully configured with MFA
This prevents accidental admin lockout.
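The Conditional Access policy built in the steps above is, behind the portal, a Microsoft Graph conditionalAccessPolicy object. The following added example (not the article's own code) builds that object and audits an existing one for the misconfigurations named in this article (policy not enabled, admin roles not selected, MFA not required). It assumes the common practice of excluding a backup Global Admin from the policy as a guard against the lockout described above; the role template IDs are the well-known Entra values, and the break-glass object ID is a constructed placeholder.

```python
import json

# Well-known Entra directory role template IDs (identical in every tenant).
GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"
SECURITY_ADMIN = "194ae4cb-b126-40b2-bd5b-6091b380977d"
ADMIN_ROLES = [GLOBAL_ADMIN, SECURITY_ADMIN]


def build_policy(break_glass_user_ids, state="enabled"):
    """Graph request body equivalent to the portal steps in the article."""
    return {
        "displayName": "Require MFA for Admin Accounts",
        "state": state,                             # "enabled" = Enable policy: ON
        "conditions": {
            "users": {
                "includeRoles": list(ADMIN_ROLES),  # Users > Include > Directory roles
                "excludeUsers": list(break_glass_user_ids),
            },
            "applications": {"includeApplications": ["All"]},  # All cloud apps
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def audit_policy(policy):
    """Return findings for a conditionalAccessPolicy object; [] means it matches."""
    findings = []
    if policy.get("state") != "enabled":
        findings.append("policy not enabled (disabled or report-only)")
    conditions = policy.get("conditions", {})
    users = conditions.get("users", {})
    missing = set(ADMIN_ROLES) - set(users.get("includeRoles", []))
    if missing:
        findings.append("admin role(s) not selected: " + ", ".join(sorted(missing)))
    if conditions.get("applications", {}).get("includeApplications") != ["All"]:
        findings.append("policy does not target all cloud apps")
    if "mfa" not in policy.get("grantControls", {}).get("builtInControls", []):
        findings.append("grant control does not require MFA")
    if not users.get("excludeUsers"):
        findings.append("no emergency-access admin excluded (lockout risk)")
    return findings


if __name__ == "__main__":
    # Constructed placeholder object ID for the backup Global Admin.
    policy = build_policy(["00000000-0000-0000-0000-000000000001"])
    print(json.dumps(policy, indent=2))
    print(audit_policy(policy))  # -> []
```

The same body can be sent with Microsoft Graph's POST /identity/conditionalAccess/policies, and audit_policy can be run over the JSON returned by GET on that endpoint to confirm the portal steps took effect.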
Troubleshooting:
- Not prompted for MFA: check that the Conditional Access policy is enabled and that the admin roles were selected correctly
- OTP not received: check the country code, or use the Authenticator app instead
- Admin locked out: sign in with the secondary Global Admin, or contact Microsoft Support if no backup admin exists
Best practices:
- Always enable MFA for admins
- Prefer the Authenticator app over SMS
- Avoid legacy per-user MFA
- Review admin sign-in logs regularly
- Use Conditional Access policies
Enabling 2FA for Admin accounts in Microsoft 365 Business Basic is critical for tenant security. By combining Authentication Methods and Conditional Access, you can ensure strong protection against unauthorized access, phishing, and account compromise.