Skip to content

Enable MFA without assigning Global Admin Privileges to support staff

Enable MFA without assigning Global Admin Privileges to support staff

The purpose of this post is to provide an alternative method of enabling MFA on user accounts without assigning Global Admin Permissions to all support staff.

Please take note that this solution is based on Azure AD Conditional Access.

This option can be used to reduce the administrative portion when it comes to protecting comprised accounts.

To get started Login to the Office 365 Admin Portal :

The navigate to Azure Active Directory

  • Azure Active Directory then select Conditional access.

  • From the Conditional access menu, select “New Policy”.

From the New policy menu, do the following.

  • Policy Name “O365_Enable_MFA”
  • Assignments select include and click “select users and groups”, tick Users and groups and select on-prem security group. “O365_Enable_MFA”

  • Click “select” at the bottom after selecting the on-prem security group

On the following option, you need to provide the cloud application to which you would like to apply MFA to. In this case it will be Office 365 Exchange Online.

  • Click Cloud Apps then select apps.
  • Select Office 365 Exchange Online and click select.

  • Click Done

To configure the MFA for the selected cloud apps, do the following.

  • Click on Access control
  • Then Click Grant and select “Require multi-factor authentication”

For multiple controls

  • Select “Require all the selected controls
  • Click on select

Lastly click on Enable Policy and set it to “Enable” and then click “save

As you will notice from the Main policy screen, the newly created “O365_Enable_MFA” policy is now showing as “Enabled

To test that MFA is working, login with a user that is part of the “O365_Enable_MFA” on-prem security group.

After login, the user will be presented with the following screen to setup MFA on their side.

The user will then be presented with following screen to provide a valid cellphone number, you can select Call or SMS and then click Next.

An OTP will be sent to the mobile number provided, Enter the OTP code and click verify to complete the MFA enablement.

Once the setup for MFA has been completed, the user will be presented with another screen to enter an OTP which was sent again after the registration process.

After providing the MFA OTP, the user will be able to access to Office 365 portal as below.


Sharing is caring!

Published inExchange OnlineOffice 365PowerShell


  1. Sander Sander

    Thanks for the article. Is it also possible to set MFA to ‘enforced’ through a policy?

Leave a Reply

Your email address will not be published.