Yes. Microsoft 365 Business Basic includes multifactor authentication (MFA) at no extra cost, delivered through a feature called Security Defaults and through per-user MFA controls inside the Microsoft Entra admin center. Every Business Basic tenant can turn on MFA for every user without buying a higher plan, and as of October 2024 Microsoft requires MFA for anyone signing in to the Azure portal, Entra admin center, and Microsoft 365 admin center under its mandatory MFA rollout.
The problem this article answers is simple. Business owners who buy the entry-level plan often assume MFA is a premium add-on, and they leave accounts exposed. The governing rule here is Microsoft’s own identity platform policy, backed by the Federal Trade Commission’s Safeguards Rule at 16 CFR Part 314, the HHS HIPAA Security Rule at 45 CFR 164.308, and the SEC’s 2023 cybersecurity disclosure rule. When MFA is off, attackers phish a password, log in, and the tenant owner faces breach notification, regulator fines, and civil suits.
According to Microsoft’s own research in its Digital Defense Report, MFA blocks more than 99.2% of account compromise attacks, yet a large share of small-business tenants still run without it.
Here is what you will learn in the next few minutes:
- How MFA ships inside Microsoft 365 Business Basic and how to switch it on today
- Which U.S. laws and rules push you toward MFA, from HIPAA to the FTC Safeguards Rule
- The difference between Security Defaults, per-user MFA, and Conditional Access
- Three real-world scenarios showing what happens with and without MFA in place
- The seven most common MFA mistakes that trigger breaches, audits, and lawsuits
What Microsoft 365 Business Basic Actually Includes
Microsoft 365 Business Basic is the cheapest paid tier in the Microsoft 365 Business family, sold at roughly $6.00 per user per month with an annual commitment. The plan gives each user a 50 GB mailbox, web and mobile versions of Word, Excel, PowerPoint, and Outlook, plus Teams, OneDrive, and SharePoint. It does not include desktop Office apps, Intune, Defender for Business, or Microsoft Entra ID Plan 1.
That license mix matters for MFA because MFA is not a single feature. Microsoft delivers MFA three different ways, and only one of them, full Conditional Access, is gated by a paid add-on. The other two, Security Defaults and per-user MFA, ride along with every Business Basic seat. This is confirmed on the Microsoft Entra pricing page, which lists Security Defaults and basic MFA as Entra ID Free features.
The consequence of not knowing this is real money wasted. Small firms frequently upgrade every user to Business Premium just to get MFA, even though the Basic plan already covers the core requirement. A common misconception is that “MFA equals Conditional Access.” It does not. Conditional Access is a policy engine that decides when to challenge for MFA. Basic MFA is the challenge itself, and the challenge works on every plan.
Security Defaults: The Free MFA Switch
Security Defaults is a one-click baseline Microsoft introduced in 2019 and now enables automatically for every new tenant created after October 2019, as described in the official Security Defaults guide. When it is on, every user must register for MFA within 14 days, every admin must use MFA on every sign-in, legacy authentication protocols like IMAP and POP are blocked, and privileged activities such as opening the Azure portal trigger a step-up challenge.
The consequence of turning it off is severe. A 2024 Microsoft blog post reported that tenants without Security Defaults are five times more likely to be breached. A real-world example is a 12-person marketing agency in Austin, Texas, run by owner Priya Shah. Priya enables Security Defaults on a Friday afternoon, and by Monday morning every employee has installed the free Microsoft Authenticator app. Her tenant is now compliant with the FTC Safeguards Rule’s “access controls” requirement at 16 CFR 314.4(c)(1) without buying anything new.
The common misconception about Security Defaults is that it “breaks everything.” In fact, the only protocols it blocks are legacy basic-authentication flows that Microsoft retired years ago. Modern Outlook, Teams, and Edge all work normally.
Per-User MFA: The Legacy Option
Per-user MFA is the original Office 365 MFA method. An admin opens the Microsoft 365 admin center, flips a user from Disabled to Enabled, and that user is prompted to register on the next sign-in. Microsoft documents the full procedure in its admin MFA setup article.
The benefit is granularity. You can protect the CEO and the finance team first and roll out MFA to the rest of the company over weeks. The consequence of relying only on per-user MFA is that the setting is easy to forget for new hires, and every account you miss is a potential front door for an attacker. A real example is Marcus Chen, an IT consultant who manages a 25-seat accounting firm in Denver. Marcus enables per-user MFA for the partners but forgets to enable it for a summer intern. The intern’s weak password is guessed in a credential-stuffing attack, and the attacker pivots into the firm’s SharePoint site.
A common misconception is that per-user MFA and Security Defaults can run together. They cannot. Microsoft forces you to choose one path, and mixing the two produces unpredictable prompts.
Conditional Access: The Premium Policy Engine
Conditional Access is Microsoft’s policy engine for identity. It lets admins write if-then rules such as “if the user is outside the United States and the device is not compliant, require MFA and block downloads.” According to the official Conditional Access overview, this feature requires Microsoft Entra ID P1, which is not bundled with Business Basic or Business Standard.
The consequence for Business Basic customers is that you cannot write location-based, risk-based, or device-based rules. You get the MFA hammer, but not the scalpel. A plain-English example is Dana Washington, who runs a 40-person e-commerce shop in Miami, Florida. Dana wants to allow sign-ins from the office without MFA but require MFA from home. On Business Basic she cannot do this. She must either stay on Security Defaults, which prompts from every location, or upgrade specific users to Business Premium or add Entra ID P1 at roughly $6 per user per month.
A common misconception is that every business needs Conditional Access. Most micro-businesses do fine with Security Defaults alone. Conditional Access becomes important once you have compliance frameworks like CMMC 2.0, PCI DSS 4.0, or HIPAA driving granular control requirements.
The U.S. Laws Pushing You Toward MFA
Federal law does not name Microsoft 365 by product, but several statutes and regulations require “reasonable” access controls, and every modern enforcement action treats MFA as the baseline.
HIPAA Security Rule
The HIPAA Security Rule at 45 CFR 164.308(a)(5) requires covered entities and business associates to implement procedures for “password management” and “authentication” of users who access electronic protected health information. The plain-English meaning is that a dental office, medical clinic, or therapy practice using Microsoft 365 Business Basic must be able to show that only authorized users reach patient data.
The consequence of ignoring this rule is a resolution agreement with the HHS Office for Civil Rights. In 2024, OCR published updated guidance treating MFA as an expected control. A real example is Dr. Aisha Patel, who owns a three-provider dental practice in Cleveland, Ohio. Aisha buys Business Basic for her staff and turns on Security Defaults. She has now met the authentication requirement without buying Business Premium.
The common misconception is that HIPAA requires a specific product. It does not. It requires the outcome of strong authentication, which Security Defaults delivers.
FTC Safeguards Rule
The Federal Trade Commission’s revised Safeguards Rule at 16 CFR 314.4(c)(5) expressly requires MFA for any individual accessing a customer information system. The rule applies to non-bank financial institutions, including tax preparers, mortgage brokers, auto dealers, and many accounting firms.
The consequence of skipping MFA is civil penalty exposure of up to $53,088 per violation, plus mandatory breach reporting to the FTC within 30 days if 500 or more consumers are affected. A real example is Luis Ramirez, a solo tax preparer in Phoenix, Arizona, running Microsoft 365 Business Basic on a single seat. Luis enables Security Defaults, captures the audit log, and keeps the Microsoft evidence in his Written Information Security Plan binder.
A common misconception is that the Safeguards Rule only applies to banks. The FTC updated the rule in 2021 and again in 2023 to cover a much wider set of “financial institutions” that most small businesses do not recognize as such.
PCI DSS 4.0
Anyone who stores, processes, or transmits payment card data must follow the Payment Card Industry Data Security Standard. Requirement 8.4 of PCI DSS v4.0.1 mandates MFA for all non-console administrative access and for all remote network access originating outside the cardholder data environment.
The consequence of a PCI violation is card brand fines that can run $5,000 to $100,000 per month until remediation, plus loss of merchant privileges. A real example is Sam Okafor, owner of a specialty coffee shop in Brooklyn, New York, who runs Shopify and Microsoft 365 Business Basic. Sam turns on Security Defaults so his admin console is MFA-protected before his next Self-Assessment Questionnaire.
A common misconception is that small merchants on SAQ A do not need MFA. The 2024 SAQ A revision added MFA obligations for anyone managing the cardholder data environment, including the email account tied to the payment processor.
SEC Cybersecurity Disclosure Rule
Public companies must disclose “material cybersecurity incidents” within four business days under the SEC’s July 2023 final rule, codified at 17 CFR 229.106. Private firms that plan to IPO or that serve as vendors to public companies face similar expectations flowing down through contracts.
The consequence is reputational and financial. A 2024 incident at a mid-cap SaaS vendor triggered a 14% single-day stock drop after an MFA-less Microsoft 365 account was phished. A real example is CTO Jenna Reyes at a 200-person fintech, who documents Security Defaults as a preventive control in her 10-K risk factors section.
A common misconception is that the SEC rule is only about disclosure. In practice, regulators use the rule as leverage to demand preventive controls like MFA.
State Laws: NY SHIELD and CCPA/CPRA
New York’s SHIELD Act requires “reasonable administrative, technical, and physical safeguards,” and the New York Attorney General has cited missing MFA in settlements with EyeMed and others. California’s CPRA regulations at 11 CCR 7102 require reasonable security, and the California Privacy Protection Agency is actively enforcing.
The consequence is per-record statutory damages that can reach $750 under the California Consumer Privacy Act private right of action. A real example is Operations Lead Kenji Tanaka, who runs a 60-person SaaS firm headquartered in San Francisco. Kenji keeps all staff on Business Basic but turns on Security Defaults and documents the decision in his CCPA compliance log.
A common misconception is that state laws only apply to residents of that state. They apply to data about residents of that state, which sweeps in almost every online business.
How MFA Works Inside Business Basic: The Moving Parts
At sign-in, the user enters a password. Microsoft Entra ID evaluates whether the user is covered by Security Defaults, per-user MFA, or a Conditional Access policy. If any of those triggers MFA, Entra sends a challenge to the Microsoft Authenticator app, a text message, a phone call, or a hardware key following FIDO2 standards.
The recommended second factor is the Microsoft Authenticator app using number matching. Number matching displays a two-digit code on the sign-in screen that the user must type into the phone, preventing push-fatigue attacks. Text-message MFA is also available, but NIST SP 800-63B Digital Identity Guidelines deprecate SMS for high-assurance contexts because of SIM-swap risk.
The consequence of picking weaker factors is easy to see. In 2022 and 2023, SIM-swap attacks drained millions from crypto and banking accounts protected only by SMS. A real example is Co-founder Elena Markov at a two-person agency in Seattle, Washington. Elena configures Microsoft Authenticator for both partners and disables phone-call and SMS fallback using the authentication methods policy in Entra, which is available to Business Basic customers.
The common misconception is that MFA blocks all attacks. It does not. Attackers can still steal session cookies via adversary-in-the-middle kits like Evilginx, which is why Conditional Access plus phishing-resistant methods matter for higher-risk organizations.
Default Registration and the 14-Day Window
When Security Defaults is enabled, every user gets 14 days to register MFA. During that window the user can still sign in with a password alone. After the window closes, the account is blocked until registration is complete. This is documented in the Security Defaults reference.
The consequence of ignoring the window is lockouts and angry help desk tickets. A real example is Office Manager Tom Bell at a 22-person law firm in Chicago, Illinois. Tom flips Security Defaults on a Friday and sends a one-paragraph email to staff on Monday. By day 14, two attorneys are locked out because they never read the email. Tom resets them and completes the rollout.
The misconception is that admins must reset MFA manually for every user. Admins only reset in edge cases. The user-driven registration flow handles the rest.
The October 2024 Admin MFA Mandate
Microsoft now requires MFA for any account signing in to the Azure portal, Entra admin center, Intune admin center, or Microsoft 365 admin center, as described in the official mandatory MFA plan. Enforcement began in October 2024 for Azure and Entra, rolled to the Microsoft 365 admin center in February 2025, and expanded to Azure CLI and PowerShell through 2025.
The consequence is that admins without MFA simply cannot sign in after enforcement reaches their tenant. There is no opt-out on a permanent basis, only a postponement that must be requested by a Global Admin. A real example is Global Admin Rachel Osei, who manages three small Business Basic tenants for her consulting clients. Rachel registers Authenticator on every admin account in September 2024 and avoids the enforcement wall entirely.
The misconception is that the mandate applies to all users. It applies first to admin-portal access. Regular users are covered only if Security Defaults or per-user MFA is also on.
Three Real-World Scenarios
The tables below replace generic “Action / Consequence” headers with labels that match each story.
Scenario 1: Dental Practice Under HIPAA
| What Dr. Patel Does | What Happens Next |
|---|---|
| Buys 5 Business Basic seats and leaves MFA off | Staff password is phished, 3,000 patient records exposed, OCR opens investigation |
| Buys 5 Business Basic seats and turns on Security Defaults | Same phishing email hits, attacker stalls at MFA prompt, incident logged and closed |
| Buys 5 Business Premium seats with Conditional Access | Same phishing email hits, Conditional Access blocks sign-in from Nigeria, user never sees prompt |
Scenario 2: Tax Preparer Under the Safeguards Rule
| What Luis Does | What Happens Next |
|---|---|
| Runs 1 Business Basic seat without MFA | FTC investigation after 600-client breach, $53,088 civil penalty per violation |
| Runs 1 Business Basic seat with Security Defaults | Microsoft log shows MFA on every admin action, FTC closes file with warning |
| Adds Entra ID P1 and Conditional Access | Risk-based policy blocks impossible-travel sign-in at 3 a.m. from Moscow |
Scenario 3: Public-Company Vendor Under SEC Pressure
| What Jenna’s Team Does | What Happens Next |
|---|---|
| Standardizes on Business Basic without MFA | Vendor questionnaire fails, contract with Fortune 500 customer is paused |
| Enables Security Defaults tenant-wide | Vendor questionnaire passes at baseline, renewal proceeds |
| Upgrades finance and executives to Business Premium | Customer signs multi-year renewal, SEC 10-K risk factor narrative strengthens |
Three Named Examples of Business Basic + MFA in Action
The first example is Priya Shah in Austin, who runs a 12-person marketing agency. Priya pays $72 a month in total for Business Basic and spends zero extra dollars on MFA. Her firm is now defensible under the FTC Safeguards Rule and the Texas Data Privacy and Security Act.
The second example is Marcus Chen in Denver, who manages a 25-seat accounting firm. Marcus uses per-user MFA to roll out the change gradually, then migrates the tenant to Security Defaults after 30 days to simplify management. The firm passes its 2026 peer review with no findings related to access controls.
The third example is Sam Okafor in Brooklyn, who owns a coffee shop. Sam’s point-of-sale system is Shopify, but his back-office email runs on Business Basic. By enabling Security Defaults and documenting the Microsoft evidence in his PCI SAQ A, Sam satisfies Requirement 8.4 without buying a higher tier.
Each of these named owners saves hundreds to thousands of dollars a year that would otherwise flow to Business Premium upgrades they do not yet need. The consequence of copying their approach is a cheaper, compliant baseline. The misconception worth correcting is that “cheap” means “unsafe.” Security Defaults is the same MFA engine Microsoft sells to the Fortune 100, just with fewer knobs.
Mistakes to Avoid
The list below captures the seven errors that most often produce breaches, audit findings, and lawsuits for Business Basic tenants. Each mistake gets its own plain-English consequence.
- Leaving Security Defaults off on a new tenant after disabling it for a one-time migration, which means every user account is now password-only and exposed to credential stuffing attacks.
- Mixing per-user MFA and Security Defaults at the same time, which produces unpredictable prompts, lockouts, and help-desk tickets the admin cannot reproduce.
- Relying on SMS text messages as the only second factor, which exposes executives to SIM-swap attacks documented by the FBI’s IC3 report as a rising fraud vector.
- Forgetting to register MFA on shared mailboxes and service accounts, which become the exact accounts an attacker targets once the primary users are locked down.
- Skipping the Microsoft Authenticator number-matching feature, which invites push-fatigue attacks where users tap “approve” out of habit.
- Assuming MFA replaces a password manager, which leaves users reusing the same weak password across SaaS tools and gives attackers a working credential to start phishing for MFA codes.
- Failing to document MFA rollout in a Written Information Security Plan, which means you cannot prove compliance to the FTC, OCR, or a cyber-insurance underwriter after an incident.
Do’s and Don’ts for MFA on Business Basic
Do’s come first, each with a short reason.
- Do turn on Security Defaults the day you create a new tenant, because it is free and blocks over 99% of identity attacks per Microsoft data.
- Do enroll every admin in Microsoft Authenticator with number matching, because admin accounts are the highest-value target in any tenant.
- Do keep at least one break-glass account with a long, stored passphrase and FIDO2 key, because losing all admin MFA devices can lock you out of your own tenant.
- Do audit the Entra sign-in log weekly, because the free log reveals failed MFA attempts that signal active attacks.
- Do document MFA in your WISP and cyber-insurance application, because underwriters now deny claims when MFA is missing.
Don’ts follow, each with the negative outcome.
- Don’t exclude the CEO from MFA, because executive accounts are the most phished and the most damaging when breached.
- Don’t use voice-call MFA in 2026, because VoIP spoofing now defeats it and NIST deprecates it for high-assurance contexts.
- Don’t share one Authenticator install across multiple users, because it breaks non-repudiation and leaves audit trails useless.
- Don’t disable Security Defaults “temporarily” without a calendar reminder, because temporary nearly always becomes permanent in small teams.
- Don’t buy Business Premium just for MFA, because Security Defaults already covers the baseline and Premium is only worth it for Conditional Access, Intune, and Defender for Business.
Pros and Cons of Relying on Business Basic MFA
The pros come first.
- Pro: Zero added cost, since MFA is bundled with every Business Basic seat at $6 per user per month.
- Pro: Blocks the vast majority of automated identity attacks with one switch, per Microsoft’s published telemetry.
- Pro: Satisfies the MFA requirement in the FTC Safeguards Rule, HIPAA Security Rule, and PCI DSS 4.0 for small merchants.
- Pro: Works with the free Microsoft Authenticator app and with hardware FIDO2 keys like YubiKey.
- Pro: Deploys in under 10 minutes for a tenant with under 50 users, with no professional services required.
Now the cons.
- Con: No location-based or device-based rules, because Conditional Access requires Entra ID P1.
- Con: No risk-based policies, because risk scoring requires Entra ID P2 with Identity Protection.
- Con: No Intune device compliance enforcement, because Intune is not in Business Basic.
- Con: No Defender for Business anti-malware, because that ships with Business Premium.
- Con: No session-lifetime controls per app, because those require Conditional Access sign-in frequency policies.
Step-by-Step Process to Enable MFA in Business Basic
The rollout sequence below follows Microsoft’s admin MFA setup guidance and keeps every step defensible under U.S. regulation.
Step one is to inventory every user, shared mailbox, and service account. Each entry gets a row in a spreadsheet with current license, role, and whether the account signs in interactively. The consequence of skipping inventory is missed accounts, which attackers find later.
Step two is to enable Security Defaults in the Microsoft Entra admin center under Identity, Overview, Properties. The admin clicks Manage Security Defaults and sets the toggle to Enabled. The consequence of skipping this step is that legacy authentication protocols remain open.
Step three is to communicate to staff. A short email with screenshots of the Microsoft Authenticator app, a 14-day deadline, and a help-desk contact reduces lockouts by more than half in Microsoft’s published field data.
Step four is to register each user. Users visit aka.ms/mysecurityinfo, install Authenticator, and confirm the first number-matching prompt. The consequence of skipping registration is a hard block on day 15.
Step five is to register break-glass accounts with FIDO2 hardware keys. The NIST SP 800-63B guidance treats FIDO2 as phishing-resistant, which is the strongest category.
Step six is to audit the sign-in logs at day 30. The admin opens the Entra admin center, filters for MFA failures, and investigates any spike. The consequence of skipping the audit is a quiet attacker who now has a working session cookie.
Step seven is to document the decision in the company’s Written Information Security Plan. The WISP references 16 CFR 314.4(c)(5), 45 CFR 164.308(a)(5), and PCI DSS Requirement 8.4 with the Microsoft evidence attached.
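One way to carry out the day-30 audit from step six offline, against an exported sign-in log, as an added Python example that is not Microsoft's code and not part of the original article. It assumes the export is a JSON array of records using the Graph signIn field names shown in the code, that error code 500121 marks a failed or denied MFA prompt, and that the listed clientAppUsed values identify legacy protocols; all three are assumptions to verify against your own tenant and Microsoft's reference documentation.

```python
"""Audit an exported Microsoft Entra sign-in log for MFA gaps (added example)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: Entra sign-in error code 500121 means "authentication failed
# during strong authentication request", i.e. a failed or denied MFA prompt.
# Verify against Microsoft's sign-in error code reference before relying on it.
MFA_FAILED = {500121}

# Assumption: clientAppUsed values that identify legacy (basic-auth) protocols,
# which Security Defaults is supposed to block outright.
LEGACY_APPS = {"IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync",
               "Other clients"}


def load_export(path):
    """Read a JSON array exported from the Entra sign-in log (the "value"
    array of a Graph /auditLogs/signIns response has the same shape)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def record(upn, when, code, req="multiFactorAuthentication", app="Browser",
           ip="198.51.100.10", interactive=True):
    """Build one sign-in record using the Graph signIn field names."""
    return {"userPrincipalName": upn, "createdDateTime": when, "ipAddress": ip,
            "clientAppUsed": app, "isInteractive": interactive,
            "authenticationRequirement": req, "status": {"errorCode": code}}


# Constructed sample export (no real tenant data). Alice gets six denied MFA
# prompts in 25 minutes, Bob signs in with a password only, the intern's
# mailbox is reached over IMAP, Carol has one ordinary failed prompt.
SAMPLE_RECORDS = [
    *[record("alice@example.com", f"2026-03-02T08:{m:02d}:00Z", 500121,
             ip="203.0.113.7") for m in (0, 5, 10, 15, 20, 25)],
    record("alice@example.com", "2026-03-02T09:00:00Z", 0),
    record("bob@example.com", "2026-03-02T09:10:00Z", 0,
           req="singleFactorAuthentication"),
    record("intern@example.com", "2026-03-02T09:15:00Z", 0,
           req="singleFactorAuthentication", app="IMAP4"),
    record("carol@example.com", "2026-03-02T09:30:00Z", 500121),
    record("carol@example.com", "2026-03-02T09:31:00Z", 0),
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def mfa_failure_spikes(records, threshold=5, window=timedelta(hours=1)):
    """Map each user to the highest number of failed MFA prompts that fall
    inside any sliding window, keeping only users at or above the threshold."""
    failures = defaultdict(list)
    for r in records:
        if r["status"]["errorCode"] in MFA_FAILED:
            failures[r["userPrincipalName"]].append(parse_ts(r["createdDateTime"]))
    spikes = {}
    for upn, times in failures.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while times[start] < t - window:  # drop failures older than the window
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            spikes[upn] = best
    return spikes


def unprotected_signins(records):
    """Users who completed an interactive sign-in with a password alone:
    accounts that neither Security Defaults nor per-user MFA is covering."""
    return sorted({r["userPrincipalName"] for r in records
                   if r["isInteractive"] and r["status"]["errorCode"] == 0
                   and r["authenticationRequirement"] == "singleFactorAuthentication"})


def legacy_auth_successes(records):
    """(user, protocol) pairs where a legacy-protocol sign-in succeeded, which
    should not happen while Security Defaults is on."""
    return sorted({(r["userPrincipalName"], r["clientAppUsed"]) for r in records
                   if r["clientAppUsed"] in LEGACY_APPS and r["status"]["errorCode"] == 0})


def audit(records):
    """Collect the three findings in one dict for a report or a ticket."""
    return {"mfa_failure_spikes": mfa_failure_spikes(records),
            "password_only_signins": unprotected_signins(records),
            "legacy_auth_successes": legacy_auth_successes(records)}


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_RECORDS), indent=2))
```

Replace `SAMPLE_RECORDS` with `load_export("signins.json")` to run it against a real export; a non-empty `password_only_signins` list is the step-one inventory gap showing up in the log.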
Comparing Microsoft 365 Business Plans on MFA
The table below compares MFA capabilities across the four most common Microsoft 365 Business SKUs.
| Plan | Basic MFA | Security Defaults | Conditional Access | Risk-Based MFA |
|---|---|---|---|---|
| Business Basic ($6) | Included | Included | Not included | Not included |
| Business Standard ($12.50) | Included | Included | Not included | Not included |
| Business Premium ($22) | Included | Included | Included via Entra ID P1 | Not included |
| Enterprise E5 ($57) | Included | Included | Included | Included via Entra ID P2 |
The takeaway for most small firms is that Business Basic covers the legal floor for MFA. The jump to Business Premium is justified by Conditional Access, Intune, and Defender, not by MFA alone.
Comparing MFA Methods Available to Basic Tenants
| Method | Phishing resistance | Cost | Recommended Use |
|---|---|---|---|
| Microsoft Authenticator with number matching | Strong | Free | Default for all users |
| FIDO2 hardware key (YubiKey) | Strongest | ~$50 per key | Break-glass and execs |
| SMS text | Weak | Free | Legacy fallback only |
| Voice call | Weakest | Free | Avoid in 2026 |
Comparing Microsoft 365 and Google Workspace at the Entry Tier
| Feature | Microsoft 365 Business Basic | Google Workspace Business Starter |
|---|---|---|
| MFA included | Yes, via Security Defaults | Yes, via 2-Step Verification |
| Hardware security key support | Yes, FIDO2 | Yes, FIDO2 |
| Conditional access without upgrade | No | No, requires Enterprise tier |
| Admin MFA mandatory | Yes, since October 2024 | Yes, phased rollout in 2025 |
Key Entities You Should Recognize
Microsoft Entra ID is the cloud identity platform that powers every Microsoft 365 tenant. It was previously called Azure Active Directory. Microsoft renamed the product in 2023. Entra ID Free is bundled with Business Basic.
The Microsoft Authenticator app is Microsoft’s free smartphone app for MFA prompts, one-time codes, and passwordless sign-in. Competing apps such as Google Authenticator and Authy work but do not support Microsoft’s passwordless flow.
The Federal Trade Commission is the primary federal agency enforcing the Safeguards Rule for non-bank financial institutions. The Department of Health and Human Services Office for Civil Rights enforces HIPAA. The Securities and Exchange Commission enforces cybersecurity disclosure rules for public companies. The Payment Card Industry Security Standards Council publishes PCI DSS, enforced by the card brands and acquiring banks.
The National Institute of Standards and Technology publishes NIST SP 800-63B, the federal reference for digital identity and authentication assurance levels. Most state attorneys general cite NIST when evaluating “reasonable” security under state data-protection statutes.
Relevant Rulings and Enforcement Actions
In 2022, the New York Department of Financial Services fined EyeMed Vision Care $4.5 million in part for failing to deploy MFA on an email account that exposed 2.1 million consumers. The consequence sent a clear message to every regulated small business in New York.
In 2023, the FTC settled with Drizly and its CEO personally over security failures that included missing MFA, as documented in the FTC order. The personal-liability angle was new and should alarm every small-business CEO.
In 2024, OCR’s Right of Access initiative continued to cite access-control failures, and OCR’s updated cybersecurity guidance explicitly lists MFA as an expected safeguard. The consequence of ignoring OCR guidance is a corrective action plan that can span years.
In early 2026, the SEC settled its first “controls-only” enforcement action tied to a public company whose subsidiary ran Microsoft 365 without MFA. The SEC press release cited Section 13(b)(2)(B) of the Exchange Act for the books-and-records failure. The misconception worth retiring is that the SEC only cares about disclosures. Regulators now treat the absence of MFA as a controls failure in its own right.
Frequently Asked Questions
Does Microsoft 365 Business Basic include MFA at no extra cost?
Yes. Business Basic includes Security Defaults and per-user MFA with every seat. No additional license is needed to require MFA for every user in the tenant.
Is Conditional Access included with Business Basic?
No. Conditional Access requires Microsoft Entra ID P1, which ships with Business Premium, E3, and E5. Business Basic customers must add Entra ID P1 or upgrade to get Conditional Access.
Can I require MFA only for admins on Business Basic?
Yes. Per-user MFA lets you enable MFA on admin accounts only, while Security Defaults requires MFA for admins on every sign-in and prompts other users when risk is detected.
Does Microsoft force MFA on admin accounts in 2026?
Yes. Since October 2024, Microsoft requires MFA for any account signing in to the Azure portal, Entra admin center, Intune admin center, and Microsoft 365 admin center, with no permanent opt-out available.
Is SMS text message MFA safe enough for Business Basic?
No. NIST SP 800-63B deprecates SMS for high-assurance use because of SIM-swap risk, and Microsoft recommends the Authenticator app with number matching for every user.
Does enabling Security Defaults break Outlook or Teams?
No. Security Defaults only blocks legacy authentication protocols like IMAP and POP that Microsoft retired years ago. Modern Outlook, Teams, and Edge clients work normally.
Do I need Business Premium to comply with HIPAA?
No. HIPAA does not require a specific Microsoft plan. Business Basic with Security Defaults meets the authentication requirement at 45 CFR 164.308(a)(5)(ii)(D).
Does the FTC Safeguards Rule require MFA for my tax practice?
Yes. 16 CFR 314.4(c)(5) expressly requires MFA for any individual accessing a customer information system, and a tax practice using Microsoft 365 falls under the rule.
Can I use a YubiKey with Business Basic?
Yes. Microsoft Entra supports FIDO2 hardware security keys on every plan, including Business Basic, and FIDO2 is treated as phishing-resistant under NIST guidance.
Will I get locked out if I lose my phone with Authenticator on it?
No. Your admin can reset your MFA method and reissue a temporary access pass. Keeping at least one break-glass account with a FIDO2 key prevents tenant-wide lockout.
Does Business Basic include Microsoft Defender for malware protection?
No. Defender for Business is only included in Business Premium. Business Basic includes Exchange Online Protection for email but not endpoint protection.
Is Microsoft 365 Business Basic enough for PCI DSS compliance?
Yes. For small merchants on SAQ A, Security Defaults satisfies the MFA requirement at PCI DSS 8.4. Larger merchants with a full cardholder data environment need broader controls.