In today’s world, the use of multiple layers of security has become a requirement.  Gone are the days when just the password would suffice.  Now, many companies across corporate America are requiring Two Factor Authentication, and in many cases, Multifactor Authentication (MFA).  This is the situation where at least three or more authentication mechanisms are used to confirm the identity of an end user.

In this article, we do a deeper dive into it, and examine the licenses that come with MFA when using Microsoft tools.

The Deeper Dive

MFA works on the following three principles:

  • Something you know – such as a passphrase
  • Something you have – such as an RSA Token
  • Something you are – this can include biological and behavioral traits about yourself.

You must use two or more of these authentication methods.

MFA is illustrated in the diagram below:

(SOURCE:  1).

At the present time, Microsoft allows the following mechanisms to be used in an MFA approach:

  • The Microsoft Authenticator app;
  • The Windows Hello for Business;
  • The FIDO2 security key;
  • The OATH hardware token;
  • OATH software token;
  • Text Messaging making use of One Time Passwords (OTPs);
  • A telephone call.

However, this is not by any means an inclusive list, and pending upon approval from the IT Security team, end users can also add in other types of authentication mechanisms, by going to

For the more general permissions, you can activate the Microsoft Authenticator which will give only the most basic permissions, rights, and privileges to all of the employees in your company.  By taking this ground up approach, you can then add further what is needed by the employee in order to complete their job, still following the concepts of Least Privilege.

If you need to establish more granular levels of control, you can make use of the Conditional Access tool set in Azure.  More information about it can be seen here.

This is illustrated in the diagram below:


(SOURCE:  1).

The Licensing For MFA

At the present time, the following licenses are available:

  • The Free One:

If you currently have an Office 365 account, there is no cost for using the MFA tools. However, the free version does not include Azure Conditional Access.

  • The Microsoft suite that includes an Azure Active Directory P1 or P2 license does include Azure Conditional Access support. With these licenses, the administrator can configure a number of options such as:
  • Conditional Access controls that can be used to grant granular controls over the login and how MFA can be used to verify the user account. You can enable controls for a user or a group of them.
  • Restriction on Office 365 login access

Note the following:

Premium P1 comes with Enterprise Mobility, Security E3,  Microsoft 365 FE3, F3 and Business Premium.

Premium P2 comes with Enterprise Mobility, Security E5, and Microsoft 365 E5.


Overall, this article has examined what MFA is, and the various licensing schemes that come with it when you are in Azure.  If you have any questions about this, please contact us today.