As usual, a wonderfully precise, straight to the point video. Thank you.

dude i am binging on all of your videos - i learned so much man - keep it up.

Enforced means the user has completed the MFA registration. Enabled means they have not and have 14 days by default or will be forced. I’d you don’t want MFA you simply don’t click enable MFA. You should never click enforce unless they have previously registered according to MS. Good video

Enjoyed this. What is frustrating is that some parts of 365 can show MFA not configured, but it IS configured, under Conditional Access.

So the new method that they're trying to migrate people to. If that's done. Do you still need to come into this 'legacy' section and click 'enable' or 'enforce' for people. It seems like this is still needing to be done, it's just the service settings part that is moving or shifting.

I've enabled MFA for half my users using per user method. If i was to enable it now for everyone, via defaults, will the previous, already enrolled users be affected as well? I'd love to get 50% less phone calls about forgotten passwords during deployment.

If only the administrator has the Premium license and has set Conditional Access, then the regular users who have Basic or Standard license, what policy do they follow?

Security Defaults mandates that normal users must *setup* MFA (within 14 days) but *does not* mandate its use, except when the system determines the sign-in as 'risky' e.g. last sign-in was from UK, then suddenly the next is from Africa, or if the user is resetting their own password. Security Defaults mandates MFA registration *and use* for all administrative roles e.g. Global Admin, User Admin etc. Google 'Security defaults in Microsoft Entra ID' for further info. I think this is a nice balance between security and user convenience, imho.

You and Andy are my Hero's!!!! This video is absolutely amazing, and I'm actively implementing the strategies outlined here. However, I'm facing a challenge in my environment. Somehow, the 'Verify by Phone' feature got activated for my users. We're planning a full rollout in the 2nd or 3rd week of January, and I need this phone verification feature turned off temporarily until we complete our user migration. My plan is to enable all multi-factor authentication (MFA) and phone verification after 90+ days post-migration. Any advice on how to manage this would be greatly appreciated!

Hey buddy kindly create a tutorial on insider risk management

Per User is deprecated..