How to Set Up Two-Factor Authentication on Microsoft Account

Your Microsoft account is the gateway to Outlook, OneDrive, Xbox, Microsoft 365, Teams, Azure, and dozens of other services. A compromised Microsoft account can expose work emails, cloud files, and even billing information. Enabling two-step verification (Microsoft's name for 2FA) takes about five minutes and significantly reduces your exposure to password-based attacks.

How to Enable 2FA on Your Microsoft Account

  1. Go to account.microsoft.com and sign in.
  2. Click Security in the top navigation bar.
  3. Under "Advanced security options", click Get started.
  4. Under "Two-step verification", click Turn on.
  5. Follow the setup wizard. You can choose from an authenticator app, email, phone number, or security key.
  6. Microsoft will prompt you to generate an app password for any legacy applications that do not support modern authentication. Save this somewhere safe.

Use the Microsoft Authenticator app for the best experience. It supports number matching (you confirm a number shown on screen rather than just tapping Approve), which provides extra protection against MFA fatigue attacks.

Microsoft 2FA Methods Explained

Microsoft Authenticator App

The Microsoft Authenticator app is available for iOS and Android. It supports two modes: push notifications (tap Approve on a prompt sent to your phone) and TOTP codes (a 6-digit number that refreshes every 30 seconds). Microsoft recommends push notifications with number matching enabled: this requires you to type a number displayed on your computer into the app, which prevents blind approval of attacker-triggered prompts.

Third-Party Authenticator Apps

Microsoft accounts also work with any standard TOTP app, including Google Authenticator, Authy, 1Password, and Bitwarden. To use one, choose "Use an app" during setup and select "Other" to get a QR code rather than being pushed to install the Microsoft app. This is a perfectly valid choice if you already use a different authenticator for your other accounts.
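The QR code shown when you pick "Other" encodes an otpauth:// URI carrying a base32 secret, and every app listed above turns that secret into codes with the same algorithm, TOTP (RFC 6238, built on HOTP from RFC 4226). The following Python is an added example, not code from this guide or from Microsoft: it parses such a URI, generates the 6-digit, 30-second codes, and shows how a verifier would check a submitted code with a small clock-drift window and replay rejection. The secret is the published RFC 4226/6238 test key and the URI is constructed for the example; the verifier logic is a generic illustration, not Microsoft's implementation.

```python
import base64
import hashlib
import hmac
import struct
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse

# Published RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890").
RFC_TEST_SECRET = b"12345678901234567890"

# Constructed sample of what a TOTP enrolment QR code contains (hypothetical account).
SAMPLE_OTPAUTH_URI = (
    "otpauth://totp/Example:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example"
)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                     # low nibble of the last byte picks the slice
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the number of elapsed time steps."""
    return hotp(secret, timestamp // step, digits)


def decode_base32_secret(text: str) -> bytes:
    """Apps tolerate spaces and lower case in the shared secret; padding is often omitted."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def parse_otpauth(uri: str) -> dict:
    """Extract the parameters an authenticator app stores from a scanned otpauth://totp URI."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    params = parse_qs(parsed.query)
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "issuer": params.get("issuer", [""])[0],
        "secret": decode_base32_secret(params["secret"][0]),
        "digits": int(params.get("digits", ["6"])[0]),
        "period": int(params.get("period", ["30"])[0]),
    }


def verify_totp(secret: bytes, submitted: str, timestamp: int,
                last_accepted_step: Optional[int] = None,
                step: int = 30, digits: int = 6, drift: int = 1) -> Optional[int]:
    """Server-side check: accept the current step or one step either side (clock drift),
    compare in constant time, and never accept a step at or before the last accepted one
    so a captured code cannot be replayed within the window. Returns the matched step."""
    current = timestamp // step
    matched = None
    for delta in range(-drift, drift + 1):
        candidate = current + delta
        if last_accepted_step is not None and candidate <= last_accepted_step:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted) and matched is None:
            matched = candidate
    return matched


if __name__ == "__main__":
    enrolment = parse_otpauth(SAMPLE_OTPAUTH_URI)
    print("account:", enrolment["label"], "issuer:", enrolment["issuer"])
    # RFC 6238 test vector: at Unix time 59 the SHA-1 TOTP is 94287082, i.e. 287082 at 6 digits.
    print("code at t=59:", totp(enrolment["secret"], 59))
    print("accepted step:", verify_totp(enrolment["secret"], "287082", 59))
```

Run it as a script to see the enrolment being parsed and a code verified; the replay check is what distinguishes a careful verifier from one that only compares strings, since a phished code stays valid for the rest of its 30-second step otherwise.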

Email or Phone (SMS)

Microsoft can send verification codes to your registered email address or phone number. SMS is the least secure option due to SIM-swap risk, and email is only as secure as your email account itself. Use an authenticator app whenever possible and keep email/phone as a fallback only.

Security Keys

Hardware keys such as YubiKey are supported on Microsoft accounts via FIDO2/WebAuthn. They provide the strongest protection and are phishing-resistant, and they are worth considering for accounts with access to sensitive business data or Azure resources.

Enabling 2FA for Microsoft 365 Business Accounts

If your Microsoft account is a work or school account managed by an organisation, your IT administrator controls 2FA settings via Azure Active Directory (now Entra ID). The process differs from personal accounts: you typically need to visit aka.ms/mfasetup to register your verification methods, and your admin may require specific methods or enforce Conditional Access policies.

App Passwords for Legacy Apps

Older applications (some email clients, older versions of Office, or third-party tools that connect to Microsoft services) do not support modern authentication and cannot handle 2FA prompts. For these, Microsoft lets you generate app passwords: long random strings that bypass 2FA for that specific app. Go to Security > Advanced security options > App passwords to generate one. Use app passwords only when necessary and revoke them when you no longer need the application.

What to Do If You Are Locked Out

If you cannot access your 2FA method, Microsoft provides several recovery options. You can use a backup verification method (email or phone if configured), your Microsoft account recovery code (generate one in advance from Security settings), or go through the account recovery form at account.live.com/acsr. The recovery process verifies your identity through questions about your account history and recent activity.