how to enable MFA for a single user

Question

how to enable MFA for a single user

Jerome James 0

I need some guidance on how setup MFA for one user in my company.

Sridevi Machavarapu 26,355 Reputation points Microsoft External Staff Moderator

2026-04-06T17:08:30.7933333+00:00
Hello Jerome James,

You’ve got a couple of straightforward ways to force just one user to do MFA in Entra ID—either with the legacy per-user MFA toggle or with a Conditional Access policy (recommended if you have P1/P2 licenses). Here’s how to do each:

Enable legacy per-user MFA (no extra license needed)

Sign in to the Entra admin center (https://entra.microsoft.com) as an Authentication Policy Administrator

Go to Identity > Users > All users, then click Per-user MFA

Find and select your user, click Enable MFA and confirm

Tell the user they’ll be prompted to register MFA (phone, Authenticator app, etc.) the next time they sign in

Create a Conditional Access policy (requires Entra ID P1 or P2)

In the Entra admin center, navigate to Security > Conditional Access > + New policy

Give it a name (e.g., “MFA for Jerome”)

Under Users or workload identities, choose Select users and groups and pick your single user

Under Cloud apps or actions, choose All cloud apps (or target specific apps)

Under Grant, select Grant access and check Require multifactor authentication

Turn Enable policy to On and hit Create

That policy will now only kick in for that one user

(Bonus) Automate via Microsoft Graph You can also flip the per-user MFA flag via Graph API by PATCHing the user’s authentication/requirements record (perUserMfaState = “enabled” or “enforced”).

Hope this helps you lock down MFA for just that one account!

Reference docs

Enable per-user MFA: https://dotnet.territoriali.olinfo.it/entra/identity/authentication/howto-mfa-userstates

Conditional Access MFA tutorial: https://dotnet.territoriali.olinfo.it/entra/identity/authentication/tutorial-enable-azure-mfa

Graph API perUserMfaState: https://dotnet.territoriali.olinfo.it/graph/api/authentication-update

Note: This content was drafted with the help of an AI system.
Sridevi Machavarapu 26,355 Reputation points Microsoft External Staff Moderator

2026-04-08T22:35:57.24+00:00

Hello Jerome James,

Any update on this? Please confirm if you still have further queries on this.

1 answer

Your answer

Sridevi Machavarapu 26,355 Reputation points Microsoft External Staff Moderator

2026-04-08T22:35:57.24+00:00

Hello Jerome James,

Any update on this? Please confirm if you still have further queries on this.

Answer 1

To enable Microsoft Entra multifactor authentication (MFA) for a single user, configure per-user MFA in the Microsoft Entra admin center.

Sign in to the Microsoft Entra admin center
- Go to https://entra.microsoft.com and sign in with an account that has at least the Authentication Policy Administrator or Authentication Administrator role.
Open the per-user MFA page
- Browse to Identity > Users > All users.
- Select Per-user MFA to open the Per-user multifactor authentication page.
Enable MFA for the specific user
- On the multi-factor authentication page, find and select the user account that should have MFA.
- Select Enable MFA.
- Confirm the selection in the pop-up window.
Inform the user
- After enablement, the user will be prompted to register MFA the next time they sign in.
- During registration, the user can set up the Microsoft Authenticator app or another allowed method as their second factor.

Notes:

When a user in Enabled state completes MFA registration, the state automatically changes to Enforced.
Enabling per-user MFA applies MFA to all sign-in events for that user unless Conditional Access policies specify otherwise.

References:

Share via

how to enable MFA for a single user

1 answer

Your answer