Microsoft will soon enable multi-factor authentication (MFA) for all high-privileged Azure AD accounts, the company said on Friday.

The MFA feature will be part of Microsoft Azure AD's "baseline policy," a set of security features that are enabled for accounts to support a minimum of security measures.

The "MFA-by-default for admin accounts" baseline policy is currently in a public preview phase, and any Azure AD customer can enable it by following the steps described here.

Microsoft says that once the feature goes out of "public preview" and into "general availability," the following Azure AD account types will be prompted to configure multi-factor authentication settings to access their accounts.

Global administrator

SharePoint administrator

Exchange administrator

Conditional access administrator

Security administrator

Azure AD multi-factor authentication options include:

Call to phone

SMS security code

Notification through mobile app

OATH verification code from mobile app

Azure AD tenants can opt out if it's an inconvenience

Azure AD tenants can opt out of using this baseline policy for their organization, if they wish to, albeit security researchers advise against it.

"Attackers who get control of privileged accounts can do tremendous damage, so it’s critical to protect these accounts first," said Alex Simons, Director of Program Management, Microsoft Identity Division.

#AzureAD baseline security policy for Admin accounts is now in public preview https://t.co/S0Cy8Wv6vo pic.twitter.com/3mL6qghRPM — Alex Simons (@Alex_A_Simons) June 22, 2018

We already manually enable MFA for admin accounts, but this makes the whole process much easier and less prone to mistakes. Set and forget! #AzureAD #MFA https://t.co/E5WV7ncShq — Gerbrand van der Weg (@gerbrandvdweg) June 22, 2018

Office365/Azure will soon force high-powered admin accounts to use 2FA, unless you specially go in and turn it off for your organization.

Good stuff. Good direction. https://t.co/jzMZtrRLxd — SwiftOnSecurity (@SwiftOnSecurity) June 22, 2018

Third Azure AD feature launched last week

Last week, Microsoft also announced the public preview of two other Azure AD tools. The first is named Azure AD Password Protection and was designed to help customers eliminate easily guessable passwords from their setups.

The second is named Azure AD Smart Lockout and is a tool that detects brute-force attacks and temporarily locks access to the targeted accounts.

In 2016, Microsoft decided to ban users from using passwords that had been included in leaked lists of passwords that originated from data breaches at other companies.

At the time, Microsoft said its infrastructure handled over 13 billion authentications per day, of which 1.3 billion were for Azure AD accounts. Of these 13 billion, Microsoft said over 10 million authentication requests were malicious in nature.