In Microsoft’s Security, Compliance, and Identity (SCI) learning content, Multi-Factor Authentication (MFA) is defined as requiring more than one verification method during sign-in. Microsoft states: “Multi-factor authentication (MFA) requires two or more verification methods” and Azure AD (Microsoft Entra ID) MFA “works by requiring two or more of the following: something you know (password), something you have (trusted device or token), something you are (biometrics).” The SCI fundamentals also explain that MFA strengthens authentication beyond a single password by combining distinct factor types, noting that “strong authentication uses at least two different factors to verify identity.”

When you enable Azure AD MFA, a user must successfully present two factors from those categories to complete the authentication—commonly a password (something you know) plus a second factor such as Microsoft Authenticator approval, a FIDO2 security key, SMS/voice code, or Windows Hello (something you have/are). This is the core of Azure AD’s risk-based and conditional access controls, which can require MFA based on conditions or risk signals. Therefore, the number of factors required after enabling Azure AD MFA is two, aligning with Microsoft’s definition and implementation of multi-factor authentication in Entra ID.