Tip: Properly Secure Your Microsoft Account Today

When was the last time you checked to make sure your Microsoft account is as securely configured as possible? It’s probably been a while, but properly securing this account should only take a few minutes. Or perhaps more, if it’s in an insecure state.

I’m writing about this now because I’ve spent much of the past several days writing a new chapter for the Windows 11 Field Guide that covers passkeys, security keys, and other related topics. In writing this, I decided to finally do something I’ve wanted to do for years and comprehensively detail how one can secure their Microsoft account. And because I really sweated this one, I ended up rewriting it several times until I felt that it was both approachable and complete, and you’ll be able to see that for yourself when it goes live in the book (including the version on this site) soon.

But online account security is tricky. Among the issues, most people have used their Microsoft account for years, so these accounts were configured in any number of ways, ignored for long periods of time, and probably include out-of-date information and various misconfigurations. And many people might not be taking advantage of the latest passwordless capabilities in this account and on the PCs and devices they use. So I figured it might be worth discussing this outside of the book too.

So let’s get this done. If you’re not already using Microsoft Authenticator or a similar authenticator app on your phone, your Microsoft account is probably in tough shape. So get that installed first: There are versions for Android and iPhone.

Next, open the Microsoft account website using a web browser on your PC and navigate to the Privacy dashboard, authenticating as necessary.

This page provides a Safety review wizard that gives a useful high-level overview of where your account stands from a security perspective (among other things). So click “Get started” under “Make sure you’re safe and secure.” The Safety review appears.

In this first step, ensure you have a valid email address and phone number (or two valid email addresses) configured for account recovery. If you don’t, click the appropriate “Add or remove” link and fix them as needed. When both are correct, click “Next” to display the second step, “Secure sign-in.”

This should read “You’re using Microsoft Authenticator.” If it doesn’t, we’ll fix it in a moment.

Either way, you can close or step through the remainder of the Safety review wizard: The next three steps involve Microsoft Edge marketing, more safety resources, and your Microsoft 365 privacy settings (which may be worth examining since you probably have no idea how that’s configured either). When you’re done, navigate to the Microsoft account Security dashboard.

Then, click “Get started” under “Advanced security options” to view the Additional security options page.

Here, you will see your password and the list of the additional ways you previously configured to sign in or verify your identity. If you don’t see “Send sign-in notification” or “Enter a code from an authenticator app” listed here, you need to configure Microsoft Authenticator as an additional sign-in and verification method. But before doing that, look at the “Two-step verification” option in the “Additional security” section below that list.

If this option is set to “On” and you are using Microsoft Authenticator (or a different authenticator app), you’re good to go: Your Microsoft account is in a secure passwordless configuration in which you can sign in or verify it on your PCs, devices, and on the web without having to ever type your password. That is, you don’t just have additional ways to sign in to or verify your Microsoft account, you have configured it to always require an extra step each time you do need to sign in to that account or otherwise verify that account.

If this option is set to “Off,” you will enable it now. So click “Turn on” under “Two-step verification.” An explanatory screen appears.

Click “Next” after you’ve read that. If you aren’t using Microsoft Authenticator (or a different authenticator app), you will be prompted to install that app on your phone and sign in to your Microsoft account in the app. Do so, and step through the prompts you see in the mobile app and in the web browser on your PC. Microsoft will provide you with an account recovery code, and when you return to the Additional security options page on the Microsoft account website, there will be two changes (or one, if you were already using Microsoft Authenticator): There is a new “Send sign-in notification” item in the additional sign-in and verification methods list, and Two-step verification will be set to “On.”

With two-step verification enabled, your account is now more resilient against phishing and other account-related attacks. And because you use the Microsoft Authenticator app on your phone to handle any Microsoft account-related sign-in prompts from any and all of your devices, that authentication will be easy and secure: Your phone is protected with biometrics, ideally, or at least a PIN. And that means that a hacker with your username and password won’t be able to get into the account.

Since you’re doing this now, you should also take this time to review the other security features associated with this account. My recommendations include:

Remove “Text a code” from your additional sign-in and verification methods list. Text-based authentication codes are insecure and easily intercepted. Note that you may need to add additional sign-in and verification methods before you can remove this option (I added a second email account). Also, removing this option does not remove your phone number from your account, which you can verify on the Your profile page (linked below), but it does remove it as an account recovery option.

Review your profile and account info to make sure it’s up-to-date. On the Microsoft account website’s Your profile page, make sure that your name, date of birth, country or region, language, regional formats, billing and shipping addresses are all correct and up-to-date. Then, do the same for your email address(es) (which include the accounts you use to sign in and any aliases you configured) and phone number(s), removing any that are out-of-date (or, in the case of email aliases, never used) and adding any new email addresses or phone numbers as needed.

Consider going truly passwordless. Microsoft is at the forefront of the push to a passwordless future, and it has allowed Microsoft account holders to remove the password from their account since 2021. This configuration change won’t impact your day-to-day account usage in the slightest (you will continue to authenticate using Microsoft Authenticator, for example), but it may still feel weird. (I haven’t removed the password from my primary MSA, but then I haven’t changed that password in several years either. I just never need it.) You can remove the password on the Microsoft account website’s Additional security options page under the “Additional security” section.

The more out-of-date your account is, the more time this will take. But it’s worth doing, and important to get it right. And please let me know if any of this is unclear or, God help us all, incorrect or incomplete. It’s important that I get this right as well.

Thurrott © 2024 Thurrott LLC