Two-step verification provides a layered approach to security. Even the most enterprising attacker would have problems compromising multiple authentication factors, because, even if the attacker obtains a user's password, the password would be useless without also being in possession of the additional authentication method, a mobile phone, for example. Multi-factor authentication works by requiring two or more authentication methods, which typically include something like a password that the user knows, something the user owns, typically a mobile phone, and something the user is, biometrics, for example. Azure MFA offers the ability to safeguard access to apps and data while maintaining a simple end-user experience. By providing additional security via a second form of authentication, MFA provides much sought after security for end-user authentication, and it does so via a range of easy to use authentication methods, including passwords, security questions, email address, application, OATH hardware token, SMS, voice call, and app passwords. Multi-Factor Authentication comes as part of Azure AD Premium.

 A subset of MFA capabilities is also available as part of an Office 365 subscription and as a means to protect Global Administrator accounts. As part of Azure AD Premium, Azure MFA is offered in two flavors, including the Azure Multi-Factor Authentication Service, which is cloud-based, and the Azure MFA Server option, which is a good option for organizations who have deployed ADFS and that want to or need to manage MFA on-prem. Because most users are used to using only passwords to authenticate to applications and services, it's critical that an organization communicate with the user base when rolling out an MFA solution. Doing so will invariably reduce the number of helpdesk calls that come in during any MFA rollout. Now, despite the best laid plans and deployments, there will be times when you may need to disable MFA in a one-off scenario. For example, if a user can't sign in because he has lost access to his authentication methods, a lost phone, for example, in such a case, you could use a conditional access policy for Azure MFA. 

With a conditional access policy in place, you can create a user group that is excluded from the policy that requires MFA. Placing the user in the excluded group would temporarily allow access until MFA functionality or access can be restored. A way to temporarily bypass MFA for Azure MFA Server users is to allow them to authenticate without two-step verification. Such a bypass can be configured but it expires after a specified number of seconds. Two-step verification prompts can be minimized for users that are on the local network. This can be accomplished with trusted IPs or named locations. By leveraging this features, an administrator for a managed or federated tenant can bypass two-step verification for users that are signing in from a trusted network location.