Why MFA Matters
Multi-factor authentication (MFA) is the single most effective control you can deploy to prevent unauthorized account access. Microsoft reports that MFA blocks over 99.9% of automated account compromise attacks. If your organization uses Microsoft 365 without MFA, you are leaving the front door open.
MFA works by requiring a second form of verification beyond a password. Even if an attacker obtains a user's password through phishing or a data breach, they cannot access the account without the second factor.
Before You Start
You need the following to complete this setup:
- Global Administrator or Authentication Administrator role in Microsoft Entra ID (formerly Azure AD)
- Access to the Microsoft Entra admin center
- A plan for communicating the change to your users before enforcement
Option 1: Security Defaults (Recommended for Most Small Businesses)
Security Defaults is Microsoft's built-in baseline that enforces MFA for all users. It is the fastest way to enable MFA across your entire tenant.
Steps
- Sign in to the Microsoft Entra admin center
- Navigate to Identity > Overview > Properties
- Select Manage security defaults
- Set the toggle to Enabled
- Click Save
What Security Defaults Enforce
- MFA registration for all users within 14 days
- MFA challenge on every sign-in from a new device or location
- Blocking of legacy authentication protocols (IMAP, POP3, SMTP basic auth)
- Requiring MFA for all administrative actions
Limitations
Security Defaults do not allow you to exclude specific users, configure trusted locations, or use Conditional Access policies. If you need that level of control, use Option 2.
Option 2: Conditional Access Policies (For More Control)
Conditional Access gives you granular control over when and how MFA is required. This requires Microsoft Entra ID P1 licensing, which is included with Microsoft 365 Business Premium. Athencia deploys Business Premium for all managed clients specifically because it includes Conditional Access, Intune, and Defender for Office 365. Business Basic and Business Standard do not include Conditional Access, so organizations on those tiers are limited to Security Defaults.
Steps
- Sign in to the Microsoft Entra admin center
- Navigate to Protection > Conditional Access > Policies
- Click + New policy
- Name the policy (e.g., "Require MFA for all users")
- Under Assignments > Users, select All users
- Under Assignments > Target resources, select All cloud apps
- Under Grant, select Require multifactor authentication
- Set Enable policy to On
- Click Create
Recommended Additions
- Exclude a break-glass admin account from the policy so you are never locked out
- Add a trusted location for your office network to reduce MFA prompts for on-site work
- Require compliant devices in addition to MFA for sensitive applications
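The same "Require MFA for all users" policy the steps above build in the portal, including the break-glass exclusion and trusted-location exclusion from the list above, expressed as a Microsoft Graph PowerShell script. This is an added example, not Athencia's tooling; it assumes the Microsoft.Graph module is installed, the signed-in admin holds the Policy.ReadWrite.ConditionalAccess scope, the tenant has Entra ID P1, and the break-glass object ID is a placeholder you replace.

```powershell
# Added example: create the Conditional Access policy via Microsoft Graph PowerShell.
# Assumes Microsoft.Graph is installed and the tenant has Entra ID P1 (Business Premium).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: object ID of the emergency-access (break-glass) admin account.
$breakGlassId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName   = "Require MFA for all users"
    # Start in report-only mode so sign-in logs show who would be affected;
    # change to "enabled" (the portal's "Enable policy: On") once reviewed.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassId)   # never lock out the break-glass account
        }
        applications   = @{
            includeApplications = @("All")    # "All cloud apps" in the portal
        }
        clientAppTypes = @("all")
        locations      = @{
            includeLocations = @("All")
            # Skips the MFA prompt from named locations marked as trusted
            # (for example the office IP range); requires that location to exist.
            excludeLocations = @("AllTrusted")
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")            # "Require multifactor authentication"
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy '$($created.DisplayName)' (id $($created.Id)) in state $($created.State)"
```

To require a compliant device as well for sensitive apps, create a second policy scoped to those apps with `builtInControls = @("mfa", "compliantDevice")` and `operator = "AND"`.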
Helping Your Users Through the Transition
Rolling out MFA without communication causes frustration and support tickets. Here is a practical rollout approach:
- Notify users 1 week before enforcement. Explain what is changing and why.
- Send setup instructions with screenshots of the Microsoft Authenticator app installation process.
- Allow a registration window. Security Defaults give users 14 days to register.
- Designate an internal point of contact for questions during the first week.
Recommended Authenticator Apps
- Microsoft Authenticator (preferred for Microsoft 365 environments)
- Google Authenticator
- Authy
Hardware security keys (FIDO2) are the strongest option for high-value accounts. YubiKey is the most common choice.
For password management alongside MFA, 1Password pairs well with any authenticator setup. It stores passwords securely and can generate strong, unique passwords for every service. Athencia includes 1Password in its Athencia One Complete package and offers it as an add-on for Athencia One clients.
Verifying MFA Is Active
After enabling MFA, verify it is working:
- Go to the Entra admin center > Users > All users
- Select a user and go to Authentication methods
- Confirm the user has registered at least one MFA method
You can also run the MFA registration report under Protection > Authentication methods > Activity to see registration status across all users.
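The same registration check, pulled from the Graph authentication-methods registration report with Microsoft Graph PowerShell so it can be run on a schedule rather than clicked through in the portal. This is an added example, not code from the original page; it assumes the Microsoft.Graph.Reports module is installed, the admin holds the AuditLog.Read.All scope, and the tenant has Entra ID P1, which the report requires.

```powershell
# Added example: list users who have not registered an MFA method, admins first.
# Assumes Microsoft.Graph.Reports is installed and the tenant has Entra ID P1.
Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All"

# One record per user: IsMfaRegistered, IsAdmin, MethodsRegistered, UserPrincipalName
$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

$notRegistered = @($details | Where-Object { -not $_.IsMfaRegistered })
$adminsWithoutMfa = @($notRegistered | Where-Object { $_.IsAdmin })

Write-Host ("{0} of {1} users have no MFA method registered" -f $notRegistered.Count, $details.Count)

# Admin accounts without MFA are the highest-risk gap; call them out explicitly.
if ($adminsWithoutMfa.Count -gt 0) {
    Write-Warning ("Admin accounts without MFA: " + ($adminsWithoutMfa.UserPrincipalName -join ", "))
}

$notRegistered |
    Select-Object UserPrincipalName, IsAdmin,
        @{ Name = "Methods"; Expression = { $_.MethodsRegistered -join "," } } |
    Sort-Object IsAdmin -Descending |
    Format-Table -AutoSize
```

Run it again after the 14-day registration window closes; any user still listed is the one who will be blocked or prompted to register at next sign-in.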
Common Issues
| Issue | Cause | Fix |
|---|---|---|
| User cannot register for MFA | Legacy browser or blocked pop-ups | Use Edge or Chrome, allow pop-ups for microsoft.com |
| MFA prompt on every sign-in | No trusted device or location configured | Add office IP as trusted location in Conditional Access |
| App passwords not working | Legacy apps using basic auth | Migrate to modern authentication or create app-specific passwords |
| Locked out after phone loss | No backup method registered | Use break-glass account to reset; require backup methods during registration |
Summary
Enabling MFA is the highest-impact security action you can take for your Microsoft 365 environment. Security Defaults work well for most small businesses. Organizations needing granular control should use Conditional Access policies. Either way, communicate the change to your users before enforcing it.
MFA protects against password-based attacks, but it is one layer in a broader security stack. Athencia pairs MFA with Huntress Managed ITDR, which monitors identity-based threats across your Microsoft Entra ID environment around the clock. If an attacker bypasses MFA through token theft, session hijacking, or social engineering, Huntress's 24/7 SOC team detects and responds to the threat in real time.
If you need help configuring MFA or rolling it out across your organization, contact Athencia. We handle this as part of every onboarding.