
How to Set Up MFA in Microsoft 365
- Sam Williams
- Mar 29
- 2 min read

If there's one thing you do for security this week, make it this. MFA blocks over 99% of account compromise attacks. It takes about 15 minutes to set up and it's included in every Microsoft 365 plan.
Here's how to enable it properly — not just the basic toggle, but the way that actually works for a real business.
The two ways to enable MFA
Microsoft gives you two options. The right one depends on your licence.
Security Defaults is the free option available on every plan. It forces MFA for all users using the Microsoft Authenticator app. Simple, but you can't customise it — it's all or nothing.
Conditional Access is the better option if you're on Business Premium, E3, or E5. It lets you create policies: require MFA only from outside the office, or only for admin accounts, or only when accessing sensitive apps. Much more flexible.
Setting up Security Defaults
Go to entra.microsoft.com → Identity → Overview → Properties.
Scroll to the bottom and click Manage security defaults.
Set it to Enabled and save.
Next time anyone signs in, they'll be prompted to set up the Microsoft Authenticator app. Give your team a heads-up before you do this.
Setting up Conditional Access
Go to entra.microsoft.com → Protection → Conditional Access → Policies.
Click New policy. Give it a name like 'Require MFA for all users'.
Under Users, select All users (exclude your break-glass admin account).
Under Target resources, select All cloud apps.
Under Grant, select Require multifactor authentication.
Set the policy to Report-only first. Check the sign-in logs after a few days to make sure nobody is locked out. Then switch to On.
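The same policy as the steps above, built with the Microsoft Graph PowerShell SDK instead of the portal (an added example, not from the original post). It creates the policy in report-only mode with the break-glass account excluded, then pulls the sign-ins the policy would not have satisfied so you can review them before switching it to On. Assumes the Microsoft.Graph modules are installed and that the break-glass UPN is a placeholder you replace with your own.

```powershell
# Added example, not part of the original post. Requires the Microsoft.Graph
# PowerShell SDK and an account allowed to manage Conditional Access.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All",
                        "AuditLog.Read.All", "Directory.Read.All"

# Placeholder: replace with your emergency-access (break-glass) account.
$breakGlass = Get-MgUser -UserId "breakglass@example.onmicrosoft.com"

# Mirrors the portal steps: all users, all cloud apps, grant = require MFA.
$policy = @{
    displayName   = "Require MFA for all users"
    state         = "enabledForReportingButNotEnforced"   # Report-only first
    conditions    = @{
        users          = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlass.Id)   # never lock out the break-glass account
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in report-only mode"

# After a few days: list sign-ins where the policy evaluated to
# 'reportOnlyFailure', i.e. the MFA requirement could not have been met
# (typically legacy-authentication clients or app passwords, the service
# accounts the post warns about). 'reportOnlyInterrupted' would instead mean
# the user would simply have been prompted for MFA.
Get-MgAuditLogSignIn -Top 500 |
    Where-Object {
        $_.AppliedConditionalAccessPolicies |
            Where-Object { $_.Id -eq $created.Id -and $_.Result -eq "reportOnlyFailure" }
    } |
    Select-Object UserPrincipalName, AppDisplayName, ClientAppUsed, CreatedDateTime -Unique |
    Format-Table
```

When the list is empty (or only contains accounts you have already moved off legacy authentication), change `state` to `enabled` with `Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }`.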
Getting your team set up
Send your team a quick email before you turn it on. Tell them to download the Microsoft Authenticator app on their phone.
When they next sign in, they'll get a prompt to register. It takes about 2 minutes. If someone doesn't have a smartphone, they can use SMS as a backup, but the app is more secure.
The most common complaint is 'it's annoying'. Once they realise it only prompts them occasionally — not every single sign-in — it settles down within a week.
Common mistakes
Not excluding a break-glass account. If your only admin gets locked out, you need an emergency account without MFA that you keep secured another way.
Turning on Conditional Access without testing in Report-only mode first. Always test.
Forgetting about service accounts. App passwords and service accounts that use legacy authentication will break if you don't handle them first.
If you'd rather have someone set this up properly the first time, we do it as part of our security uplift service. Takes about an hour and we handle the rollout communication to your team as well.