TheLogic IT Solutions

Cyber Security

How to Configure Multi-Factor Authentication (MFA)

Updated 22 April 2026

Multi-factor authentication is the single most effective security control you can roll out. Microsoft's own data puts the reduction in account compromise at 99.2%. And yet in about half the businesses we audit, MFA is either off, only enabled for admins, or enabled per-user but not actually enforced. This guide walks through setting it up properly.

What MFA actually is

Instead of logging in with just a password, users also confirm their identity with a second factor, usually an approval prompt on a phone app. If someone steals the password, they still can't log in without the phone. That's the whole value.

There are several kinds of second factor, in rough order of strength:

  • FIDO2 / hardware keys (YubiKey, Titan): Strongest, phishing-resistant
  • Authenticator app with number matching (Microsoft Authenticator, Authy): Strong, resists most phishing
  • Authenticator app with simple push: Good, but vulnerable to MFA fatigue attacks
  • SMS or voice call: Weakest, SIM-swappable, only use as a fallback

For most SMEs, Microsoft Authenticator with number matching is the right default.

Step 1: Enable Security Defaults (smallest tenants)

If you're on Microsoft 365 Business Basic or Standard and have fewer than 25 users, Security Defaults is the quickest path. It enforces MFA for everyone, blocks legacy authentication, and protects admin accounts, all with one switch.

  1. Sign in to the Microsoft Entra admin centre as a Global Administrator.
  2. Go to Identity → Overview → Properties.
  3. Scroll to Security defaults and toggle it to Enabled.
  4. Click Save.

That's it. Every user will be prompted to register MFA the next time they sign in.

Step 2: Conditional Access (Business Premium and above)

If you have Microsoft 365 Business Premium or an E3/E5 licence, use Conditional Access instead. It's more flexible: you can require MFA on risky sign-ins, allow a trusted office IP to skip the prompt, or demand a compliant device.

  1. In the Entra admin centre go to Protection → Conditional Access → Policies.
  2. Click New policy.
  3. Under Users, select All users, then exclude at least one break-glass admin account that you've set up with a long random password stored offline.
  4. Under Cloud apps, select All cloud apps.
  5. Under Grant, tick Require multifactor authentication.
  6. Turn the policy on in Report-only mode first for a day or two to see who would be affected.
  7. Once you're confident, flip it to On.

A second policy blocking legacy authentication should always go alongside this. Attackers love legacy authentication because it bypasses MFA entirely.
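The two policies from Step 2, created with the Microsoft Graph PowerShell SDK instead of the portal. This is an added example, not part of the original guide; it assumes the Microsoft.Graph module is installed, you sign in as a Global Administrator, and the break-glass UPN is replaced with your own.

```powershell
# Added example: Step 2 policies via Microsoft Graph PowerShell.
# Both are created in report-only mode so you can review the sign-in log
# before enforcing, exactly as the guide recommends.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "User.Read.All"

# Resolve the break-glass account so it can be excluded by object ID.
# Placeholder UPN: substitute the account you created with an offline password.
$breakGlassUpn = "breakglass@example.com"
$breakGlass = Get-MgUser -UserId $breakGlassUpn -Property Id -ErrorAction Stop

# Policy 1: require MFA for all users on all cloud apps.
$mfaPolicy = @{
    displayName   = "Require MFA for all users"
    state         = "enabledForReportingButNotEnforced"   # change to "enabled" once reviewed
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeUsers = @($breakGlass.Id) }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $mfaPolicy

# Policy 2: block legacy authentication. "exchangeActiveSync" and "other"
# are the client app types that cannot perform MFA.
$legacyPolicy = @{
    displayName   = "Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $legacyPolicy

# Confirm both policies exist and are still report-only before flipping them on.
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State
```

Report-only results appear in the Entra sign-in log under the policy's name; check them for a day or two before changing `state` to `enabled`.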

Step 3: Register users

Send each user a short note telling them:

  • Download Microsoft Authenticator from the App Store or Play Store
  • Sign in at https://aka.ms/mfasetup and follow the prompts
  • Add their work account, scan the QR code, done

Enable number matching. It's on by default for new tenants but may be off on older ones. Users type a number from the sign-in screen into the app, rather than just tapping Approve. This stops MFA fatigue attacks, where attackers spam approval requests until someone taps one by accident.

Step 4: Plan for lost phones

This trips up every rollout. People lose phones, change devices, and leave the business. Decide upfront:

  • Who can reset MFA? At minimum one IT admin plus a backup person.
  • Self-service reset: users can pre-register a second method (a backup phone number) via https://aka.ms/setupsecurityinfo. Encourage this.
  • Temporary Access Pass: in the Entra admin centre you can issue a one-time code that lets a user sign in and re-register MFA without a password reset.
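The checks an admin runs when handling Steps 3 and 4 in bulk: list who has not yet registered MFA, and issue a Temporary Access Pass to a user who has lost their phone. This is an added example, not the guide's own script; it assumes the Microsoft.Graph module, that Temporary Access Pass is enabled in your tenant's Authentication methods policy, and placeholder user names.

```powershell
# Added example: MFA registration audit plus a one-time Temporary Access Pass.
Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.ReadWrite.All"

# Step 3 follow-up: who has still not registered any MFA method?
# The registration report is the same data behind the Entra "Registration details" page.
$notRegistered = Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { -not $_.IsMfaRegistered } |
    Select-Object UserPrincipalName, IsMfaRegistered, MethodsRegistered
$notRegistered | Format-Table -AutoSize

# Step 4: a user lost their phone. Issue a single-use pass valid for one hour
# so they can sign in and re-register Microsoft Authenticator themselves.
$userUpn = "jane.doe@example.com"   # placeholder
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $userUpn -BodyParameter @{
    lifetimeInMinutes = 60
    isUsableOnce      = $true
}

# Read the code out to the user over a channel you have verified, never by email.
"TAP for $userUpn (expires in 60 minutes, single use): $($tap.TemporaryAccessPass)"
```

A single-use, short-lived pass limits the window if the code is intercepted; the user is prompted to register a new method on first sign-in.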

Step 5: Cover the other systems

MFA on Microsoft 365 is the biggest single win, but don't stop there. Enable it on:

  • Your firewall / VPN
  • Remote desktop gateways
  • Accounting software (Xero, Sage, QuickBooks)
  • Your domain registrar and DNS provider
  • The password manager itself
  • Banking and payroll portals

Anything that matters should have MFA. Anything with MFA should be using an authenticator app, not SMS, wherever possible.

Common objections

"It'll annoy people." Configure the prompt to remember devices for 30 days. Most users then enter MFA about once a month.

"Our old app doesn't support MFA." It's almost certainly using legacy authentication, which is a bigger security problem than the MFA hassle. Find a replacement or put it behind a VPN that does have MFA.

"What about our shared inbox?" Shared mailboxes in Microsoft 365 don't need their own MFA (they don't sign in themselves), but every user with access to them must have MFA.

That's it

For a 20-person business, rolling out MFA properly is a couple of hours of work plus a week of support. The payoff is that the single most common route to a serious incident, credential theft, just stops working.

If you'd like help with the rollout or a review of your existing setup, get in touch.