Microsoft 365 Security

How to Set Up Multi-Factor Authentication (MFA) in Microsoft 365

Multi-factor authentication is the single most impactful security control you can implement for Microsoft 365. MFA blocks over 99% of account takeover attacks caused by stolen credentials. This guide explains the correct way to set up MFA in M365 — using Conditional Access rather than legacy per-user MFA settings.


Overview

MFA blocks 99%+ of account takeover attacks from stolen credentials. In Microsoft 365, MFA should be enforced through Conditional Access (available in M365 Business Premium), which can also block legacy authentication, the most common MFA bypass. Microsoft Authenticator with number matching is the recommended MFA method for business users. Admin accounts should use phishing-resistant MFA.


Why MFA Is Essential for Microsoft 365

The majority of Microsoft 365 account compromises involve stolen or guessed passwords. Phishing campaigns harvest credentials at scale, credential stuffing attacks try passwords leaked from other services, and password spray attacks try common passwords against large numbers of accounts. A stolen password alone is enough to access an M365 account without MFA — with MFA, that stolen password is useless to an attacker.

Microsoft reports that MFA blocks over 99% of account takeover attacks. The NCSC recommends MFA as one of the most important cybersecurity controls for any organisation. Stolen or compromised credentials were the initial attack vector in 22% of data breaches globally in 2024, making credential protection through MFA directly relevant to most breach scenarios.

How MFA Works in Microsoft 365

When MFA is required, signing in to Microsoft 365 involves two steps: entering the password, then completing a second verification. The second factor can be: an approval prompt in the Microsoft Authenticator app (recommended); a time-based one-time code (TOTP) from an authenticator app; a phone call; an SMS code (less secure, but better than no MFA); or a hardware security key (FIDO2 standard — the most secure option).

Microsoft Authenticator is the recommended MFA method for most business users. It supports number matching — the user must enter a number shown on the login screen into the app, preventing simple MFA fatigue attacks where attackers bombard users with approval prompts hoping for an accidental approval. It also shows the location and application requesting access, helping users identify suspicious requests.

The Right Way to Enable MFA: Conditional Access

Microsoft 365 provides two mechanisms for enabling MFA: legacy per-user MFA settings (accessed through the user management portal) and Conditional Access policies (available with Entra ID P1, included in M365 Business Premium). AMVIA recommends Conditional Access for several important reasons.

Legacy per-user MFA settings are applied inconsistently and can be bypassed. Legacy email protocols — IMAP, POP3, basic SMTP authentication — do not support MFA and will authenticate using just a password regardless of per-user MFA settings. Conditional Access can block these legacy protocols entirely, eliminating this bypass. Conditional Access also allows more granular policy — requiring MFA for all applications, requiring step-up authentication for admin actions, and applying risk-based policies that require MFA when a sign-in looks suspicious.

For businesses on M365 Business Basic or Standard (which do not include Entra ID P1), Security Defaults provides a simplified set of pre-configured policies that enforce MFA for all users and block legacy authentication — a significant improvement over no MFA, though less flexible than full Conditional Access.

Protecting Admin Accounts

Admin accounts are the highest-value targets in any Microsoft 365 environment — a compromised Global Admin account gives an attacker unrestricted access to the entire tenant. Admin accounts should receive stronger MFA than standard user accounts.

AMVIA recommends phishing-resistant MFA for all admin accounts — either FIDO2 hardware security keys or Windows Hello for Business. Unlike app-based MFA, phishing-resistant MFA cannot be intercepted through adversary-in-the-middle attacks. Combined with Privileged Identity Management (PIM), which limits admin role activation to specific, time-limited sessions with approval workflow, admin accounts are significantly more resistant to compromise.

Handling MFA Rollout

Rolling out MFA to an existing Microsoft 365 environment requires careful planning to avoid disrupting users. AMVIA recommends: communicating to staff what is changing and why; using Conditional Access in report-only mode first to understand the impact; deploying Microsoft Authenticator to all users before enforcement; testing with a pilot group; then progressively expanding to the full user population. Common issues during rollout include users without smartphones needing an alternative second factor, and applications that use legacy authentication needing to be identified and addressed before legacy authentication blocking is enforced.
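The three policies this guide describes (MFA for a pilot group first, legacy authentication blocked, phishing-resistant MFA for admins) created in report-only mode with the Microsoft Graph PowerShell SDK, as an added example; this is not AMVIA's code. It assumes the Microsoft.Graph module is installed and the signed-in account can write Conditional Access policies; the two object IDs are placeholders, and excluding an emergency-access account is the example's own assumption, not a step from the guide.

```powershell
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"
# Placeholders: replace with real object IDs from your tenant.
$breakGlassUserId = "<object-id-of-emergency-access-account>"
$pilotGroupId     = "<object-id-of-pilot-group>"

# Policy 1: require MFA for the pilot group on all cloud apps. Report-only mode
# records in the sign-in logs who would have been prompted, without blocking anyone.
$requireMfa = @{
    displayName = "CA001 - Require MFA (pilot group)"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @($pilotGroupId); excludeUsers = @($breakGlassUserId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Policy 2: block legacy authentication (IMAP, POP3, SMTP AUTH, basic-auth
# ActiveSync). These clients cannot complete MFA, so the only safe grant is "block".
$blockLegacy = @{
    displayName = "CA002 - Block legacy authentication"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassUserId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# Policy 3: phishing-resistant MFA for Global Administrators, using Microsoft's
# built-in "Phishing-resistant MFA" authentication strength (FIDO2, Windows Hello
# for Business, certificate-based auth). Both GUIDs are Microsoft's fixed values.
$adminStrength = @{
    displayName = "CA003 - Phishing-resistant MFA for Global Admins"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeRoles = @("62e90394-69f5-4237-9190-012177145e10"); excludeUsers = @($breakGlassUserId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; authenticationStrength = @{ id = "00000000-0000-0000-0000-000000000004" } }
}

# Create all three in report-only mode; switch state to "enabled" per policy once
# the report-only sign-in log review shows no unexpected impact.
foreach ($p in @($requireMfa, $blockLegacy, $adminStrength)) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $p | Select-Object DisplayName, State
}
```

Review the "Report-only" column in the Entra sign-in logs for each policy before changing its state; the legacy authentication policy in particular will surface the scanners, copiers and line-of-business apps still using basic authentication.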

Key Considerations for UK SMEs

  • Enforce MFA through Conditional Access, not per-user settings — Conditional Access is more reliable and adds additional controls
  • Block legacy authentication simultaneously with MFA enforcement — this eliminates the most common bypass
  • Deploy Microsoft Authenticator with number matching enabled — more resistant to MFA fatigue attacks than SMS
  • Apply phishing-resistant MFA (FIDO2 or Windows Hello) to admin accounts
  • Communicate the rollout to staff in advance — MFA prompts without warning create helpdesk volume and user frustration

How AMVIA Can Help

AMVIA deploys and manages MFA for UK businesses as part of its Microsoft 365 security service. We configure Conditional Access policies, deploy Microsoft Authenticator to all user devices, manage the rollout process to minimise disruption, and handle helpdesk support for MFA-related issues. For businesses that need hardware security keys for admin accounts, AMVIA can procure and configure FIDO2 keys. Contact AMVIA on 0333 733 8050.

Key Points

What UK businesses need to know about MFA in Microsoft 365.

MFA Is the Most Important Control

Stolen or compromised credentials were the initial attack vector in 22% of data breaches in 2024 (Verizon DBIR 2025). MFA makes stolen passwords useless without the second factor.

Use Conditional Access, Not Per-User MFA

Legacy per-user MFA settings can be bypassed through legacy authentication protocols. Conditional Access enforces MFA reliably and blocks legacy authentication simultaneously.

Microsoft Authenticator Is the Right App

Microsoft Authenticator provides number matching and additional context in MFA prompts — making MFA fatigue attacks harder than SMS codes.

Admin Accounts Need Stronger MFA

Admin accounts are the highest-value target. Phishing-resistant MFA (FIDO2 keys or Windows Hello) and PIM should be applied to all privileged accounts.

MFA Rollout Checklist

  • Microsoft Authenticator deployed to all users before MFA enforcement
  • Conditional Access policy created — MFA required for all users, all applications
  • Number matching enabled in Authenticator — prevents MFA fatigue attacks
  • Legacy authentication blocked via Conditional Access
  • Service accounts and shared accounts identified and handled before enforcement
  • Admin accounts — phishing-resistant MFA (FIDO2 or Windows Hello) configured


Get MFA Properly Deployed

AMVIA deploys Microsoft 365 MFA correctly — Conditional Access policies, Microsoft Authenticator rollout, and legacy authentication blocking to close all bypass routes.