How to Set Up Multi-Factor Authentication (MFA) in Microsoft 365
Multi-factor authentication is the single most impactful security control you can implement for Microsoft 365. MFA blocks over 99% of account takeover attacks caused by stolen credentials. This guide explains the correct way to set up MFA in M365 — using Conditional Access rather than legacy per-user MFA settings.
Overview
MFA blocks 99%+ of account takeover attacks from stolen credentials. In Microsoft 365, MFA should be enforced through Conditional Access (available in M365 Business Premium), which can also be used to block legacy authentication and close the main bypass route. Microsoft Authenticator with number matching is the recommended MFA method for business users. Admin accounts should use phishing-resistant MFA.
Why MFA Is Essential for Microsoft 365
Multi-factor authentication is the single most impactful security control any UK business can implement for its Microsoft 365 environment. The majority of Microsoft 365 account compromises begin with stolen or guessed passwords — phishing campaigns harvest credentials at industrial scale, credential stuffing attacks try passwords leaked from other services, and password spray attacks systematically try common passwords against large numbers of accounts. Without MFA, a stolen password is all an attacker needs to access email, SharePoint, Teams, and OneDrive as if they were the legitimate user.
Microsoft reports that MFA blocks over 99% of account takeover attacks. The UK's National Cyber Security Centre (NCSC) recommends MFA as one of the most important cybersecurity controls for any organisation. With 43% of UK businesses experiencing a cybersecurity breach in 2025 (Department for Science, Innovation and Technology) and 85% of businesses that experienced a breach identifying phishing as the attack vector (DSIT Cyber Security Breaches Survey 2025), the case for MFA is unambiguous — it is not optional for any organisation handling business data in Microsoft 365.
Microsoft 365 is used by over 1 million UK businesses (Microsoft), yet a significant proportion have not implemented MFA correctly, leaving their accounts vulnerable to credential-based attacks that MFA would have prevented. This guide explains the correct approach to deploying MFA in Microsoft 365, the critical difference between legacy per-user MFA and Conditional Access-based MFA, and the steps involved in a successful rollout.
How MFA Works in Microsoft 365
When MFA is required, signing in to Microsoft 365 involves two verification steps. The first factor is the user's password — something they know. The second factor is an additional verification method — something they have or something they are. The available second-factor methods in Microsoft 365 include:
- Microsoft Authenticator app (recommended): A push notification or number matching prompt sent to the user's smartphone. The user approves the authentication request or enters a displayed number to confirm their identity.
- Time-based one-time code (TOTP): A six-digit code generated by an authenticator application that changes every 30 seconds. Compatible with Microsoft Authenticator and other TOTP-compatible apps.
- FIDO2 hardware security key (most secure): A physical device such as a YubiKey that the user plugs into their computer or taps against their phone. This method is phishing-resistant because the credential is cryptographically bound to the genuine sign-in origin: a lookalike domain cannot obtain a valid assertion, so an adversary-in-the-middle proxy has nothing usable to relay.
- Windows Hello for Business: Biometric authentication (fingerprint or facial recognition) or PIN tied to the specific device. Also phishing-resistant.
- SMS code (least secure): A one-time code sent via text message. Better than no MFA, but vulnerable to SIM swapping attacks and real-time interception through adversary-in-the-middle phishing.
- Phone call: An automated call requiring the user to press a key to confirm. Similar security limitations to SMS.
Microsoft Authenticator is the recommended MFA method for most business users. Since 2023, Microsoft has enforced number matching for Authenticator push notifications: the user must enter a two-digit number displayed on the sign-in screen into the Authenticator app, rather than simply tapping an approve button. This prevents MFA fatigue attacks (also called push bombing), where attackers repeatedly send approval requests hoping the user will tap approve out of frustration or confusion; a user who did not start the sign-in has no number to enter. The app also displays the application and geographic location of the authentication request, helping users identify requests they did not initiate. Note the limit of this protection: number matching does not stop adversary-in-the-middle phishing, because the victim is actively signing in through the attacker's proxy and is shown the number to enter. Only phishing-resistant methods close that gap.
The Correct Way to Enable MFA: Conditional Access
Microsoft 365 provides two distinct mechanisms for enabling MFA, and the difference between them is critical for security. Legacy per-user MFA settings are accessed through the Microsoft 365 user management portal and apply MFA on an individual user basis. Conditional Access policies are configured in Microsoft Entra ID and apply MFA based on configurable conditions. AMVIA strongly recommends Conditional Access over per-user MFA for every deployment.
Why Per-User MFA Is Inadequate
Legacy per-user MFA has two weaknesses. First, legacy email protocols (IMAP, POP3 and basic SMTP authentication) do not support modern authentication: a user in the "Enabled" but not yet "Enforced" state can still authenticate to them with a password alone, and an "Enforced" user can do so with an app password, which is itself a long-lived single-factor secret. Second, per-user MFA contains no mechanism to block those protocols, so an attacker holding a stolen password or app password can read the mailbox without ever seeing an MFA prompt. Microsoft reports that over 99% of password spray attacks use legacy authentication protocols precisely because they sidestep MFA.
Why Conditional Access Is the Right Approach
Conditional Access enforces MFA at the policy level, and a second policy that blocks legacy authentication protocols eliminates the bypass entirely. Beyond simply requiring MFA, Conditional Access adds contextual intelligence to authentication decisions: it can require MFA for all applications or only for specific high-sensitivity applications, apply stricter requirements when the sign-in risk is elevated, require device compliance before granting access, and enforce location-based policies that apply different requirements based on where the user is connecting from. Every policy should exclude a documented emergency-access (break-glass) account so that a misconfigured policy cannot lock every administrator out of the tenant.
Full Conditional Access requires Entra ID P1, which is included in Microsoft 365 Business Premium. For organisations on Business Basic or Standard, Security Defaults provides a simplified set of pre-configured policies that enforce MFA for all users and block legacy authentication — a significant improvement over no MFA, though without the granular control that Conditional Access offers.
Protecting Admin Accounts with Stronger MFA
Admin accounts are the highest-value targets in any Microsoft 365 environment. A compromised Global Administrator account gives an attacker unrestricted access to the entire tenant — every mailbox, every file, every security setting. Admin accounts must receive stronger MFA than standard user accounts, and additional controls beyond MFA alone.
AMVIA recommends phishing-resistant MFA for all admin accounts — either FIDO2 hardware security keys or Windows Hello for Business. Unlike app-based MFA, phishing-resistant methods cannot be intercepted through adversary-in-the-middle phishing attacks, where an attacker creates a convincing replica of the Microsoft sign-in page and proxies the authentication in real time, capturing both the password and the MFA response.
Combined with Privileged Identity Management (PIM), which limits admin role activation to specific, time-limited sessions with written justification and approval workflow, admin accounts become significantly more resistant to compromise. Only 14% of UK businesses have a formal incident response plan (DSIT 2025), making preventative controls for admin accounts especially important — preventing admin account compromise is far preferable to trying to respond to one.
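The Conditional Access approach described in the previous section and the phishing-resistant admin policy described here, as one added example using the Microsoft Graph PowerShell SDK (this is not AMVIA's deployment tooling or Microsoft's own sample). It creates the three core policies in report-only mode: MFA for all users, a block on legacy authentication, and phishing-resistant MFA for privileged directory roles. The break-glass UPN, policy names and the set of roles are assumptions; the role template IDs and the built-in "Phishing-resistant MFA" authentication strength ID are Microsoft's documented constants.

```powershell
# Added example (not AMVIA's own tooling): create the three core Conditional
# Access policies with the Microsoft Graph PowerShell SDK, all in report-only
# mode so they can be reviewed before enforcement.
# Assumptions: the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Users
# modules are installed; the signed-in admin holds Conditional Access
# Administrator (or higher); "breakglass@contoso.onmicrosoft.com" is a
# placeholder for the tenant's emergency-access account.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "User.Read.All"

# Emergency-access (break-glass) account: excluded from every policy so a
# misconfiguration cannot lock every administrator out of the tenant.
$breakGlass = Get-MgUser -Filter "userPrincipalName eq 'breakglass@contoso.onmicrosoft.com'"
if (-not $breakGlass) { throw "Break-glass account not found; create it before deploying policies." }

# Built-in directory role template IDs (identical in every tenant).
$privilegedRoles = @(
    "62e90394-69f5-4237-9190-012177145e10"  # Global Administrator
    "e8611ab8-c189-46e8-94e1-60213ab1f814"  # Privileged Role Administrator
    "194ae4cb-b126-40b2-bd5b-6091b380977d"  # Security Administrator
    "29232cdf-9323-42fd-ade2-1d097af3e4de"  # Exchange Administrator
    "b1be1c3e-b65d-4f19-8427-f6fa0d97feb9"  # Conditional Access Administrator
)

# Built-in authentication strength "Phishing-resistant MFA" (FIDO2 keys,
# Windows Hello for Business, certificate-based auth). ID fixed by Microsoft.
$phishingResistant = "00000000-0000-0000-0000-000000000004"

function New-CaPolicyBody {
    param(
        [string]$Name,
        [hashtable]$Users,
        [string[]]$ClientAppTypes,
        [hashtable]$Grant
    )
    # Every policy starts in report-only mode: nothing is enforced until an
    # administrator reviews the sign-in log and flips the state to "enabled".
    return @{
        displayName   = $Name
        state         = "enabledForReportingButNotEnforced"
        conditions    = @{
            users          = $Users
            applications   = @{ includeApplications = @("All") }
            clientAppTypes = $ClientAppTypes
        }
        grantControls = $Grant
    }
}

$policies = @(
    # CA001: MFA for everyone, every application, every client type.
    (New-CaPolicyBody -Name "CA001 - Require MFA for all users" `
        -Users @{ includeUsers = @("All"); excludeUsers = @($breakGlass.Id) } `
        -ClientAppTypes @("all") `
        -Grant @{ operator = "OR"; builtInControls = @("mfa") })

    # CA002: block legacy authentication. "exchangeActiveSync" and "other"
    # are the client types that cover basic-auth clients (IMAP, POP3,
    # SMTP AUTH, older Office); browsers and modern desktop apps are unaffected.
    (New-CaPolicyBody -Name "CA002 - Block legacy authentication" `
        -Users @{ includeUsers = @("All"); excludeUsers = @($breakGlass.Id) } `
        -ClientAppTypes @("exchangeActiveSync", "other") `
        -Grant @{ operator = "OR"; builtInControls = @("block") })

    # CA003: phishing-resistant MFA for privileged directory roles. An
    # authentication strength replaces the generic "mfa" grant, so a push
    # approval, TOTP or SMS code no longer satisfies the policy for these roles.
    (New-CaPolicyBody -Name "CA003 - Phishing-resistant MFA for admins" `
        -Users @{ includeRoles = $privilegedRoles; excludeUsers = @($breakGlass.Id) } `
        -ClientAppTypes @("all") `
        -Grant @{ operator = "OR"; authenticationStrength = @{ id = $phishingResistant } })
)

foreach ($body in $policies) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $body
    Write-Host ("Created {0} ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State)
}

# After the report-only review, promote a policy to enforcement by its ID.
function Enable-CaPolicy {
    param([string]$PolicyId)
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $PolicyId -State "enabled"
}
```

Enforce CA003 before the admins' FIDO2 keys or Windows Hello for Business are registered and those admins will be locked out of every portal; register the phishing-resistant method first, confirm it in the report-only results, then call Enable-CaPolicy. The break-glass account itself should be protected by a FIDO2 key kept offline and monitored for any sign-in, since it is deliberately outside every policy.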
Planning and Executing an MFA Rollout
Rolling out MFA to an existing Microsoft 365 environment requires careful planning to avoid disrupting productivity whilst ensuring comprehensive coverage. AMVIA follows a structured rollout process for every MFA deployment:
- Communication first: Staff are informed about what is changing, why MFA is being implemented, and what they need to do. MFA prompts appearing without warning create helpdesk volume, user frustration, and resistance to adoption.
- Deploy Microsoft Authenticator: The Authenticator app is installed on all user devices before MFA enforcement begins. Users register their MFA methods through a guided setup process during a defined registration window.
- Report-only mode: New Conditional Access policies are deployed in report-only mode first, logging what the policy would have done without actually enforcing it. This identifies users, devices, or applications that would be affected, allowing any issues to be addressed before enforcement.
- Pilot group enforcement: MFA is enforced for a pilot group — typically IT staff and willing early adopters — to validate the experience and identify any operational issues in a controlled environment.
- Full rollout: MFA enforcement is expanded to the entire user population, with helpdesk support available to assist users who encounter issues during the transition.
- Legacy authentication blocking: Legacy authentication protocols are blocked via Conditional Access simultaneously with or shortly after MFA enforcement. Applications and devices using legacy authentication — older email clients, printers, scanners — are identified and migrated to modern authentication before blocking is enforced.
Common MFA Rollout Challenges
Several common challenges arise during MFA deployment that should be anticipated and planned for. Users without smartphones need an alternative MFA method — FIDO2 hardware keys, phone call verification, or TOTP codes generated by a desktop application can serve as alternatives. Shared accounts and service accounts that cannot complete interactive MFA require specific handling — options include managed identities, application passwords for legacy applications, or Conditional Access exclusions with documented risk acceptance.
Applications that use legacy authentication protocols — older versions of Outlook, multifunction printers that scan to email, line-of-business applications that connect to Exchange via IMAP — must be identified and addressed before legacy authentication is blocked. AMVIA conducts a legacy authentication audit as part of every MFA deployment, identifying these dependencies and providing a remediation path for each one.
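The report-only review described in the rollout steps and the legacy authentication audit described here both come from the same source, the Entra ID sign-in log. The following is an added example (not AMVIA's audit tooling) that pulls the last 14 days of sign-ins with the Microsoft Graph PowerShell SDK and produces two reports: which users, protocols and source addresses still authenticate with legacy protocols, and what each report-only Conditional Access policy would have done. The 14-day window and output file names are assumptions; the client-type names and policy result values are the ones the sign-in log emits.

```powershell
# Added example (not AMVIA's own audit tooling): review the Entra ID sign-in
# log for (1) remaining legacy authentication and (2) report-only Conditional
# Access outcomes before any policy is enforced.
# Assumptions: Microsoft.Graph.Reports is installed; the caller holds
# AuditLog.Read.All; the tenant has Entra ID P1 (required for sign-in log
# access); policies were created in report-only mode beforehand.

Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

$days  = 14
$since = (Get-Date).ToUniversalTime().AddDays(-$days).ToString("yyyy-MM-ddTHH:mm:ssZ")

# Only createdDateTime is filtered server-side; the sign-in log supports a
# narrow set of OData filters, so the rest is done client-side.
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

# Microsoft classifies every clientAppUsed value other than these two as
# legacy authentication (IMAP4, POP3, Authenticated SMTP, Exchange ActiveSync,
# "Other clients", and so on).
$modernClients = @("Browser", "Mobile Apps and Desktop clients")
$legacy = $signIns | Where-Object { $_.ClientAppUsed -and ($_.ClientAppUsed -notin $modernClients) }

# Report 1: who and what still depends on legacy auth. Successful sign-ins
# (ErrorCode 0) are the ones that will break when the block policy is enforced;
# failures with no successes are usually password spray and can be ignored here.
$legacyReport = $legacy |
    Group-Object UserPrincipalName, ClientAppUsed, AppDisplayName |
    ForEach-Object {
        $ok = @($_.Group | Where-Object { $_.Status.ErrorCode -eq 0 }).Count
        [pscustomobject]@{
            User      = $_.Group[0].UserPrincipalName
            Protocol  = $_.Group[0].ClientAppUsed
            App       = $_.Group[0].AppDisplayName
            Attempts  = $_.Count
            Successes = $ok
            LastSeen  = ($_.Group | Sort-Object CreatedDateTime -Descending)[0].CreatedDateTime
            SourceIPs = (($_.Group.IpAddress | Sort-Object -Unique) -join ",")
        }
    } | Sort-Object Successes -Descending

$legacyReport | Format-Table -AutoSize

# Report 2: report-only outcomes per policy.
#   reportOnlyFailure     = the sign-in would have been blocked
#   reportOnlyInterrupted = the user would have been prompted (MFA, compliance)
#   reportOnlySuccess     = the sign-in would have been allowed as-is
$caReport = $signIns |
    ForEach-Object { $_.AppliedConditionalAccessPolicies } |
    Where-Object { $_.Result -like "reportOnly*" } |
    Group-Object DisplayName, Result |
    ForEach-Object {
        [pscustomobject]@{
            Policy  = $_.Group[0].DisplayName
            Result  = $_.Group[0].Result
            SignIns = $_.Count
        }
    } | Sort-Object Policy, Result

$caReport | Format-Table -AutoSize

# Export both reports for the remediation tracker (one row per dependency).
$legacyReport | Export-Csv -NoTypeInformation -Path ".\legacy-auth-audit.csv"
$caReport     | Export-Csv -NoTypeInformation -Path ".\ca-report-only-results.csv"
```

Get-MgAuditLogSignIn returns interactive user sign-ins by default. Background mail clients and scan-to-email devices often appear only in the non-interactive log, so run the query a second time with `and signInEventTypes/any(t: t eq 'nonInteractiveUser')` appended to the filter before treating the legacy report as complete. A row with many successes from a single IP address is typically a printer or an appliance; a row with many failures and no successes is a spray attempt against that account.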
Key Considerations for UK SMEs
- Enforce MFA through Conditional Access, not per-user settings — Conditional Access provides reliable, bypass-resistant enforcement with additional contextual controls
- Block legacy authentication simultaneously with or shortly after MFA enforcement — this eliminates the most commonly exploited bypass route
- Deploy Microsoft Authenticator with number matching enabled — significantly more resistant to MFA fatigue attacks than simple push notifications or SMS codes
- Apply phishing-resistant MFA (FIDO2 or Windows Hello for Business) to all admin accounts — preventing adversary-in-the-middle interception
- Communicate the rollout to staff in advance and provide clear instructions — user adoption is as important as technical configuration
How AMVIA Can Help
AMVIA deploys and manages MFA for UK businesses as part of its Microsoft 365 security service. We configure Conditional Access policies, deploy Microsoft Authenticator to all user devices, manage the rollout process to minimise disruption, conduct legacy authentication audits to identify and resolve dependencies, and handle ongoing helpdesk support for MFA-related issues. For businesses that need hardware security keys for admin accounts, AMVIA can procure and configure FIDO2 keys. Our cybersecurity team ensures that MFA deployment is part of a comprehensive security strategy, not an isolated configuration change. Contact AMVIA on 0333 733 8050.
Key Points
What UK businesses need to know about MFA in Microsoft 365.
MFA Is the Most Important Control
Stolen or compromised credentials were the initial attack vector in 22% of data breaches in 2024 (Verizon DBIR 2025). MFA makes stolen passwords useless without the second factor.
Use Conditional Access, Not Per-User MFA
Legacy per-user MFA settings can be bypassed through legacy authentication protocols and app passwords. Conditional Access enforces MFA reliably, and a companion policy blocks legacy authentication outright.
Microsoft Authenticator Is the Right App
Microsoft Authenticator provides number matching and additional context in MFA prompts, which defeats MFA fatigue attacks, and it is a stronger second factor than SMS codes, which can be intercepted or relayed.
Admin Accounts Need Stronger MFA
Admin accounts are the highest-value target. Phishing-resistant MFA (FIDO2 keys or Windows Hello) and PIM should be applied to all privileged accounts.
MFA Rollout Checklist
Microsoft Authenticator deployed to all users before MFA enforcement
Conditional Access policy created — MFA required for all users, all applications, with a documented emergency-access account excluded
Number matching enabled in Authenticator — prevents MFA fatigue attacks
Legacy authentication blocked via Conditional Access
Service accounts and shared accounts identified and handled before enforcement
Admin accounts — phishing-resistant MFA (FIDO2 or Windows Hello) configured
Frequently Asked Questions
Can we use SMS text messages as our MFA method?
Yes, but SMS-based MFA is less secure than app-based MFA. SMS messages can be intercepted through SIM swapping attacks, and SMS codes can be relayed in real time by attackers using adversary-in-the-middle phishing. Microsoft Authenticator with number matching is significantly more resistant to push bombing, and FIDO2 keys or Windows Hello for Business are the only methods that resist adversary-in-the-middle phishing. AMVIA recommends Authenticator app MFA as the standard, with SMS as a fallback only for staff who cannot use a smartphone for work purposes.
What happens to service accounts and shared mailboxes?
Service accounts and shared mailboxes that use automated authentication may be affected by MFA enforcement. AMVIA identifies these accounts during the rollout planning phase. Options include: excluding specific service accounts from MFA policies (with careful documentation of the security risk accepted and a compensating control such as a named-location restriction); configuring application passwords for legacy applications; using managed identities for Azure-connected services; or migrating to modern authentication methods. Shared mailboxes in Exchange Online accessed by multiple users are typically handled through delegate access rather than shared credentials, so the shared mailbox itself needs no MFA method and can have direct sign-in blocked.
What is an MFA fatigue attack and does Authenticator stop it?
MFA fatigue (push bombing) involves attackers bombarding a user's phone with repeated MFA approval requests, hoping the user approves one accidentally. Number matching in Microsoft Authenticator prevents this: the user must enter a number shown only on the screen where the sign-in was started, and a user who did not start the sign-in has no number to type, so an accidental approval is not possible. Microsoft Authenticator also shows the application and location of the request, helping users identify requests they did not initiate. It does not protect against adversary-in-the-middle phishing, where the user is signing in through the attacker's proxy and sees the number; that requires phishing-resistant MFA.
Get MFA Properly Deployed
AMVIA deploys Microsoft 365 MFA correctly — Conditional Access policies, Microsoft Authenticator rollout, and legacy authentication blocking to close all bypass routes.
Related Resources
Conditional Access Guide
The correct mechanism for enforcing MFA and device compliance in M365.
Microsoft 365 Security Guide
MFA as part of a complete M365 security strategy for UK businesses.
Zero Trust Security
MFA is the foundation of zero trust — every access request verified, every time.