Microsoft 365 MFA Rollout: The Complete Guide for UK SMEs (Before Your Cyber Essentials Assessment)

If you're running a UK SME and your Cyber Essentials assessment is looming, there's one security measure you absolutely can't skip: Multi-Factor Authentication (MFA) on Microsoft 365. It's not just a nice-to-have anymore; it's a fundamental requirement that assessors will check, and for good reason. MFA blocks 99.9% of automated attacks, even when passwords are compromised.

Let's cut through the confusion and get your MFA implementation sorted properly, without the headaches.

Why MFA Is Non-Negotiable for Cyber Essentials

The UK government and Cyber Essentials assessors have made their position crystal clear: MFA is a critical security control. You can have the strongest passwords in the world, but if someone phishes your finance manager's credentials, you're one click away from a data breach.

MFA adds that crucial second layer. Even if attackers steal passwords through phishing, keyloggers, or database breaches, they still can't access your systems without that second authentication factor, typically a code from a mobile app or text message.

For your Cyber Essentials assessment, assessors will specifically verify that MFA is enabled across your Microsoft 365 tenant, particularly for admin accounts and anyone accessing sensitive data.


Before You Start: The Pre-Implementation Checklist

Don't just flip the MFA switch and hope for the best. A bit of preparation prevents support nightmares later.

You'll need:

  • Global Administrator access to your Microsoft 365 tenant
  • A complete list of all users, their roles, and devices they use
  • An inventory of third-party systems that connect to Microsoft 365 (CRM, accounting software, project management tools)
  • A decision on Security Defaults versus Conditional Access (we'll explain both)
  • A plan for storing backup recovery codes securely offline
  • A clear communication strategy for your staff

The last point is crucial. Staff who aren't warned about MFA can panic when they suddenly can't access email. A simple email explaining what's happening, why it matters, and how to set it up goes a long way.

Two Paths to MFA: Which Should You Choose?

Microsoft gives you two main approaches to enforcing MFA across your organization.

Security Defaults: The Express Lane

Best for: Micro businesses with 1-10 users who want the simplest possible setup.

Security Defaults is Microsoft's one-click MFA solution. It enforces MFA for everyone with no exceptions and no complex configuration needed. You turn it on, and everyone gets prompted to set up MFA the next time they sign in.

The downside? Zero flexibility. Everyone gets MFA all the time, even when they're sat at their desk in your office. For very small teams, this is fine. For larger organizations, it can feel heavy-handed.

Conditional Access: The Smart Choice for Most SMEs

Best for: Businesses with 10+ employees or those needing flexibility while maintaining security.

Conditional Access lets you create intelligent policies. For example, you can require MFA only when staff sign in from outside your office network, or apply stricter rules to admin accounts while being more lenient with general users.

This is what we recommend for most UK SMEs. Yes, it requires a bit more setup time, but the flexibility is worth it, and your staff will thank you for not making them authenticate fifteen times a day when they're already in the office.


The Four-Hour Fast-Track Implementation

If you're working against the clock before an assessment, here's a realistic timeline for implementing MFA across a business with up to 50 employees:

Hour 1: Planning and Audit
Map out all your systems, users, and potential compatibility issues. Identify which approach (Security Defaults or Conditional Access) fits your needs.

Hour 2: Configure Microsoft 365
Set up MFA on your Microsoft 365 tenant, starting with your own admin account.

Hour 3: Test Critical Systems
Verify that your accounting software, CRM, and other key applications still work properly with MFA enabled.

Hour 4: Staff Training and Documentation
Walk your team through the setup process and create simple documentation they can reference later.

For larger organizations, add another hour or two for coordination across departments.

Step-by-Step: Setting Up MFA Properly

Start With Your Admin Account

Never enable MFA for your entire organization before testing it on your own admin account first. This takes about 30 minutes and prevents you from locking yourself out.

  1. Sign in to the Microsoft 365 admin center
  2. Go to Users > Active users
  3. Select your admin account
  4. Click Manage multi-factor authentication
  5. Enable MFA and set up the Microsoft Authenticator app on your phone
  6. Store your backup codes somewhere secure and offline (not in your email)

Once your own account works perfectly, move forward with the organization-wide rollout.

Organization-Wide Enforcement Using Conditional Access

For most UK SMEs, Conditional Access strikes the right balance. Here's how to configure it:

  1. Navigate to the Azure Active Directory admin center (https://aad.portal.azure.com)
  2. Go to Security > Conditional Access
  3. Click + New policy
  4. Name it something clear like "Require MFA for All Users"
  5. Under Assignments > Users, select all users
  6. Under Cloud apps or actions, select your Microsoft 365 services
  7. Under Grant controls, tick "Require multi-factor authentication"
  8. Critical step: Set the policy to Report-only mode initially
  9. Monitor the report-only results for a few days to spot any issues
  10. Once you're confident, change the policy to On

This report-only phase lets you identify problems before they impact your business operations. Maybe you discover that your warehouse scanner app doesn't support MFA, or that your finance director uses an ancient email client. Better to find out in report-only mode than when she's trying to process payroll.
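The same ten steps, done from the command line rather than the portal, as an added example using the Microsoft Graph PowerShell SDK (this script is added here and is not from the original article or from Microsoft's own documentation). It assumes the Microsoft.Graph module is installed, that you sign in with a Global Administrator account, and that the break-glass account name is a placeholder you replace with your own; excluding that emergency account from the policy is an assumption made so the account on the pre-assessment checklist can never be locked out by this policy.

```powershell
# Added example: create the "Require MFA for All Users" Conditional Access policy in
# report-only mode with the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph).
# Assumptions: you sign in as a Global Administrator, and the break-glass UPN below is a
# placeholder for your own emergency admin account.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All",
                        "User.Read.All", "AuditLog.Read.All", "Directory.Read.All"

# Placeholder (assumption): the emergency admin account that stays outside this policy,
# so a misconfiguration cannot lock every administrator out of the tenant.
$breakGlassUpn = "breakglass@EXAMPLE-TENANT.onmicrosoft.com"
$breakGlass = Get-MgUser -Filter "userPrincipalName eq '$breakGlassUpn'" -Property Id
if (-not $breakGlass) { throw "Break-glass account $breakGlassUpn not found; create it first." }

$policy = @{
    displayName = "Require MFA for All Users"          # step 4
    state       = "enabledForReportingButNotEnforced"  # step 8: report-only, nothing enforced yet
    conditions  = @{
        users = @{
            includeUsers = @("All")                     # step 5
            excludeUsers = @($breakGlass.Id)
        }
        applications = @{
            includeApplications = @("Office365")        # step 6: the Microsoft 365 service bundle
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")                      # step 7
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created '$($created.DisplayName)' (id $($created.Id)) in state: $($created.State)"

# Step 9: after a few days, list the sign-ins the policy would NOT have let through as-is.
# Each sign-in record carries the policies evaluated against it and a report-only result
# (reportOnlySuccess, reportOnlyFailure, reportOnlyNotApplied or reportOnlyInterrupted).
$since = (Get-Date).ToUniversalTime().AddDays(-3).ToString("yyyy-MM-ddTHH:mm:ssZ")
$wouldFail = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object {
        $_.AppliedConditionalAccessPolicies |
            Where-Object { $_.Id -eq $created.Id -and $_.Result -eq "reportOnlyFailure" }
    } |
    Sort-Object UserPrincipalName, AppDisplayName, ClientAppUsed -Unique
$wouldFail | Select-Object UserPrincipalName, AppDisplayName, ClientAppUsed | Format-Table -AutoSize

# Step 10: once you are confident, switch the policy to On (uncomment to apply).
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id `
#     -BodyParameter @{ state = "enabled" }
```

The report-only query at step 9 is where the warehouse scanner or the ancient email client shows up: its sign-ins appear with a `ClientAppUsed` value that cannot complete MFA. For the phased rollout described further down, replace `includeUsers = @("All")` with `includeGroups` pointing at a pilot group, and widen the group each week.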


The Phased Rollout Approach (Lower Risk, Better Results)

Rather than switching on MFA for everyone simultaneously and creating chaos, try this three-week rollout:

Week 1: Pilot with IT Staff
Enable MFA for yourself and any other tech-savvy team members. Document issues with legacy applications. Update your support documentation. Start communicating the rollout to the wider team.

Week 2: Management and Sensitive Roles
Roll out to managers and anyone handling financial or personal data. Incorporate feedback from Week 1. Prepare staff for full deployment.

Week 3: Full Organization Rollout
Enable MFA for all remaining users. By now, you've ironed out most issues and staff know what's coming.

This approach dramatically reduces support tickets and user frustration.

Smart Conditional Access Policies for UK SMEs

Once you've got the basics sorted, consider these more sophisticated policies:

  • Block legacy authentication entirely. Old email protocols that don't support MFA are security nightmares and offer minimal business value in 2026.
  • Require MFA for external sign-ins only while allowing simpler authentication from your office network (if appropriate for your risk level).
  • Apply stricter rules to admin accounts. Your global administrator account should always require MFA, regardless of location or device.
  • Enforce device compliance. For sensitive data access, require that devices meet basic security standards.

These policies let you maintain strong security without making everyday work unnecessarily difficult.
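The four policies in the list above, expressed as Microsoft Graph PowerShell so they can be reviewed and version-controlled, as an added example that is not from the original article or from Microsoft. It assumes `Connect-MgGraph` has already run with the `Policy.ReadWrite.ConditionalAccess` and `Directory.Read.All` scopes, that `$breakGlassId` is a placeholder you replace with your emergency account's object id, that your office IP ranges are already marked as trusted named locations, and (for the last policy) that Intune compliance policies exist; every policy is created in report-only mode.

```powershell
# Added example: the "smart" Conditional Access policies, all created report-only.
# Assumptions: Connect-MgGraph already done with Policy.ReadWrite.ConditionalAccess and
# Directory.Read.All; $breakGlassId is a placeholder for your emergency admin account.

$breakGlassId = "00000000-0000-0000-0000-000000000000"   # placeholder: replace with your own

# Small helper so each policy reads as a short declaration. Every policy starts report-only;
# move it to "enabled" only after the report-only results look clean.
function New-ReportOnlyCaPolicy {
    param(
        [string]$Name,
        [hashtable]$Users,
        [string[]]$Apps = @("All"),
        [string[]]$ClientAppTypes = @("all"),
        [hashtable]$Locations = $null,
        [string[]]$Controls
    )
    $conditions = @{
        users          = $Users
        applications   = @{ includeApplications = $Apps }
        clientAppTypes = $ClientAppTypes
    }
    if ($Locations) { $conditions.locations = $Locations }
    $body = @{
        displayName   = $Name
        state         = "enabledForReportingButNotEnforced"
        conditions    = $conditions
        grantControls = @{ operator = "OR"; builtInControls = $Controls }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

$allUsers = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }

# 1. Block legacy authentication. Basic-auth Exchange ActiveSync and the "other clients"
#    bucket (IMAP, POP3, SMTP AUTH, old Office builds) cannot complete MFA, so block them.
New-ReportOnlyCaPolicy -Name "Block legacy authentication" -Users $allUsers `
    -ClientAppTypes @("exchangeActiveSync", "other") -Controls @("block")

# 2. MFA only for sign-ins from outside the office. "AllTrusted" means the named
#    locations you have marked as trusted in the portal (your office IP ranges).
New-ReportOnlyCaPolicy -Name "Require MFA outside the office" -Users $allUsers `
    -Locations @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") } `
    -Controls @("mfa")

# 3. Admins always need MFA, from any location or device. Target directory roles rather
#    than named people so a newly assigned admin is covered automatically.
$adminRoles = Get-MgDirectoryRoleTemplate |
    Where-Object { $_.DisplayName -in @("Global Administrator", "Exchange Administrator", "User Administrator") } |
    Select-Object -ExpandProperty Id
New-ReportOnlyCaPolicy -Name "Require MFA for administrators" `
    -Users @{ includeRoles = $adminRoles; excludeUsers = @($breakGlassId) } -Controls @("mfa")

# 4. Device compliance for sensitive data. Scope is the Microsoft 365 bundle here as a
#    placeholder; narrow -Apps to the applications that actually hold the sensitive data.
New-ReportOnlyCaPolicy -Name "Require compliant device for sensitive data" -Users $allUsers `
    -Apps @("Office365") -Controls @("compliantDevice")

Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State | Format-Table -AutoSize
```

Policies 2 and 3 deliberately overlap: a Global Administrator signing in from the office is excluded from policy 2 by location but still caught by policy 3, which is exactly the "regardless of location or device" behaviour the list asks for. Conditional Access applies every matching policy, so the stricter one wins.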

What About Services That Don't Support MFA?

You'll inevitably discover some third-party application that hasn't caught up with modern security standards. You have three options:

Option 1: Use Single Sign-On (SSO)
Link the service to Microsoft 365 so MFA is enforced at the SSO level, even if the service itself doesn't natively support it.

Option 2: Pressure the Vendor
Contact their support team and explicitly request MFA. When enough customers demand it, vendors listen.

Option 3: Replace the Service
If a critical business application lacks basic MFA support in 2026, the vendor isn't taking security seriously. Find a competitor who is.


Common Implementation Mistakes to Avoid

Learn from others' mistakes:

  • Skipping MFA on admin accounts. If you protect nothing else, protect accounts with administrative privileges.
  • Not storing backup codes properly. When someone loses their phone, you need those codes. Store them securely offline.
  • Inadequate user training. Staff who understand why MFA matters are far more compliant.
  • Forgetting to test legacy applications. That ancient warehouse management system might not support modern authentication.
  • Enabling MFA everywhere at once without testing. Use report-only mode first.

Your Action Plan: Start Today

In the next 10 minutes:
Create your user inventory and decide between Security Defaults and Conditional Access. Bookmark the Microsoft 365 admin center.

This week:
Enable MFA on your admin account and all privileged accounts. Begin communicating the rollout to your team. Test Conditional Access in report-only mode.

Within two weeks:
Begin your phased rollout with IT staff and early adopters. Monitor for issues and gather feedback.

By the end of the month:
Achieve 100% MFA coverage across your organization. Complete testing of all recovery procedures.

Pre-Assessment Checklist

Before your Cyber Essentials assessment, verify:

  • ✓ All admin accounts have MFA enabled with recovery methods configured
  • ✓ All users have MFA enabled
  • ✓ Legacy authentication is disabled organization-wide
  • ✓ At least one emergency admin account exists with credentials stored securely offline
  • ✓ Audit logging is enabled
  • ✓ Staff have received MFA training
  • ✓ Recovery procedures have been tested
  • ✓ Documentation clearly shows who has admin access
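The checklist items that live in the tenant can be evidenced with a script rather than by clicking through the portal. The following is an added example using the Microsoft Graph PowerShell SDK (and, for the audit-log item, the ExchangeOnlineManagement module); it is not from the original article or from Microsoft. It assumes you sign in as a Global Administrator with the scopes listed, and it only prints findings, so the training, documentation and recovery-test items still need a human to sign them off.

```powershell
# Added example: gather evidence for the pre-assessment checklist from the tenant itself.
# Assumptions: Global Administrator sign-in; Microsoft.Graph installed; ExchangeOnlineManagement
# installed for the final (audit log) check.

Connect-MgGraph -Scopes "Policy.Read.All", "AuditLog.Read.All", "Directory.Read.All",
                        "UserAuthenticationMethod.Read.All"

# Which enforcement path is active: Security Defaults or Conditional Access?
$defaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
"Security Defaults enabled: $($defaults.IsEnabled)"

$policies = @(Get-MgIdentityConditionalAccessPolicy)
$policies | Select-Object DisplayName, State | Format-Table -AutoSize

# Legacy authentication disabled: either Security Defaults (which blocks it) or an
# enabled (not report-only) Conditional Access policy that blocks the legacy client types.
$legacyBlocked = @($policies | Where-Object {
    $_.State -eq "enabled" -and
    $_.GrantControls.BuiltInControls -contains "block" -and
    $_.Conditions.ClientAppTypes -contains "other"
})
"Legacy authentication blocked: $(($legacyBlocked.Count -gt 0) -or $defaults.IsEnabled)"

# MFA registration for every user, admins first. "Registered" means the user has completed
# setup; the policies above decide whether they are actually prompted.
$registration = @(Get-MgReportAuthenticationMethodUserRegistrationDetail -All)
$missing = @($registration | Where-Object { -not $_.IsMfaRegistered })
$missing | Sort-Object IsAdmin -Descending |
    Select-Object UserPrincipalName, IsAdmin, DefaultMfaMethod | Format-Table -AutoSize
$adminsMissing = @($missing | Where-Object { $_.IsAdmin }).Count
"MFA registered: $($registration.Count - $missing.Count) of $($registration.Count) users; admins without MFA: $adminsMissing"

# Who has admin access, for the documentation item. Global Administrator is the one that
# matters most; repeat for any other privileged roles you use.
$gaRole = Get-MgDirectoryRole | Where-Object { $_.DisplayName -eq "Global Administrator" }
"Global Administrators:"
Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All |
    ForEach-Object { "  " + $_.AdditionalProperties["userPrincipalName"] }

# Audit logging: the unified audit log is an Exchange Online setting, so it needs a
# separate connection (uncomment to run).
# Connect-ExchangeOnline
# "Unified audit log enabled: $((Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled)"
```

Run this once before the phased rollout to get a baseline, then again the day before the assessment; the second run should show zero admins without MFA, zero users without MFA, at least one `enabled` policy per checklist item, and a Global Administrator list that matches your written documentation.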

MFA isn't just a compliance checkbox: it's the single most effective security measure you can implement. The initial setup requires some effort, but the protection it provides against password-based attacks is invaluable.

Need help implementing MFA or preparing for your Cyber Essentials assessment? Get in touch with our team and we'll walk you through the entire process, ensuring your implementation is both secure and practical for your business operations.
