
Turn On MFA Everywhere: The 30-Minute Project That Stops Most Breaches

Stolen passwords are behind most business account breaches. Microsoft 365 Business Premium includes everything you need to enforce multi-factor authentication across all users — and you can have it running in under 30 minutes.

Elevate Solutions
June 27, 2026 · 5 min read

Most business account breaches do not involve sophisticated hacking. An attacker obtains a password — through a phishing email, a data breach at another site, or an educated guess — and walks straight in. Multi-factor authentication (MFA) breaks that pattern by requiring a second proof of identity, typically a push notification or a six-digit code from a phone app, before access is granted.

Summary: Multi-factor authentication blocks most account-takeover attacks by requiring a second verification step beyond a password. Microsoft 365 Business Premium includes Security Defaults and Conditional Access, either of which enforces MFA across your entire organization in under 30 minutes. No additional software or licenses are required.

If your firm operates in law, healthcare, finance, or professional services, your clients and regulators have reasonable expectations that you have this control in place. The practical barrier is lower than most people expect: Business Premium includes everything you need, and the configuration lives in a browser-based admin portal.

Which built-in tool should you use?

Business Premium gives you two paths to MFA enforcement. They are not interchangeable, and you cannot run both at once.

Security Defaults

Security Defaults is Microsoft's baseline setting. Flipping it on tells your tenant to require every user — including administrators — to register for MFA and complete a second-factor check at sign-in. There are no configuration options: it applies to everyone, always.

Best for: Firms that have no MFA in place today and want protection live before the end of the day.

Limitation: No exceptions are possible. Service accounts, legacy integrations, and users who need different rules cannot be carved out. If that matters to your environment, use Conditional Access instead.

Conditional Access

Conditional Access is also included in Business Premium through the bundled Azure Active Directory Premium P1 license. It lets you write policies — for example, require MFA for all users signing in from outside the office network, or block access entirely from high-risk locations. It takes more time to configure correctly but gives you the control that regulated environments often require.

Best for: Firms that are already on Security Defaults and want more precise rules, or any firm with specific compliance obligations around access control.

Note: Enabling Conditional Access requires you to disable Security Defaults first. Do this deliberately, not by accident.

The 30-minute checklist

Work through these steps in order. You need a Global Administrator account to proceed.

  1. Create a backup admin account before touching anything. Confirm you have at least two Global Administrator accounts with different email addresses. If MFA locks you out of one, you need a second path back in.
  2. Choose your path: Security Defaults or Conditional Access. If nothing is configured today, start with Security Defaults. Move to Conditional Access later if your environment demands it.
  3. Enable Security Defaults (if that is your path). Go to entra.microsoft.com → Identity → Overview → Properties → Manage Security Defaults. Toggle the setting to Enabled and save. That is the entire process.
  4. Or create a Conditional Access policy (if that is your path). In the Entra admin center, go to Protection → Conditional Access → New policy. Microsoft provides built-in policy templates, including one called "Require multifactor authentication for all users," which covers most firms without custom configuration. Enable it in report-only mode first to see who is not yet registered before switching to enforcement.
  5. Notify your staff before the change takes effect. Users will be prompted to register for MFA at their next sign-in. A short email explaining what they will see — and linking to Microsoft Authenticator on the App Store or Google Play — reduces help-desk calls significantly.
  6. Set a registration deadline and monitor it. Security Defaults gives users 14 days to register before enforcement begins. Conditional Access in report-only mode lets you review the sign-in logs and follow up with anyone who has not yet registered.
  7. Confirm all accounts are covered. In the Entra admin center, review your sign-in logs or per-user MFA status to confirm no accounts slipped through.
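An added example, not part of the original article, showing how steps 1, 4 and 7 of the checklist look when scripted with the Microsoft Graph PowerShell SDK instead of clicked through in the Entra admin center: the policy is created in report-only mode, the backup admin account is excluded so it cannot be locked out, and the registration report lists anyone still without an MFA method. The account name, policy name and domain are placeholders.

```powershell
# Added example (not from the original article). Assumes the Microsoft Graph PowerShell SDK
# is installed (Install-Module Microsoft.Graph) and you sign in as a Global Administrator.
# Scopes: create/read Conditional Access policies and read the MFA registration report.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", `
                        "AuditLog.Read.All", "User.Read.All"

# Step 1: look up the backup (break-glass) admin so the policy can exclude it.
# 'breakglass-admin@contoso.example' is a placeholder for your second Global Admin.
$breakGlass = Get-MgUser -Filter "userPrincipalName eq 'breakglass-admin@contoso.example'"
if (-not $breakGlass) { throw "Backup admin not found; create it before enforcing MFA." }

# Step 4: "Require MFA for all users", started in report-only mode so sign-in logs
# show who would have been blocked without actually blocking anyone yet.
$policy = @{
    displayName = "Require MFA for all users (report-only pilot)"
    state       = "enabledForReportingButNotEnforced"   # change to "enabled" to enforce
    conditions  = @{
        users        = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlass.Id)            # keep the backup admin out of scope
        }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{
        operator         = "OR"
        builtInControls  = @("mfa")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Step 7: list every account that has not registered an MFA method yet,
# admins first, so follow-up can start with the highest-risk accounts.
Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { -not $_.IsMfaRegistered } |
    Select-Object UserPrincipalName, IsAdmin, MethodsRegistered |
    Sort-Object IsAdmin -Descending |
    Format-Table -AutoSize
```

Re-run the last query during the report-only period; once it returns no rows, switch the policy's `state` to `enabled`.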

Getting your team set up on Microsoft Authenticator

Microsoft Authenticator is the right choice for Business Premium environments. It works on iOS and Android, supports push notifications, and is more resistant to phishing than SMS codes, which can be intercepted through SIM-swapping.

Each staff member needs to do three things:

  • Download Microsoft Authenticator from their device's app store.
  • Sign in to mysignins.microsoft.com on a computer.
  • Select "Add sign-in method," choose "Authenticator app," and follow the QR code prompt.

The process takes about three minutes per person. If someone does not have a smartphone, Business Premium also supports FIDO2 hardware security keys and phone-call verification as alternatives — both configurable in the same portal.

What to expect after MFA is on

On a trusted device, most users are prompted for a second factor once per session — typically once in the morning. Resistance is common in the first few days and fades quickly once the habit forms.

Service accounts and shared mailboxes used by software integrations do not support interactive MFA the same way human accounts do. Conditional Access allows you to exclude these accounts from MFA requirements temporarily while you convert them to more secure authentication methods. Do not leave them unaddressed: unprotected service accounts are a common entry point for attackers.

Once MFA is running, your Microsoft 365 Secure Score — visible in the Microsoft 365 Defender portal — will reflect the improvement and surface the next open items worth addressing.

Elevate Solutions' security and IT advisory team delivers managed cybersecurity (MDR/MXDR), managed IT, and compliance guidance (HIPAA, SOC 2, PCI DSS) for regulated mid-market firms across Los Angeles.

Reviewed by David Faramarzi · Founder, Elevate Solutions