MFA is no longer optional — here's how to roll it out without disrupting your team

Multi-factor authentication blocks the overwhelming majority of automated account compromise attacks; Microsoft puts the figure above 99.9%. Yet most small businesses still haven't fully deployed it. Here's a practical rollout approach that won't cause chaos.

Why MFA matters more than almost anything else

If you only do one thing to improve your organisation's security this year, enable multi-factor authentication on every account. No other single control comes close to the impact MFA has on your exposure to account compromise attacks.

Microsoft's own data shows that MFA blocks more than 99.9% of automated account attacks. Credential stuffing and password spraying rely entirely on a reused or guessed password, so they fail the moment a second factor is required, and most bulk phishing fails with them. Two caveats a practitioner should know: a phishing kit that proxies the real login page (adversary-in-the-middle) can relay a one-time code or push approval in real time, and attackers also spam push prompts hoping a tired user taps Approve. Number matching in Microsoft Authenticator blunts the push spam; only phishing-resistant methods such as FIDO2 security keys and passkeys stop the proxying. MFA is still the single biggest reduction in exposure you can buy. And yet a significant proportion of small businesses either haven't deployed it at all, or have deployed it inconsistently with gaps that attackers can exploit.

What counts as MFA?

MFA means requiring something you know (your password) plus something you have (a phone or hardware key) or something you are (a biometric). In practice for most businesses, this means an authenticator app on your phone that generates a time-based code (TOTP), or a push notification you approve.

SMS-based codes (a text message with a 6-digit number) technically count as MFA but are significantly weaker: SIM swapping and telecom account takeovers can redirect them, and a code typed into a fake login page is handed to the attacker just like the password. For most small businesses SMS is still better than nothing, but an authenticator app like Microsoft Authenticator is meaningfully more secure and just as easy to use.

Hardware keys (like YubiKey) are the strongest option because they are phishing-resistant: the key signs a challenge bound to the genuine site's origin, so a look-alike domain gets nothing it can replay. They are typically overkill for most small business users, but worth requiring for admin accounts and high-value targets.

The common rollout mistakes

Most MFA rollout problems come from doing it too fast, too inconsistently, or without proper communication. The most common issues we see:

Enabling MFA globally with no notice. Users arrive on Monday morning unable to log in without an app they haven't set up. This causes panic, helpdesk overload, and immediate pressure to turn MFA off again.

Leaving exceptions in place indefinitely. Shared mailboxes, service accounts, and the boss who "doesn't want the hassle" become the path of least resistance for attackers. One unprotected account undermines the whole deployment.

Not having a recovery plan. What happens when someone loses their phone? Decide before rollout how you will verify that the person asking for a reset is really them (a video call with a known manager, for instance), who is allowed to approve it, and how the reset is done. In Microsoft 365 an admin can issue a Temporary Access Pass so the user can sign in once and register a new device. If you haven't thought this through, you'll be figuring it out under pressure, and an improvised helpdesk reset is exactly what social engineers go after.

A practical rollout approach

The approach we use with clients is straightforward and minimises disruption:

Week 1 — communicate and prepare. Tell your team what's happening, why, and when. Send a clear email explaining that MFA is being enabled, what they'll need to do (download Microsoft Authenticator, register their device), and when the deadline is. Give people at least a week's notice.

Week 2 — registration period. Enable MFA in registration mode: users are prompted to set it up when they next log in but aren't blocked yet. This gives everyone a chance to get set up without hard deadline pressure. Chase anyone who hasn't registered by the end of the week.

Week 3 — enforce. Switch MFA from optional to required. Anyone who hasn't registered will be prompted to do so before they can log in. Have someone available to help with any issues on day one of enforcement.

Ongoing — close the gaps. Audit your accounts for any that don't have MFA registered, and for any still relying on SMS alone. Shared mailboxes don't need an enabled sign-in, so block sign-in on the underlying account. Service accounts should use certificate authentication where possible (an app registration or managed identity with a certificate credential rather than a password). Review your Conditional Access policies if you're on Microsoft 365 Business Premium, and keep the audit running: new starters and newly created accounts are how gaps reappear.
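The registration chase in week 2 and the ongoing audit are the same query run repeatedly: who has nothing registered, who is on SMS only, and which admins are still on the app rather than a hardware key. The script below is an added example, not code from the original article, and assumes the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph.Reports) and the permissions named in the Connect-MgGraph call. The sample users are constructed so the script runs offline; flip $useLiveTenant to query your own tenant (the registration report's availability depends on your Entra licensing).

```powershell
# Added example (not from the original article): MFA registration gap report
# for the "chase anyone who hasn't registered" and "close the gaps" steps.
# Assumes Microsoft.Graph.Reports. Method names are the values the
# registration report returns in its MethodsRegistered property.

function Get-MfaGapReport {
    param([Parameter(Mandatory)][object[]]$Registrations)

    $phishingResistant = @('fido2SecurityKey', 'windowsHelloForBusiness', 'passKeyDeviceBound')
    $authenticatorApp  = @('microsoftAuthenticatorPush', 'microsoftAuthenticatorPasswordless', 'softwareOneTimePasscode')

    foreach ($r in $Registrations) {
        $methods   = @(@($r.MethodsRegistered) | Where-Object { $_ })   # always an array, nulls dropped
        $hasStrong = @($methods | Where-Object { $_ -in $phishingResistant }).Count -gt 0
        $hasApp    = @($methods | Where-Object { $_ -in $authenticatorApp }).Count -gt 0

        # Anything registered that is neither app nor phishing-resistant
        # (SMS, voice, email) counts as weak.
        $state = if (-not $r.IsMfaRegistered -or $methods.Count -eq 0) { 'NOT_REGISTERED' }
                 elseif ($hasStrong) { 'PHISHING_RESISTANT' }
                 elseif ($hasApp)    { 'AUTHENTICATOR' }
                 else                { 'WEAK_ONLY' }

        $action = switch ($state) {
            'NOT_REGISTERED'     { 'Chase: no MFA method registered' }
            'WEAK_ONLY'          { 'Move to Microsoft Authenticator (SMS/voice/email only)' }
            'AUTHENTICATOR'      { if ($r.IsAdmin) { 'Admin: require hardware key or passkey' } else { 'OK' } }
            'PHISHING_RESISTANT' { 'OK' }
        }

        [pscustomobject]@{
            User    = $r.UserPrincipalName
            IsAdmin = [bool]$r.IsAdmin
            State   = $state
            Methods = ($methods -join ', ')
            Action  = $action
        }
    }
}

$useLiveTenant = $false   # set to $true to run against your tenant
if ($useLiveTenant) {
    Connect-MgGraph -Scopes 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All'
    $registrations = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
} else {
    # Constructed sample data shaped like the report's output (not real users).
    $registrations = @(
        [pscustomobject]@{ UserPrincipalName = 'alice@example.com'; IsAdmin = $true;  IsMfaRegistered = $true;  MethodsRegistered = @('microsoftAuthenticatorPush') }
        [pscustomobject]@{ UserPrincipalName = 'bob@example.com';   IsAdmin = $false; IsMfaRegistered = $true;  MethodsRegistered = @('mobilePhone') }
        [pscustomobject]@{ UserPrincipalName = 'carol@example.com'; IsAdmin = $false; IsMfaRegistered = $false; MethodsRegistered = @() }
        [pscustomobject]@{ UserPrincipalName = 'dave@example.com';  IsAdmin = $true;  IsMfaRegistered = $true;  MethodsRegistered = @('fido2SecurityKey', 'microsoftAuthenticatorPush') }
        [pscustomobject]@{ UserPrincipalName = 'shared-sales@example.com'; IsAdmin = $false; IsMfaRegistered = $false; MethodsRegistered = @() }
    )
}

$report = Get-MfaGapReport -Registrations $registrations
$report | Sort-Object State | Format-Table -AutoSize
# The open items are the chase list for this week:
$report | Where-Object Action -ne 'OK' | Format-Table User, Action -AutoSize
```

Run it weekly after enforcement, not just once: a shared mailbox or a new starter showing up as NOT_REGISTERED is the gap the rollout is meant to close, and an admin sitting at AUTHENTICATOR is the account most worth moving to a hardware key.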

Handling the pushback

You will get pushback from someone. The most common objections are "it takes too long" and "I don't want to use my personal phone."

On the first: approving a push notification or entering a 6-digit code adds about 10 seconds to login. That's roughly 40 seconds per day for someone who logs in four times. It's not a meaningful burden.

On the second: this is a reasonable concern. Options include providing a dedicated authentication device, using a hardware key, or using FIDO2 passkeys where supported. The important thing is not to grant a blanket exemption — that creates exactly the gap attackers look for.

MFA for Microsoft 365 specifically

If you're on Microsoft 365, enabling Security Defaults is the fastest way to get MFA enforced across your organisation. It's a single toggle in the Microsoft Entra admin center (Azure AD is now called Microsoft Entra ID). Security Defaults makes MFA registration mandatory for every user, with a 14-day window from their next sign-in to set up the Authenticator app; requires MFA for administrators and for privileged actions such as accessing the Azure portal; prompts other users for MFA when the sign-in warrants it; and blocks legacy authentication protocols, which can't do MFA at all and are otherwise the attacker's favourite way around it.

For more granular control (letting some users use different MFA methods, excluding certain scenarios, or requiring phishing-resistant methods for admins) you need Conditional Access, which requires at least Microsoft Entra ID P1 (formerly Azure AD Premium P1, included in Microsoft 365 Business Premium). Security Defaults and Conditional Access are mutually exclusive, so build your Conditional Access policies in report-only mode first, check the sign-in logs for who would have been blocked, and only then turn Security Defaults off and enable the policies, so there is no window with neither in force.
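The baseline Conditional Access policy that replaces Security Defaults is "require MFA for all users, all apps". The script below is an added example, not code from the original article, and assumes the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph.Identity.SignIns) and the permissions in the Connect-MgGraph call. The break-glass object ID is a placeholder: an emergency-access account excluded from the policy is not something the article describes, but you need one so an Authenticator outage or a lost admin phone can't lock you out of your own tenant. The policy is created in report-only state; switch it to 'enabled' once the sign-in logs show no surprises.

```powershell
# Added example (not from the original article): create the baseline
# "require MFA for all users" Conditional Access policy via Microsoft Graph.
# Assumes Microsoft.Graph.Identity.SignIns. The break-glass object ID is a
# placeholder you must replace with your emergency-access account's object ID.

function New-RequireMfaPolicyBody {
    param(
        [Parameter(Mandatory)][string]$BreakGlassObjectId,
        [ValidateSet('enabledForReportingButNotEnforced', 'enabled', 'disabled')]
        [string]$State = 'enabledForReportingButNotEnforced'   # report-only first
    )
    @{
        displayName = 'Require MFA for all users'
        state       = $State
        conditions  = @{
            # Every user and every app, minus the emergency-access account that
            # must never be locked out by an MFA or Authenticator outage.
            users          = @{ includeUsers = @('All'); excludeUsers = @($BreakGlassObjectId) }
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = @('all')
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
    }
}

$breakGlass = '00000000-0000-0000-0000-000000000000'   # placeholder, not a real account
$body = New-RequireMfaPolicyBody -BreakGlassObjectId $breakGlass

$useLiveTenant = $false   # set to $true to create the policy in your tenant
if ($useLiveTenant) {
    Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'
    # Security Defaults must be turned off before this policy can be enabled.
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
} else {
    # Offline: print the request body that would be sent, for review.
    $body | ConvertTo-Json -Depth 10
}
```

Leave the policy in report-only for the registration week, then create a second policy for admin roles with a phishing-resistant authentication strength if you are issuing hardware keys to admins; the break-glass account stays excluded from both, and its credentials go in a safe, not in a password manager protected by the same MFA.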

Want help rolling out MFA?

We handle MFA deployments for small and medium businesses — planning, communication, rollout, and verification. Book a free call to discuss your setup.