Short answer: Multi-factor authentication (MFA) makes users prove their identity with a second factor — usually an authenticator-app approval or a passkey — on top of their password, so a stolen password alone can't get an attacker in. To turn it on in Microsoft 365, the simplest path is to enable security defaults in the Entra admin centre, which requires MFA for all users. If you have Business Premium, use conditional access instead for more control. Roll it out to administrators first, give staff a heads-up, and prefer an authenticator app over SMS.
What MFA actually is
Authentication factors come in three kinds: something you know (a password), something you have (a phone, an authenticator app, a passkey/security key), and something you are (a fingerprint or face). MFA simply means requiring at least two of these. In practice, for most businesses, it's your password plus an approval on your phone.
The value is straightforward: passwords get phished, reused and leaked constantly. MFA means that even when a password is stolen, the attacker is stopped at the second factor. It's widely regarded as the highest-impact single security control a small business can turn on.
Which method to use
Not all second factors are equal:
- Passkeys / security keys — the strongest and most phishing-resistant option, increasingly supported across Microsoft 365.
- Authenticator app with number matching — very strong and the practical default for most teams. Number matching stops "MFA fatigue" attacks where a user blindly taps approve.
- One-time codes (TOTP) — good, works offline, fine as a widely available option.
- SMS text codes — better than nothing, but the weakest option: vulnerable to SIM-swap and interception. Keep it only as a fallback.
Rule of thumb: default everyone to the Microsoft Authenticator app (with number matching) or passkeys. Reserve SMS for the rare user who genuinely can't use an app, and plan to move them off it.
How to turn on MFA in Microsoft 365
There are two supported paths. Pick one based on your licence.
Path A — Security defaults (any plan, simplest)
- Sign in to the Microsoft Entra admin centre as a Global Administrator.
- Go to Identity → Overview → Properties (or Identity → Protection depending on your portal).
- Open Manage security defaults and set it to Enabled, then save.
- All users are now prompted to register for MFA at their next sign-in. Legacy authentication is blocked automatically as part of security defaults.
Security defaults are free, apply to everyone, and are the right choice for most small businesses without special requirements.
Path B — Conditional access (Business Premium, more control)
- Confirm you have Microsoft 365 Business Premium (or an Entra ID P1/P2 plan). Conditional access needs it.
- In the Entra admin centre go to Protection → Conditional Access.
- Create a policy that targets All users (with a break-glass account excluded), for All cloud apps, granting access only if MFA is completed.
- Create a second policy to block legacy authentication explicitly.
- Start each policy in report-only mode, review the impact, then switch to On.
Conditional access lets you require MFA based on location, device compliance, sign-in risk and app — for example, always challenge admins, or challenge sign-ins from outside Australia.
Roll it out without breaking your week
- Admins first. Enable and test MFA on administrator accounts before touching everyone else.
- Warn users ahead of time. Send a short note explaining they'll be asked to set up an app, with a link to Microsoft's setup steps. Surprise MFA prompts generate help-desk tickets and mistrust.
- Create a break-glass account. One emergency-access account excluded from your MFA policy, with a long password stored securely, so you can never lock yourself out of your own tenant.
- Register two methods per user. An app plus a backup (a second device or codes) so a lost phone doesn't lock someone out.
- Block legacy authentication. If you don't, older mail clients and protocols can bypass MFA entirely — undoing the whole exercise.
The gotchas nobody warns you about
- Shared mailboxes and service accounts. A shared mailbox shouldn't have interactive sign-in; app/service accounts need a plan (conditional access exclusions, managed identities, or app passwords only where unavoidable). Don't just exempt them and forget.
- Multifunction printers & line-of-business apps that send email via SMTP often rely on legacy auth. Identify these before you block legacy authentication, and move them to a supported method.
- Lost or replaced phones. Have a documented process for re-registering MFA, or users will be locked out on upgrade day.
- MFA fatigue. Attackers spam approval prompts hoping a tired user taps "approve". Number matching in the Authenticator app defeats this — make sure it's on.
- SMS as the only method. Convenient, but the weakest link. Treat app/passkey as default and SMS as fallback only.
Frequently asked questions
What is multi-factor authentication?
MFA requires a second proof of identity in addition to your password — typically an approval in an authenticator app, a passkey, or a one-time code. Because an attacker would need both your password and your second factor, a stolen or guessed password is no longer enough to get in.
Is an authenticator app or SMS better?
An authenticator app or a passkey is stronger than SMS. Text-message codes can be intercepted or redirected via SIM-swap, and are more easily phished. Use the Microsoft Authenticator app with number matching, or passkeys, as the default and keep SMS only as a last-resort fallback.
Does MFA cost extra in Microsoft 365?
Basic MFA is available on every Microsoft 365 plan at no extra cost through security defaults. Conditional access, which gives you finer control over when and how MFA is required, needs Business Premium or an equivalent Entra ID plan.
Want your Microsoft 365 security checked and locked down properly?
That's what SG1 Consulting does — MFA and conditional access rolled out cleanly, legacy auth closed off, break-glass and printers handled, for Australian businesses.
Talk to SG1 →