Multi-factor authentication is the single highest-return security control available to a small business. It stops the majority of credential-based attacks cold. Yet many BC businesses still do not have MFA deployed across all accounts - often because the rollout feels technically complex or politically difficult. Here is a step-by-step guide.
Why MFA Matters More Than Any Other Control
According to Microsoft's own telemetry, MFA blocks over 99 percent of automated account compromise attacks. Credentials leak constantly: through phishing, data breaches at third-party sites, and password reuse. Without MFA, a stolen password is all an attacker needs. With MFA, a stolen password alone is not enough. One caveat a practitioner should know: SMS codes, TOTP codes and push approvals can still be relayed in real time by adversary-in-the-middle phishing kits that proxy the Microsoft sign-in page, so MFA sharply reduces the risk rather than eliminating it. Only FIDO2 security keys and passkeys are phishing-resistant, which is why they belong on admin accounts first.
Cyber insurance providers now ask specifically whether MFA is enforced on email, VPN, and remote access. Answering 'no' to any of these can result in policy exclusions or declined coverage. MFA is no longer optional for insurable businesses.
Step 1: Audit Your Account Inventory
Before you can enable MFA, you need to know what accounts exist. Run a user audit in Microsoft 365: active users, guest users, shared mailboxes, service accounts, and admin accounts. Categorise each one by risk level. Admin accounts are highest priority.
Disable inactive accounts, revoke their sessions and remove their licences. Every dormant account is attack surface. A former employee's account that is still enabled and not covered by MFA is a standing vulnerability: block sign-in first, then convert the mailbox to a shared mailbox if the business still needs its contents, otherwise delete it.
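The audit in Step 1, as an added example for this guide (not the article's or Microsoft's own script). It pulls every account from Microsoft 365 with Microsoft Graph PowerShell, joins in MFA registration state, directory role membership and the Exchange Online shared-mailbox list, flags dormant accounts, and sorts the result by priority (unprotected admins first). The 90-day dormancy window and the `svc-` naming convention for service accounts are assumptions you should adjust to your tenant.

```powershell
# Added example for this guide; it is not the article's or Microsoft's own script.
# Needs the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph) and the
# ExchangeOnlineManagement module. SignInActivity requires an Entra ID P1 licence
# (included in Business Premium). The 'svc-' naming convention is an assumption.
$scopes = @('User.Read.All', 'AuditLog.Read.All',
            'UserAuthenticationMethod.Read.All', 'RoleManagement.Read.Directory')
Connect-MgGraph -Scopes $scopes -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

$inactiveDays = 90
$cutoff = (Get-Date).AddDays(-$inactiveDays)

# 1. Every account in the tenant, with its last interactive sign-in
$props = @('Id', 'UserPrincipalName', 'DisplayName', 'AccountEnabled', 'UserType',
           'CreatedDateTime', 'SignInActivity', 'AssignedLicenses')
$users = Get-MgUser -All -Property $props

# 2. MFA registration state per user (Microsoft.Graph.Reports module)
$mfa = @{}
Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    ForEach-Object { $mfa[$_.UserPrincipalName.ToLower()] = $_ }

# 3. Members of every activated directory role (Global Administrator, Exchange Administrator, ...)
$admins = @{}
foreach ($role in Get-MgDirectoryRole -All) {
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        $admins[$member.Id] = $role.DisplayName
    }
}

# 4. Shared mailboxes: these should have sign-in blocked rather than be given MFA
$shared = @{}
Get-EXOMailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited |
    ForEach-Object { $shared[$_.UserPrincipalName.ToLower()] = $true }

function Get-AccountRisk {
    param([Parameter(Mandatory)]$User)
    $upn = $User.UserPrincipalName.ToLower()
    $lastSignIn = $User.SignInActivity.LastSignInDateTime
    $reg = $mfa[$upn]
    $category = if ($admins.ContainsKey($User.Id)) { 'Admin' }
                elseif ($shared.ContainsKey($upn))  { 'SharedMailbox' }
                elseif ($User.UserType -eq 'Guest') { 'Guest' }
                elseif ($upn -like 'svc-*')         { 'ServiceAccount' }   # assumed convention
                else                                { 'User' }
    # Dormant: still enabled, older than the window, and never or not recently signed in
    $dormant = $User.AccountEnabled -and $User.CreatedDateTime -lt $cutoff -and
               (-not $lastSignIn -or $lastSignIn -lt $cutoff)
    $registered = [bool]$reg.IsMfaRegistered
    $priority = if ($category -eq 'Admin' -and -not $registered) { 1 }   # fix today
                elseif ($category -eq 'Admin')                   { 2 }   # move to FIDO2
                elseif ($dormant)                                { 3 }   # disable and de-licence
                elseif ($User.AccountEnabled -and -not $registered -and
                        $category -ne 'SharedMailbox')           { 4 }   # enrol before enforcement
                else                                             { 5 }
    [PSCustomObject]@{
        Priority          = $priority
        UserPrincipalName = $User.UserPrincipalName
        Category          = $category
        Role              = $admins[$User.Id]
        Enabled           = $User.AccountEnabled
        Licensed          = $User.AssignedLicenses.Count -gt 0
        LastSignIn        = $lastSignIn
        Dormant           = $dormant
        MfaRegistered     = $registered
        Methods           = ($reg.MethodsRegistered -join ',')
    }
}

$report = $users | ForEach-Object { Get-AccountRisk $_ } | Sort-Object Priority, UserPrincipalName
$report | Format-Table Priority, UserPrincipalName, Category, Role, Enabled, Dormant, MfaRegistered, Methods -AutoSize
$report | Export-Csv -NoTypeInformation -Path ".\mfa-audit-$(Get-Date -Format yyyyMMdd).csv"

# How many enabled accounts per category still need to enrol before the enforcement date
$report | Where-Object { $_.Enabled -and -not $_.MfaRegistered -and $_.Category -ne 'SharedMailbox' } |
    Group-Object Category | Select-Object Name, Count
```

The exported CSV is the working list for the rest of the rollout: priority 1 and 2 rows are the admin accounts to fix by hand this week, priority 3 rows are the dormant accounts to disable, and priority 4 rows are the users who need the setup guide in Step 4 before the enforcement date.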
Step 2: Choose Your MFA Method
In Microsoft 365 the supported methods, from strongest to weakest, are: hardware FIDO2 security keys (YubiKey) or passkeys, which are phishing-resistant; the Microsoft Authenticator app (passwordless sign-in or push notification); software TOTP apps (Google Authenticator, Authy); and SMS one-time codes as a last resort. SMS is the weakest option because of SIM-swapping and interception attacks, but it is still far better than a password alone.
For most BC SMBs, Microsoft Authenticator is the right default. It is free, integrated into M365, and number matching is enforced on its push notifications: the user has to type the two-digit number shown on the sign-in screen, which defeats MFA fatigue (push spam) attacks where an attacker with a stolen password simply keeps sending approval prompts. Put admins on FIDO2 keys if you can; those are the accounts an attacker wants most.
Step 3: Enforce via Conditional Access
In M365 Business Premium, which includes Entra ID P1, use Conditional Access to require MFA for all users, not just admins. Scope the policy to all cloud apps and all locations, exclude only a break-glass account and a documented exception group, and add a second policy that blocks legacy authentication (basic auth for SMTP AUTH, IMAP, POP3 and older Outlook or ActiveSync clients). A basic-auth client cannot present a second factor, so an unblocked legacy protocol is the usual way attackers sidestep MFA. Deploy both policies in report-only mode first, review the sign-in logs for a week, then switch them to enabled.
If you are on M365 Business Basic or Standard, you do not get Conditional Access; turn on Security Defaults instead. This is not per-user MFA but a single tenant-wide switch (Entra admin center, Properties, Manage security defaults) that makes every user register for MFA within 14 days, requires MFA for admins and for users when a sign-in looks unusual, and blocks legacy authentication. It is less granular than Conditional Access, allows no exceptions, and cannot be combined with it, but it covers the basics and is enabled in two clicks.
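The two Conditional Access policies from Step 3, as an added example for this guide rather than the article's or Microsoft's own script. It creates them through Microsoft Graph PowerShell in report-only mode, skips any policy that already exists with the same name, and keeps the exception group out of the legacy-auth block so that an exempt service account still cannot fall back to basic auth. The group names `CA-BreakGlass` and `CA-MFA-Exceptions` and the policy names are assumptions; Security Defaults must already be switched off, because it cannot coexist with Conditional Access.

```powershell
# Added example for this guide; it is not the article's or Microsoft's own script. It creates
# the two policies in report-only mode so you can read the sign-in logs for a week before
# enforcing. Assumptions: Security Defaults is already off (it cannot coexist with Conditional
# Access), and two security groups exist: 'CA-BreakGlass' for the emergency access accounts
# and 'CA-MFA-Exceptions' for documented service-account exceptions.
$scopes = @('Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All',
            'Application.Read.All', 'Group.Read.All')
Connect-MgGraph -Scopes $scopes -NoWelcome

function Get-GroupIdByName {
    param([Parameter(Mandatory)][string]$Name)
    $g = @(Get-MgGroup -Filter "displayName eq '$Name'" -Property Id,DisplayName)
    if ($g.Count -ne 1) { throw "Expected exactly one group named '$Name', found $($g.Count)." }
    return $g[0].Id
}

function New-CaPolicyIfMissing {
    param([Parameter(Mandatory)][hashtable]$Policy)
    $existing = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$($Policy.displayName)'"
    if ($existing) {
        Write-Host "Already present: $($Policy.displayName) [state=$($existing.State)]"
        return $existing
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $Policy
}

$breakGlass = Get-GroupIdByName 'CA-BreakGlass'
$exceptions = Get-GroupIdByName 'CA-MFA-Exceptions'

# Policy 1: all users, all cloud apps, all locations and client types -> MFA required.
$requireMfa = @{
    displayName   = 'CA001 - Require MFA for all users'
    state         = 'enabledForReportingButNotEnforced'   # change to 'enabled' after review
    conditions    = @{
        users          = @{
            includeUsers  = @('All')
            excludeGroups = @($breakGlass, $exceptions)
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

# Policy 2: block legacy authentication. 'other' is the Graph name for basic-auth clients
# (SMTP AUTH, IMAP, POP3, old Office builds); 'exchangeActiveSync' covers legacy EAS.
# The exception group is deliberately NOT excluded here: exempt accounts still may not use
# basic auth, which is how attackers sidestep MFA.
$blockLegacy = @{
    displayName   = 'CA002 - Block legacy authentication'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlass) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

$p1 = New-CaPolicyIfMissing $requireMfa
$p2 = New-CaPolicyIfMissing $blockLegacy
$p1, $p2 | Select-Object DisplayName, State, Id

# After reviewing the report-only results in the sign-in logs, enforce each policy:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $p1.Id -BodyParameter @{ state = 'enabled' }
```

While the policies sit in report-only mode, the Entra sign-in log shows each sign-in as "Report-only: Failure" or "Report-only: Success" against these policies; anyone who would have been blocked by CA002 is a legacy client you need to migrate or document before the switch to enabled.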
Step 4: Communicate and Train
MFA rollout fails when users are surprised. Communicate in advance: what is changing, when it takes effect, and how to set up the authenticator app. Offer a 10-minute setup session for anyone who needs help. The support overhead on day one is small compared to the risk reduction.
Create a short written guide specific to your authenticator app. Include screenshots. Distribute it before the enforcement date. A well-supported rollout has far fewer support tickets than a silent one.
Step 5: Handle Exceptions Properly
Some service accounts and shared mailboxes cannot complete interactive MFA. Shared mailboxes should simply have sign-in blocked (Exchange Online creates them that way) and be accessed through delegated permissions from MFA-protected user accounts. For service accounts, prefer non-interactive authentication (an app registration with a client certificate or secret, or a managed identity) over a user account with an MFA exemption; app passwords are a legacy per-user MFA feature that only exists to feed basic-auth clients, which you are blocking anyway. Where an exemption is unavoidable, put the account in a dedicated exclusion group, restrict it to a trusted location, and document the exception with a business justification, an owner and a review date. Do not allow exception creep: every exemption is a risk.
Review the exception list quarterly. Entries for accounts that no longer exist should be deleted, undocumented members of the exclusion group removed, and exceptions that have outgrown their justification brought into compliance.
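The quarterly review from Step 5, as an added example for this guide rather than the article's own procedure. It reconciles a written exception register against the live membership of the Conditional Access exclusion group and reports five kinds of drift: register entries for accounts that no longer exist, register entries for accounts that are no longer in the group, overdue review dates, group members with no register entry, disabled accounts still in the group, and accounts that have since registered MFA and can be brought into compliance. The group name `CA-MFA-Exceptions` is an assumption, and the register rows are constructed sample data; in practice you would load them with `Import-Csv`.

```powershell
# Added example for this guide; not the article's or Microsoft's own script. It reconciles the
# written exception register against the real membership of the Conditional Access exclusion
# group. Assumptions: the group is named 'CA-MFA-Exceptions' and the register is a CSV with the
# columns shown in the constructed sample below (replace it with Import-Csv .\mfa-exceptions.csv).
$scopes = @('Group.Read.All', 'User.Read.All', 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All')
Connect-MgGraph -Scopes $scopes -NoWelcome

# Constructed sample register (not real accounts)
$register = @'
UserPrincipalName,Justification,Owner,ReviewBy
svc-scanner@example.com,Scan-to-email from the office MFP cannot do interactive MFA,it@example.com,2025-09-30
svc-backup@example.com,Backup agent signs in as a user,it@example.com,2024-06-30
old-integration@example.com,Legacy CRM sync retired in 2023,ops@example.com,2024-03-31
'@ | ConvertFrom-Csv

function New-Finding ($Upn, $Finding, $Action) {
    [PSCustomObject]@{ UserPrincipalName = $Upn; Finding = $Finding; Action = $Action }
}

# Pure reconciliation logic: no Graph calls, so it can be dry-run against any inputs
function Get-ExceptionFindings {
    param(
        [Parameter(Mandatory)][object[]]$Register,  # rows: UserPrincipalName, Justification, Owner, ReviewBy
        [Parameter(Mandatory)][hashtable]$Members,  # upn -> @{ Enabled = bool; MfaRegistered = bool }
        [Parameter(Mandatory)][hashtable]$Exists,   # upn -> bool, does the account still exist
        [datetime]$Today = (Get-Date)
    )
    $findings = [System.Collections.Generic.List[object]]::new()
    $documented = @{}
    foreach ($row in $Register) {
        $upn = $row.UserPrincipalName.ToLower()
        $documented[$upn] = $true
        if (-not $Exists[$upn]) {
            $findings.Add((New-Finding $upn 'AccountGone' 'Account no longer exists: delete the register entry'))
            continue
        }
        if (-not $Members.ContainsKey($upn)) {
            $findings.Add((New-Finding $upn 'NotInGroup' 'Register entry is stale: account is already under the MFA policy'))
        }
        if ([datetime]$row.ReviewBy -lt $Today) {
            $findings.Add((New-Finding $upn 'ReviewOverdue' "Re-justify with $($row.Owner) or remove from the group"))
        }
    }
    foreach ($upn in $Members.Keys) {
        $m = $Members[$upn]
        if (-not $documented.ContainsKey($upn)) {
            $findings.Add((New-Finding $upn 'Undocumented' 'In the exclusion group with no justification: remove or document'))
        }
        if (-not $m.Enabled) {
            $findings.Add((New-Finding $upn 'DisabledInGroup' 'Disabled account still excluded: remove from group, delete if unused'))
        }
        if ($m.MfaRegistered) {
            $findings.Add((New-Finding $upn 'MfaNowRegistered' 'Has MFA registered: bring into compliance by removing the exclusion'))
        }
    }
    return $findings
}

# Live data from the tenant
$group = Get-MgGroup -Filter "displayName eq 'CA-MFA-Exceptions'" -Property Id
$mfa = @{}
Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    ForEach-Object { $mfa[$_.UserPrincipalName.ToLower()] = [bool]$_.IsMfaRegistered }

$members = @{}
foreach ($obj in Get-MgGroupMember -GroupId $group.Id -All) {
    if ($obj.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }
    $u = Get-MgUser -UserId $obj.Id -Property UserPrincipalName,AccountEnabled
    $upn = $u.UserPrincipalName.ToLower()
    $members[$upn] = @{ Enabled = $u.AccountEnabled; MfaRegistered = [bool]$mfa[$upn] }
}

$exists = @{}
foreach ($row in $register) {
    $upn = $row.UserPrincipalName.ToLower()
    $exists[$upn] = [bool](Get-MgUser -Filter "userPrincipalName eq '$upn'" -Property Id)
}

Get-ExceptionFindings -Register $register -Members $members -Exists $exists |
    Sort-Object Finding, UserPrincipalName | Format-Table -AutoSize
```

Treat `Undocumented` findings as the most urgent: an account sitting in the exclusion group with no register entry is an MFA bypass nobody has approved. Run the script on a calendar reminder each quarter and keep the register under version control so the justification history survives staff turnover.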