Multi-factor authentication is the single highest-return security control available to a small business. Microsoft's own data from millions of accounts shows it blocks over 99% of credential-based account compromise attacks. Yet many BC businesses still don't have MFA fully deployed, often because the rollout feels technically complex, politically difficult with senior staff who resist the extra step, or both. Here's how to do it right.
Why MFA Is Not Optional in 2026
Three reasons this has moved from "best practice" to "baseline requirement":
- Credential exposure is constant. Passwords leak through phishing, data breaches at third-party services your staff use, and password reuse. Without MFA, a stolen password is all an attacker needs.
- Cyber insurance requires it. Most cyber insurance questionnaires now ask specifically whether MFA is enforced on email, VPN/remote access, and admin accounts. Answering "no" to any of these typically results in a coverage exclusion, a higher premium, or a declined application.
- Microsoft is enforcing it on its side. Security Defaults, Microsoft's baseline for Entra ID tenants, are switched on automatically for new tenants and require MFA for all users, and Microsoft has begun requiring MFA for sign-ins to its own admin portals regardless of tenant settings. If you haven't planned your rollout, you may find one imposed on Microsoft's schedule rather than yours.
Step 1: Audit Your Account Inventory
Before enabling anything, know what accounts exist in your Microsoft 365 tenant. Go to the Microsoft 365 Admin Centre and run an active user export. Include:
- Active licensed users
- Guest accounts
- Shared mailboxes (these need attention, see below)
- Service accounts
- Admin accounts (most critical)
Disable or remove inactive accounts. A dormant account, for example a former employee's account still enabled three months after departure, is worse than an unprotected account: if it has never registered an MFA method, an attacker who obtains its password gets to complete the registration prompt themselves and becomes the "second factor".
Shared mailboxes: Shared mailboxes in M365 don't consume a license, but each one has a hidden Entra ID user account behind it, and that account can sign in like any other if it is enabled and someone sets its password. Nobody is supposed to log in to it, so it will never register MFA. Ensure shared mailboxes are accessed only through licensed user accounts (with Full Access and Send As delegation) that have MFA enforced, and block sign-in on the shared mailbox account itself.
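The following script is an added example (not part of the original post) that produces the Step 1 inventory from PowerShell instead of the admin centre export. It uses the Microsoft Graph and Exchange Online modules, cross-references the MFA registration report so you can see who has actually registered a method, and flags the four findings a reviewer acts on: admins without MFA, dormant accounts, shared mailbox accounts that can still sign in, and admins with SMS or voice registered. The 90-day dormancy cutoff and the output file name are assumptions; the last-sign-in data requires Entra ID P1 (included in Business Premium) and is empty on Free tenants.

```powershell
# Added example, not from the original post. Requires the Microsoft.Graph and
# ExchangeOnlineManagement modules (Install-Module once, as admin).
# The 90-day cutoff and the CSV path are assumptions; adjust to your policy.
Connect-MgGraph -Scopes "User.Read.All","AuditLog.Read.All","UserAuthenticationMethod.Read.All"
Connect-ExchangeOnline

# 1. Every account: sign-in state, type, licences, last sign-in.
#    SignInActivity needs Entra ID P1; on a Free tenant it comes back null.
$users = Get-MgUser -All -Property Id,UserPrincipalName,AccountEnabled,UserType,AssignedLicenses,SignInActivity

# 2. MFA registration report: who has registered which methods, and who holds an admin role.
$reg = @{}
Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    ForEach-Object { $reg[$_.UserPrincipalName] = $_ }

# 3. Shared mailboxes: map the hidden Entra object behind each mailbox.
$shared = @{}
Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited |
    ForEach-Object { $shared[$_.ExternalDirectoryObjectId] = $_.PrimarySmtpAddress }

$cutoff = (Get-Date).AddDays(-90)
$inventory = foreach ($u in $users) {
    $r = $reg[$u.UserPrincipalName]
    $lastSignIn = $u.SignInActivity.LastSignInDateTime
    [pscustomobject]@{
        UPN           = $u.UserPrincipalName
        Type          = if ($shared.ContainsKey($u.Id)) { 'SharedMailbox' }
                        elseif ($u.UserType -eq 'Guest') { 'Guest' } else { 'Member' }
        Enabled       = $u.AccountEnabled
        Licensed      = $u.AssignedLicenses.Count -gt 0
        IsAdmin       = [bool]$r.IsAdmin
        MfaRegistered = [bool]$r.IsMfaRegistered
        Methods       = ($r.MethodsRegistered -join ',')
        LastSignIn    = $lastSignIn
        # Enabled but never signed in, or not in 90 days: candidate for disable/remove.
        Dormant90d    = ($u.AccountEnabled -and ($null -eq $lastSignIn -or $lastSignIn -lt $cutoff))
    }
}
$inventory | Export-Csv -Path .\mfa-inventory.csv -NoTypeInformation

"`nAdmins without any MFA method registered (fix first):"
$inventory | Where-Object { $_.IsAdmin -and -not $_.MfaRegistered } | Format-Table UPN, Enabled

"`nEnabled member accounts with no sign-in in 90 days (disable or remove):"
$inventory | Where-Object { $_.Dormant90d -and $_.Type -eq 'Member' } | Format-Table UPN, LastSignIn

"`nShared mailbox accounts that can still sign in directly (block sign-in):"
$inventory | Where-Object { $_.Type -eq 'SharedMailbox' -and $_.Enabled } | Format-Table UPN

# mobilePhone / alternateMobilePhone / officePhone are the SMS and voice methods in this report.
"`nAdmins with SMS or voice registered (remove before enforcing FIDO2 for admins):"
$inventory | Where-Object { $_.IsAdmin -and $_.Methods -match 'mobilePhone|alternateMobilePhone|officePhone' } |
    Format-Table UPN, Methods

# Block direct sign-in on every enabled shared mailbox account.
# Runs with -WhatIf so you can review the list; remove -WhatIf to apply.
$inventory | Where-Object { $_.Type -eq 'SharedMailbox' -and $_.Enabled } | ForEach-Object {
    $id = ($users | Where-Object UserPrincipalName -eq $_.UPN).Id
    Update-MgUser -UserId $id -AccountEnabled:$false -WhatIf
}
```

Blocking sign-in on the shared mailbox account does not affect delegates: Full Access and Send As permissions are granted to the delegate's own account, which is the one that completes MFA. Keep the CSV; it is the artefact the insurance questionnaire asks for when it wants evidence that "all users" means all users.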
Step 2: Choose Your MFA Method
For Microsoft 365, the recommended methods in order of security strength:
| Method | Security level | Notes |
|---|---|---|
| FIDO2 security key | Phishing-resistant | Best for admins and high-risk users |
| Microsoft Authenticator (number match) | Strong | Recommended for all users |
| Authenticator app (TOTP) | Strong | Works without push notification |
| SMS one-time code | Moderate | Vulnerable to SIM-swapping; avoid for admin accounts |
| Voice call | Moderate | Avoid where possible |
Recommendation for most BC SMBs: Microsoft Authenticator with number matching for all users. FIDO2 keys for all admin accounts. Explicitly block SMS and voice for admin roles.
Number matching, where the user must type the number shown on the login screen into their Authenticator app, prevents MFA fatigue attacks (where an attacker sends repeated push notifications hoping the user approves one by accident). Microsoft now enforces number matching for all Authenticator push notifications, so you do not need to enable it, but you should not switch users to plain TOTP codes to avoid it. Note what it does not stop: a proxy-based phishing kit that relays the real login page to the user captures the approved session regardless of number matching or TOTP. Only the FIDO2 row above is phishing-resistant, which is why it belongs on admin accounts.
Step 3: Enforce MFA via Conditional Access
Conditional Access (part of Entra ID P1, which is included in M365 Business Premium and higher) gives you policy-based control over who can access what and under what conditions.
Recommended policies for SMBs:
- Require MFA for all users: applies to every sign-in, every app, every location. Exclude exactly one emergency-access ("break-glass") account with a long random password that is stored offline and monitored, so a misconfigured policy cannot lock every admin out of the tenant.
- Block legacy authentication: older protocols (IMAP, POP3, SMTP AUTH with basic auth, Exchange ActiveSync basic auth) never present an MFA prompt, so a password alone is enough. Exchange Online has already retired basic auth for most of these, but the policy still matters for SMTP AUTH and for any third-party app still configured for it.
- Require a compliant device for admin roles: admins must be on a managed, compliant device to access anything, not just the admin portals. Pair this with a phishing-resistant authentication strength so SMS, voice, and plain push cannot satisfy the admin policy.
- Block sign-ins from unexpected countries: if you don't do business in a region, block logins from it. Treat this as noise reduction rather than a control; a targeted attacker will use a VPN or residential proxy inside your country.
If you're on Microsoft 365 Business Basic or Standard (which don't include Conditional Access), use Security Defaults at minimum. They require MFA for all users and block legacy authentication, though without the granular policy options, the break-glass exclusion, or report-only mode.
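The following script is an added example (not part of the original post) that creates the four recommended policies through the Microsoft Graph PowerShell SDK. Every policy is created in report-only mode, which logs what each policy would have done without enforcing it, so you can check the sign-in logs for a week before switching to enforced. The admin policy uses Microsoft's built-in "phishing-resistant MFA" authentication strength, which is how the Step 2 recommendation to block SMS and voice for admin roles is enforced at sign-in time. The break-glass account UPN, the allowed countries, and the set of admin roles are placeholders for your own; the role template IDs and the authentication-strength ID are Microsoft's fixed values, which you can confirm in your tenant with Get-MgDirectoryRoleTemplate and Get-MgPolicyAuthenticationStrengthPolicy.

```powershell
# Added example, not from the original post. Assumes M365 Business Premium (Entra ID P1)
# and the Microsoft.Graph module. breakglass@contoso.onmicrosoft.com and the country
# list are placeholders for your own values.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","User.Read.All"

# Emergency-access account excluded from every policy so a policy mistake cannot lock
# every admin out. Cloud-only, long random password stored offline, sign-ins alerted on.
$breakGlass = (Get-MgUser -Filter "userPrincipalName eq 'breakglass@contoso.onmicrosoft.com'").Id

# Directory role template IDs (same in every tenant). Add more from Get-MgDirectoryRoleTemplate.
$adminRoles = @(
    "62e90394-69f5-4237-9190-012177145e10",  # Global Administrator
    "194ae4cb-b126-40b2-bd5b-6091b380977d",  # Security Administrator
    "29232cdf-9323-42fd-ade2-1d097af3e4de"   # Exchange Administrator
)

# Built-in authentication strength "Phishing-resistant MFA": FIDO2 keys, passkeys,
# Windows Hello for Business, certificate-based auth. SMS, voice, TOTP and push do not satisfy it.
$phishingResistant = "00000000-0000-0000-0000-000000000004"

function New-ReportOnlyPolicy($Name, $Conditions, $Grant) {
    # enabledForReportingButNotEnforced = report-only. Flip to "enabled" after review.
    New-MgIdentityConditionalAccessPolicy -BodyParameter @{
        displayName   = $Name
        state         = "enabledForReportingButNotEnforced"
        conditions    = $Conditions
        grantControls = $Grant
    }
}

# 1. MFA for all users, all apps, all locations.
New-ReportOnlyPolicy "CA01 Require MFA for all users" @{
    users        = @{ includeUsers = @("All"); excludeUsers = @($breakGlass) }
    applications = @{ includeApplications = @("All") }
} @{ operator = "OR"; builtInControls = @("mfa") }

# 2. Block legacy authentication: Exchange ActiveSync plus "other clients"
#    (IMAP, POP, SMTP AUTH and anything else that cannot do modern auth).
New-ReportOnlyPolicy "CA02 Block legacy authentication" @{
    users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass) }
    applications   = @{ includeApplications = @("All") }
    clientAppTypes = @("exchangeActiveSync", "other")
} @{ operator = "OR"; builtInControls = @("block") }

# 3. Admin roles: compliant device AND phishing-resistant MFA, for every app.
#    "mfa" must not be in builtInControls when authenticationStrength is set.
New-ReportOnlyPolicy "CA03 Admins require compliant device and phishing-resistant MFA" @{
    users        = @{ includeRoles = $adminRoles; excludeUsers = @($breakGlass) }
    applications = @{ includeApplications = @("All") }
} @{ operator = "AND"; builtInControls = @("compliantDevice"); authenticationStrength = @{ id = $phishingResistant } }

# 4. Block sign-ins from outside the countries you operate in.
#    includeUnknownCountriesAndRegions = $false means IPs that cannot be geolocated
#    are NOT in the allowed location and therefore get blocked; set $true to be lenient.
$allowed = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Allowed countries"
    countriesAndRegions               = @("CA", "US")
    includeUnknownCountriesAndRegions = $false
}
New-ReportOnlyPolicy "CA04 Block sign-ins outside allowed countries" @{
    users        = @{ includeUsers = @("All"); excludeUsers = @($breakGlass) }
    applications = @{ includeApplications = @("All") }
    locations    = @{ includeLocations = @("All"); excludeLocations = @($allowed.Id) }
} @{ operator = "OR"; builtInControls = @("block") }

# After reviewing report-only results (Entra sign-in logs, "Report-only" tab) for a week:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId <policy id> -State enabled
```

Two things to check before enforcing: the sign-in logs for CA03 will show which admins would have been blocked because they still have only SMS or push registered, which is the list from Step 1 to work through first; and the Intune compliance policy that CA03 depends on must already mark the admins' devices compliant, otherwise enforcing it locks the admins out on day one.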
Step 4: Communicate and Train Before You Enforce
The rollout fails when users are surprised. Two weeks before enforcement:
- Send an email from leadership explaining what MFA is, why you're implementing it, and what staff need to do
- Provide a one-page guide for setting up the Microsoft Authenticator (or link to Microsoft's own documentation)
- Schedule brief optional setup sessions, 15 minutes, in-person or on Teams, for staff who want help
- Set up a helpdesk ticket category for MFA setup issues
On enforcement day, plan for a spike in helpdesk tickets. That's normal. It lasts two to three business days as the last few users work through setup.
Step 5: Handle Exceptions Properly
Every rollout surfaces someone who says they can't use MFA: an executive who refuses, a staff member without a smartphone, an application that breaks. Handle these case by case:
- No smartphone: Microsoft Authenticator can be set up on a tablet. FIDO2 keys work without a phone. Hardware OATH tokens are available for a few dollars each. "I don't have a phone" is not an acceptable exemption; it has a solution.
- Executive resistance: A named exception for the CEO is a permanent security hole, and the executive mailbox is exactly the account a business email compromise attacker wants, because payment instructions sent from it get acted on. Present the cyber insurance implications.
- Legacy line-of-business apps that break: Some applications can't handle an interactive MFA prompt. Move them to a narrowly permissioned service identity that authenticates with a certificate or client secret rather than a user password, or modernise the application. Document any remaining exception with its owner, the compensating control (such as an IP restriction), and a remediation date.
Frequently Asked Questions
Will MFA affect our VPN? It should. Your VPN should require MFA for authentication; this is one of the specific questions on most cyber insurance questionnaires. Most modern VPN solutions support RADIUS with MFA or SAML-based authentication through Entra ID, and the SAML route has the advantage that your Conditional Access policies apply to the VPN as well.
How long does a typical 20-person rollout take? With preparation, the technical enablement takes one to two days. The communication and user onboarding period takes one to two weeks. Budget two weeks from announcement to full enforcement.
Talk to a Prince George-based IT team about rolling out MFA across your organisation, call 672-983-1174 or book a free assessment at northstarit.ca.
Need help rolling out MFA company-wide?
North Star handles MFA deployments for BC SMBs, including user communication, Conditional Access setup, and exception management. Get started with a free assessment.
Frequently asked questions
What is the best way to start an MFA setup for business?
The most effective start is auditing your current environment to identify every access point, from email to VPNs. Next, select an authentication method that balances security with ease of use, such as mobile push notifications or hardware tokens. Partnering with a managed service provider ensures your configuration follows industry best practices. This helps avoid common pitfalls during the initial deployment phase and secures your organisation against the most frequent types of cyber attacks.
How does an MFA rollout policy improve security?
An MFA rollout policy provides a formal framework for how authentication is enforced across the company. It defines which users require specific factors, how to handle lost devices, and the timeline for implementation. By standardising these procedures, you reduce the risk of human error and ensure that no accounts are left unprotected. A clear policy also helps with regulatory compliance and cyber insurance requirements by demonstrating a commitment to proactive data protection.
Which MFA methods are most secure for SMBs?
While SMS-based codes are better than no MFA, they are vulnerable to SIM swapping. For SMBs, we recommend app-based push notifications with number matching for staff and FIDO2-compliant hardware keys for administrators. Hardware keys provide the strongest protection against phishing and adversary-in-the-middle attacks. Our team helps businesses across BC and Alberta evaluate their specific risk profile to choose the most appropriate and cost-effective method for their workforce, ensuring both high security and high user satisfaction during the transition.
Can MFA help with insurance compliance in Canada?
Yes, most cyber insurance providers in Canada now mandate MFA for remote access and administrative accounts as a condition for coverage. Implementing a robust MFA setup for business not only lowers your risk profile but can also help reduce insurance premiums. By following a structured rollout guide, you can provide the necessary documentation to insurers, proving that your business has taken essential steps to mitigate the risk of data breaches and unauthorised system access.