MFA That Users Actually Use: Identity Security Without Killing Productivity
Most failed MFA rollouts fail on user experience, not technology. We design the conditional access policies, app integrations, and recovery flows so the security is real and the friction is invisible. Microsoft 365 identity, Duo, or Okta.
The most common reason MFA rollouts fail is not technology; it is user experience. Prompts on every login, no accommodation for corporate devices, poor recovery flows, and an IT team that fields password lockout calls all day. Staff start sharing workarounds. The security evaporates before it ever delivers value.
North Star, based in Prince George, BC, designs MFA and identity management deployments that are secure because they work: Conditional Access policies that prompt when risk is real and step back when it is not, application integrations that produce one login instead of twelve, and recovery flows that are tested before they are needed. Microsoft 365 identity, Duo, or Okta, matched to your environment.
We serve businesses across British Columbia, Alberta, and Yukon.
What Is Identity Security and Why Does It Matter?
Your identity layer, the accounts, passwords, and authentication mechanisms your staff use to access business systems, is the most common entry point for attackers. Compromised credentials account for the majority of breaches. Multi-factor authentication stops most credential-based attacks by requiring something beyond a password, but only if it is deployed correctly and used consistently.
Identity hygiene matters beyond MFA: stale accounts for departed staff, over-privileged service accounts, orphaned application credentials, and unreviewed group memberships are all exploitable paths that exist in almost every organisation that has not run a formal identity review.
North Star manages the full identity stack: MFA deployment, Conditional Access policy design, SSO integration, and quarterly hygiene reviews.
What North Star Delivers
Conditional Access: Smart Prompts, Not Constant Prompts
MFA where the risk warrants it: new device, new location, elevated risk score, or access to sensitive data. Trusted devices on your corporate network skip the extra prompt. Users notice the security controls when they matter and do not notice them when they do not. Fewer calls to helpdesk, better compliance than blanket MFA prompts.
Application Integration: Single Sign-On Done Right
Microsoft 365, Google Workspace, AWS, and your SaaS stack federated to a single identity provider. One login, one MFA prompt, fewer credentials to phish. Application federation documented and tested for each integrated application.
Recovery Flows: Lockouts That Do Not Stop the Business
Account recovery documented and tested before deployment. Help-desk-driven reset with verified identity confirmation, not a self-service reset that bypasses the MFA you just deployed. Recovery procedure reviewed with every staff member during rollout.
Identity Hygiene: Quarterly Review
Stale accounts, over-privileged identities, orphaned service principals, unused app registrations, and guest accounts without active use cases reviewed and cleaned every quarter. Findings documented. Remediation tracked.
Ongoing Monitoring
Sign-in risk alerts, identity protection events, and unusual authentication patterns monitored continuously. Suspicious sign-ins escalated on the same SLA as security incidents.
How It Works
Step 1: Assess
Current identity posture documented: MFA coverage, existing Conditional Access policies, application federation state, and identity hygiene issues. Gap analysis produced before changes are made.
Step 2: Design
Policy set tuned to your risk level and your user population. Phased rollout plan produced so day one is not a helpdesk flood. Recovery procedures documented and agreed.
Step 3: Deploy
Phased enrolment with self-service registration, user communications, and exec-priority support during rollout. Coverage tracked to 100% of accounts.
Step 4: Operate
Continuous sign-in monitoring. Quarterly hygiene review. Conditional Access policies reviewed and updated as your environment evolves.
Who This Is For
- BC, Alberta, or Yukon businesses on Microsoft 365 that have not yet deployed MFA, or deployed it inconsistently
- Organisations whose cyber insurance renewal has flagged MFA as a required control
- Businesses that have had a credential-based breach or account takeover and need to close the gap
- IT managers whose MFA rollout stalled because of user resistance and need a different approach
What buyers ask before they sign
Will MFA slow our staff down?
Properly implemented Conditional Access minimises friction. Trusted devices on your corporate network or compliant managed devices get fewer prompts. The security overhead is concentrated on the high-risk scenarios (new devices, new locations, and sensitive data access) where it genuinely matters.
What if staff lose access to their authenticator app?
Recovery procedures are documented and tested before deployment. We do not deploy MFA and hope for the best with recovery. Your helpdesk has a clear, verified recovery process for every scenario.
Do you deploy MFA for all our applications?
We federate as many applications as technically possible to your identity provider so MFA covers the broadest possible range of access with the fewest MFA prompts. Some applications do not support federation; we document those and recommend mitigating controls.
What identity platform do you work with?
Microsoft Entra ID (Azure AD) is the most common platform for businesses on Microsoft 365. We also deploy and manage Duo and Okta for organisations that need a platform-independent solution or have non-Microsoft applications to protect.
How do you handle guest or contractor accounts?
Guest and contractor accounts are covered in the identity hygiene review. We apply time-limited access, restricted Conditional Access policies, and periodic access review to ensure contractor accounts do not accumulate standing access beyond their engagement.
Why North Star
North Star is a Prince George-based cybersecurity provider serving businesses across BC (Northern BC in particular), Alberta, and Yukon. We deploy MFA as part of a complete identity management programme, not a one-time project that is never revisited. Conditional Access policies are maintained as your environment evolves. Quarterly hygiene reviews keep your identity layer clean. And our helpdesk handles the recovery calls so MFA rollout does not create a crisis.
Get a quote on MFA & identity.
Tell us a bit about your environment and we'll come back with a scoped proposal in two business days. No obligation, no pressure.
Identity is the perimeter. MFA is the lock on the door.
The majority of successful cyberattacks against Canadian SMBs start with a compromised credential. A staff member's password is guessed, phished, or purchased from a dark web dump, and the attacker logs in with a valid username and password. If MFA (multi-factor authentication) is not enforced, that is all it takes to get into your Microsoft 365 tenant, your email, your SharePoint files, and potentially your line-of-business applications. Identity management is the practice of ensuring that only the right people can access the right systems, and that you know what is happening when they do.
Most failed MFA rollouts fail on user experience, not technology. Staff find workarounds, disable their authenticator app, or convince IT to add exceptions for specific accounts. The result is a partially implemented MFA policy that provides false confidence. North Star designs MFA deployments with the user experience in front: we configure Conditional Access policies so that MFA prompts appear at the right time (risky sign-ins, new devices, sensitive applications) without interrupting routine work on trusted devices. We use Microsoft Authenticator with number matching and phishing-resistant FIDO2 keys for accounts that warrant it, and we design recovery flows so that a lost phone does not lock a staff member out permanently.
MFA and identity management deliverables.
- MFA deployment: Microsoft Authenticator with number matching enforced for all Microsoft 365 accounts. Phishing-resistant FIDO2 keys for privileged admin accounts.
- Conditional Access policy design: risk-based MFA prompts, compliant device requirements, geographic and IP-based restrictions, and legacy authentication blocking.
- Identity hygiene review: audit of all user accounts, admin accounts, service accounts, and shared mailboxes. Identifies inactive accounts, over-privileged accounts, and accounts without MFA.
- Privileged access management: just-in-time admin access using Entra ID Privileged Identity Management (PIM). Global admin rights are not permanently assigned.
- Risky sign-in monitoring: Entra ID Identity Protection configured to flag and block sign-ins from unfamiliar locations, anonymizing proxies, and known malicious IP ranges.
- Recovery flow design: documented process for account recovery when a staff member loses their authenticator. Secure enough to resist social engineering, practical enough not to create a week-long IT ticket.
- Guest access review: audit of external collaborator (guest) accounts in your M365 tenant. Removes stale guests and applies appropriate access controls.
- Ongoing monitoring: monthly review of sign-in logs and identity alerts. You receive a summary of flagged sign-ins and actions taken.
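To make the Conditional Access design above concrete, here is an added example (not North Star's or Microsoft's code) of a toy policy evaluator. The four policies are written in a simplified form of Microsoft Graph's conditionalAccessPolicy shape (authenticationStrength is a plain string here, not a Graph object), and the sign-in context keys clientApp, compliant, roles and risk are constructed for the example; real Entra ID evaluates many more conditions.

```python
# Added example, not North Star's or Microsoft's code: a toy evaluator for the
# Conditional Access policy set described above. Policies use a simplified form
# of Graph's conditionalAccessPolicy shape; sign-in contexts are constructed.
POLICIES = [
    {"displayName": "Block legacy authentication",
     "conditions": {"clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"builtInControls": ["block"]}},
    {"displayName": "Require MFA unless the device is compliant",
     "conditions": {"clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
                    "devices": {"deviceFilter": {"mode": "exclude",
                                "rule": "device.isCompliant -eq True"}}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Admins need phishing-resistant MFA everywhere",
     "conditions": {"users": {"includeRoles": ["Global Administrator"]}},
     "grantControls": {"authenticationStrength": "phishingResistantMfa"}},
    {"displayName": "Block high-risk sign-ins",
     "conditions": {"signInRiskLevels": ["high"]},
     "grantControls": {"builtInControls": ["block"]}},
]
STRENGTH = {"allow": 0, "mfa": 1, "phishingResistantMfa": 2, "block": 3}

def _matches(policy, ctx):
    """True when every condition the policy states holds for this sign-in."""
    c = policy["conditions"]
    if "clientAppTypes" in c and ctx["clientApp"] not in c["clientAppTypes"]:
        return False
    if "signInRiskLevels" in c and ctx["risk"] not in c["signInRiskLevels"]:
        return False
    roles = c.get("users", {}).get("includeRoles", [])
    if roles and not set(roles) & set(ctx["roles"]):
        return False
    flt = c.get("devices", {}).get("deviceFilter")  # only the "exclude compliant" rule is modelled
    if flt and flt["mode"] == "exclude" and ctx["compliant"]:
        return False
    return True

def evaluate(ctx, policies=POLICIES):
    """Every matching policy applies, as in Entra ID: 'block' wins outright,
    otherwise the strongest grant control any matching policy asks for is required."""
    outcome = "allow"
    for p in policies:
        if not _matches(p, ctx):
            continue
        g = p["grantControls"]
        req = "block" if "block" in g.get("builtInControls", []) else (
            g.get("authenticationStrength") or g["builtInControls"][0])
        if STRENGTH[req] > STRENGTH[outcome]:
            outcome = req
    return outcome
```

Call evaluate() with a context such as {"clientApp": "browser", "compliant": True, "roles": [], "risk": "none"} to see a trusted office device pass with no prompt, while the same user on an unmanaged device gets "mfa", an IMAP/SMTP basic-auth client gets "block", and a Global Administrator always gets "phishingResistantMfa".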
Any business with Microsoft 365 accounts and more than two staff.
If your business uses Microsoft 365 and MFA is not enforced on every account with a Conditional Access policy, you are at measurable risk. This applies to businesses of all sizes and industries. A Whitehorse retail business with five staff and a shared Microsoft 365 tenant is a target for credential stuffing attacks just as much as a larger firm, because attackers scan for vulnerable tenants at scale. A 40-person engineering firm in Prince George with a mix of remote and office staff needs MFA that works reliably on mobile devices, from job sites, and on managed laptops without becoming a daily source of IT tickets.
Businesses applying for or renewing cyber insurance in Canada will almost universally be asked whether MFA is enforced on all accounts and all remote access. The answer must be yes. Insurance carriers in Canada are increasingly requiring phishing-resistant MFA (FIDO2 or certificate-based) for admin accounts, not just SMS or email codes. North Star designs to the standard that insurers actually require, not a bare minimum that may not satisfy the questionnaire at renewal time.
Organizations subject to privacy legislation under BC PIPA, AB PIPA, or PIPEDA are required to implement reasonable security safeguards. Enforced MFA on all accounts is baseline. A regulatory body or privacy commissioner reviewing an incident involving a compromised Microsoft 365 account will ask whether MFA was enforced. If the answer is no, the organization faces regulatory exposure in addition to the operational and reputational damage of the breach.
Project fee for deployment, optional ongoing monitoring.
MFA and identity management deployment is typically a project-based engagement: we design the Conditional Access policies, deploy and configure MFA for all users, run a training session for staff, and deliver a written summary of the configuration. Ongoing monitoring (monthly sign-in log review, quarterly access review) can be added as a retainer or bundled into a managed IT services plan. Microsoft 365 Business Premium or Entra ID P1/P2 licensing is required for Conditional Access; we can assess your current licensing and recommend the appropriate tier as part of the engagement.
What clients ask before starting.
We have MFA turned on already. Is that enough?
MFA enabled by default in Microsoft 365 (Security Defaults) is better than nothing, but it is not the same as a properly configured Conditional Access policy. Security Defaults blocks legacy authentication and requires MFA, but it does not allow risk-based policies, device compliance requirements, or the granular exceptions that organizations need for service accounts and guest users. We frequently find that Security Defaults is bypassed by legacy protocols that were excluded, or that staff have MFA on their personal accounts but admin accounts were grandfathered in without it.
What if a staff member loses their phone?
We design recovery flows during deployment. The standard North Star process requires the staff member to call IT from a known number, verify identity with information that is not publicly available, and have the recovery processed by an authorized IT contact. The recovery is logged. We do not configure SMS-based recovery codes because phone number spoofing makes them a social engineering risk. FIDO2 hardware keys are recommended as backup authenticators for staff who travel frequently or are in high-risk roles.
Do you support Duo or Okta instead of Microsoft Authenticator?
Yes. If you have Duo or Okta already deployed, we can integrate those with Microsoft 365 and configure Conditional Access to rely on them. For businesses starting from scratch, Microsoft Authenticator with Microsoft's native Conditional Access is the most cost-effective option if you are already on Microsoft 365 Business Premium or have Entra ID P1 licensing. Duo is appropriate if you have a heterogeneous environment with non-Microsoft applications that need centralized MFA.
Will MFA break our line-of-business applications?
Some older line-of-business applications that connect to Microsoft 365 using basic authentication will break when legacy authentication is blocked. We identify these during the planning phase, before any Conditional Access policy goes live. For applications that require it, we configure service accounts with modern authentication or certificate-based authentication. We do not block legacy authentication and discover the impact afterward; we test it in a pilot group first and address issues before rolling out to all users.
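The planning-phase check described above, finding which accounts still depend on legacy authentication before the blocking policy goes live, can be done from the Entra sign-in logs. This is an added example, not North Star's tooling: it reads records in the shape returned by Graph's /auditLogs/signIns endpoint (properties userPrincipalName, clientAppUsed, appDisplayName and status.errorCode), and the sample records, account names and counts are constructed.

```python
import json
from collections import defaultdict

# clientAppUsed values Entra ID reports for legacy (basic) authentication.
# These are the protocols a "block legacy authentication" Conditional Access
# policy stops, so any account still using them needs attention before go-live.
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync", "IMAP4", "POP3", "Authenticated SMTP", "SMTP",
    "Exchange Web Services", "MAPI Over HTTP", "Offline Address Book",
    "Outlook Anywhere (RPC over HTTP)", "Autodiscover", "Other clients",
}

# Constructed sample records in the shape of Graph's /auditLogs/signIns output
# (only the properties used below are included; names and counts are made up).
SAMPLE_SIGNINS = json.dumps([
    {"userPrincipalName": "scanner@example.com", "clientAppUsed": "Authenticated SMTP",
     "appDisplayName": "Office 365 Exchange Online", "status": {"errorCode": 0}},
    {"userPrincipalName": "scanner@example.com", "clientAppUsed": "Authenticated SMTP",
     "appDisplayName": "Office 365 Exchange Online", "status": {"errorCode": 0}},
    {"userPrincipalName": "jdoe@example.com", "clientAppUsed": "Browser",
     "appDisplayName": "Office 365 SharePoint Online", "status": {"errorCode": 0}},
    {"userPrincipalName": "jdoe@example.com", "clientAppUsed": "IMAP4",
     "appDisplayName": "Office 365 Exchange Online", "status": {"errorCode": 50126}},
    {"userPrincipalName": "accounting@example.com", "clientAppUsed": "Exchange ActiveSync",
     "appDisplayName": "Office 365 Exchange Online", "status": {"errorCode": 0}},
])

def legacy_auth_report(signins_json):
    """Map each account that successfully used a legacy protocol to the protocols
    and successful sign-in counts. Failed attempts (non-zero errorCode) are left
    out: they are usually password spraying, not a real client dependency."""
    report = defaultdict(lambda: defaultdict(int))
    for rec in json.loads(signins_json):
        app = rec.get("clientAppUsed", "")
        if app not in LEGACY_CLIENT_APPS or rec.get("status", {}).get("errorCode", 0) != 0:
            continue
        report[rec["userPrincipalName"]][app] += 1
    return {user: dict(apps) for user, apps in sorted(report.items())}

if __name__ == "__main__":
    for user, apps in legacy_auth_report(SAMPLE_SIGNINS).items():
        print(f"{user}: {apps} -> move to modern auth or exclude before blocking")
```

Each account the report lists is a pilot-group candidate: the multifunction printer or scanner sending over Authenticated SMTP and the mobile device still on ActiveSync are exactly the integrations that break on day one if legacy authentication is blocked without this step.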
MFA that works for your staff, not just on paper.
North Star is based in Prince George and serves BC, Alberta, and the Yukon. We design MFA deployments around the actual user experience of your staff: field workers on mobile devices in the Peace Region, remote staff in Whitehorse logging in over Starlink, office staff switching between shared workstations. The technical configuration is only part of the work. We also run a staff communication and training session so that the rollout does not generate a flood of IT tickets on day one. The goal is MFA that actually gets used, not MFA that gets disabled because it is too frustrating to live with.