Home › MFA for business: how to turn it on

MFA for business: what it is and how to actually turn it on in Microsoft 365

Guide 03 · Email & M365 security for Australian SMBs

Short answer: Multi-factor authentication (MFA) makes users prove their identity with a second factor — usually an authenticator-app approval or a passkey — on top of their password, so a stolen password alone can't get an attacker in. To turn it on in Microsoft 365, the simplest path is to enable security defaults in the Entra admin centre, which requires MFA for all users. If you have Business Premium, use conditional access instead for more control. Roll it out to administrators first, give staff a heads-up, and prefer an authenticator app over SMS.

What MFA actually is

Authentication factors come in three kinds: something you know (a password), something you have (a phone, an authenticator app, a passkey/security key), and something you are (a fingerprint or face). MFA simply means requiring at least two of these. In practice, for most businesses, it's your password plus an approval on your phone.

The value is straightforward: passwords get phished, reused and leaked constantly. MFA means that even when a password is stolen, the attacker is stopped at the second factor. It's widely regarded as the highest-impact single security control a small business can turn on.

Which method to use

Not all second factors are equal:

Rule of thumb: default everyone to the Microsoft Authenticator app (with number matching) or passkeys. Reserve SMS for the rare user who genuinely can't use an app, and plan to move them off it.

How to turn on MFA in Microsoft 365

There are two supported paths. Pick one based on your licence.

Path A — Security defaults (any plan, simplest)

  1. Sign in to the Microsoft Entra admin centre as a Global Administrator.
  2. Go to Identity → Overview → Properties (or Identity → Protection depending on your portal).
  3. Open Manage security defaults and set it to Enabled, then save.
  4. All users are now prompted to register for MFA at their next sign-in. Legacy authentication is blocked automatically as part of security defaults.

Security defaults are free, apply to everyone, and are the right choice for most small businesses without special requirements.

Path B — Conditional access (Business Premium, more control)

  1. Confirm you have Microsoft 365 Business Premium (or an Entra ID P1/P2 plan). Conditional access needs it.
  2. In the Entra admin centre go to Protection → Conditional Access.
  3. Create a policy that targets All users (with a break-glass account excluded), for All cloud apps, granting access only if MFA is completed.
  4. Create a second policy to block legacy authentication explicitly.
  5. Start each policy in report-only mode, review the impact, then switch to On.

Conditional access lets you require MFA based on location, device compliance, sign-in risk and app — for example, always challenge admins, or challenge sign-ins from outside Australia.

Roll it out without breaking your week

  1. Admins first. Enable and test MFA on administrator accounts before touching everyone else.
  2. Warn users ahead of time. Send a short note explaining they'll be asked to set up an app, with a link to Microsoft's setup steps. Surprise MFA prompts generate help-desk tickets and mistrust.
  3. Create a break-glass account. One emergency-access account excluded from your MFA policy, with a long password stored securely, so you can never lock yourself out of your own tenant.
  4. Register two methods per user. An app plus a backup (a second device or codes) so a lost phone doesn't lock someone out.
  5. Block legacy authentication. If you don't, older mail clients and protocols can bypass MFA entirely — undoing the whole exercise.

The gotchas nobody warns you about

Frequently asked questions

What is multi-factor authentication?

MFA requires a second proof of identity in addition to your password — typically an approval in an authenticator app, a passkey, or a one-time code. Because an attacker would need both your password and your second factor, a stolen or guessed password is no longer enough to get in.

Is an authenticator app or SMS better?

An authenticator app or a passkey is stronger than SMS. Text-message codes can be intercepted or redirected via SIM-swap, and are more easily phished. Use the Microsoft Authenticator app with number matching, or passkeys, as the default and keep SMS only as a last-resort fallback.

Does MFA cost extra in Microsoft 365?

Basic MFA is available on every Microsoft 365 plan at no extra cost through security defaults. Conditional access, which gives you finer control over when and how MFA is required, needs Business Premium or an equivalent Entra ID plan.

Want your Microsoft 365 security checked and locked down properly?

That's what SG1 Consulting does — MFA and conditional access rolled out cleanly, legacy auth closed off, break-glass and printers handled, for Australian businesses.

Talk to SG1 →