Cloud & Microsoft 365

How to Configure Multi-Factor Authentication in Microsoft 365

1 May 2026 · 6 min read · By Hak, VantagePoint Networks

Cyber threats to UK businesses are evolving faster than ever, and Microsoft 365 users remain prime targets for account takeover attacks. Whether your organisation stores sensitive client data, financial records, or confidential legal documents, passwords alone simply aren't enough anymore. Setting up MFA in Microsoft 365 is no longer optional; it's essential. This guide walks you through configuring multi-factor authentication in Microsoft 365, with practical steps tailored for London-based SMBs, professional services firms, and financial advisory practices.

Why Multi-Factor Authentication Matters for Your Organisation

Even the strongest passwords can be compromised through phishing attacks, credential stuffing, or social engineering. Your employees might reuse passwords across personal and work accounts, or inadvertently click malicious links in emails that look legitimate. Once a single employee's credentials fall into the wrong hands, attackers gain access to your entire Microsoft 365 environment—email, SharePoint, Teams, OneDrive, and potentially sensitive client information.

Multi-factor authentication (MFA) adds a critical second layer of defence. Even if someone obtains your employee's password, they cannot access the account without also providing a second form of verification. This might be:

For professional services organisations handling confidential client data, financial firms managing client portfolios, and legal practices with strict compliance obligations, MFA is not just a best practice—it's increasingly a regulatory requirement. The Information Commissioner's Office (ICO) expects UK organisations to implement appropriate technical and organisational measures, and MFA is considered a fundamental control.

Enabling MFA for Your Microsoft 365 Users

Step 1: Verify Your Microsoft 365 Licence

Most Microsoft 365 business plans include MFA capabilities at no extra cost. The only exception is Microsoft 365 Business Basic (formerly Microsoft 365 Business Essentials), which requires users to enable MFA through the Azure AD free tier, though enforcement options are limited. If you're on Business Standard, Business Premium, or any Enterprise plan, you have full MFA functionality available.

Step 2: Access the Microsoft 365 Admin Centre

Sign in to the Microsoft 365 admin centre using an account with Global Administrator or Security Administrator permissions. Navigate to Settings > Org settings > Security & privacy. From here, you can enable MFA at the organisational level, but we recommend a more measured approach—first implementing it for high-risk users and administrators, then rolling out organisation-wide.

Step 3: Enable MFA for Administrator Accounts First

Your Global Administrators, Security Administrators, and Exchange Administrators have the highest-privilege access and are the most attractive targets for attackers. Microsoft's data shows that accounts with admin roles are targeted 15 times more frequently than standard user accounts.

The safest approach is to require MFA for all administrative accounts immediately. This protects your organisation's crown jewels whilst you plan the broader rollout. Users can configure their preferred authentication method (authenticator app, phone call, or SMS) in their Microsoft 365 account settings.

Step 4: Set Up MFA for All Users

Once you've confirmed administrators can authenticate successfully, enable MFA for all users. You can roll this out in waves—for example, starting with finance teams and customer-facing staff who handle the most sensitive information, then progressively extending to the rest of the organisation.

Be aware that some users will resist change, particularly those unfamiliar with technology. Plan ahead by:

Choosing the Right Authentication Methods

Authenticator App (Recommended)

The Microsoft Authenticator app, Google Authenticator, or Authy are the most secure MFA methods. Users install the app on their smartphone and receive a push notification or generate a time-based code each time they sign in. This method is resistant to phishing because the app verifies the sign-in location, not just a code.

Phone Call or SMS

Users receive a phone call or text message with a code to enter. Whilst convenient, SMS is less secure than authenticator apps and can be vulnerable to SIM swap attacks, where a criminal tricks a mobile network into transferring the victim's phone number to a different device. Avoid relying solely on SMS for high-privilege accounts.

Hardware Security Keys

Physical devices like YubiKey provide the strongest security and are ideal for administrators or staff handling highly sensitive data. However, they cost more and require careful management to prevent loss or misplacement.

Windows Hello

For organisations using Windows 10 or 11 across their fleet, Windows Hello (facial recognition or other biometric login) offers seamless MFA integration. Users authenticate to their device once, and their credential is automatically provided to Microsoft 365 applications.

We recommend allowing users to register multiple authentication methods. For example, an employee might use their authenticator app as the primary method but register a backup phone number in case they lose their phone. This reduces support burden and improves user experience.

Managing MFA Policies and Best Practices

Once MFA is enabled, configure conditional access policies to optimise security without excessive friction. Conditional access allows you to apply MFA selectively based on risk factors—for instance, requiring MFA when a user signs in from an unfamiliar location or device, but not for routine logins from the office.

Set clear policies for your organisation:

Legacy authentication is a significant weakness. Many organisations still have users connecting via older email clients that cannot prompt for MFA. Blocking these protocols forces users onto modern clients like Outlook or the web interface, both of which fully support MFA.
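The two controls just described, conditional access requiring MFA and a block on legacy authentication, can be checked rather than assumed. The following is an added example, not VantagePoint's code or a Microsoft tool: it audits a list of Conditional Access policies in the shape Microsoft Graph returns from `GET /identity/conditionalAccess/policies` (the policy dicts below are constructed samples, and the break-glass account id is a placeholder).

```python
LEGACY = {"exchangeActiveSync", "other"}              # Graph clientAppTypes values
MODERN = {"browser", "mobileAppsAndDesktopClients"}

def _applies_to_all(policy):
    # Only "enabled" enforces anything: report-only ("enabledForReportingButNotEnforced")
    # and disabled policies just log. Excluded users are ignored on purpose, because
    # excluding a break-glass account is expected practice and must not fail the audit.
    cond = policy.get("conditions", {})
    return (policy.get("state") == "enabled"
            and "All" in cond.get("users", {}).get("includeUsers", [])
            and "All" in cond.get("applications", {}).get("includeApplications", []))

def _client_apps(policy):
    return set(policy.get("conditions", {}).get("clientAppTypes", []))

def blocks_legacy_auth(policy):
    apps, controls = _client_apps(policy), policy.get("grantControls") or {}
    return (_applies_to_all(policy) and ("all" in apps or LEGACY <= apps)
            and "block" in controls.get("builtInControls", []))

def requires_mfa_for_all(policy):
    apps, controls = _client_apps(policy), policy.get("grantControls") or {}
    return (_applies_to_all(policy) and ("all" in apps or MODERN <= apps)
            and ("mfa" in controls.get("builtInControls", [])
                 or controls.get("authenticationStrength") is not None))

def audit(policies):
    """Return the gaps found; an empty list means both controls are in place."""
    findings = []
    if not any(blocks_legacy_auth(p) for p in policies):
        findings.append("legacy authentication is not blocked for all users")
    if not any(requires_mfa_for_all(p) for p in policies):
        findings.append("MFA is not required for all users")
    return findings

# Constructed sample: the legacy-auth block was left in report-only mode, a
# common mistake that leaves the weakness described above wide open.
SAMPLE_POLICIES = [
    {"displayName": "Block legacy authentication", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]}, "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["<break-glass-account-id>"]},
                    "applications": {"includeApplications": ["All"]}, "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]
```

Running `audit(SAMPLE_POLICIES)` reports only the legacy-auth gap; flipping the first policy's state to `enabled` clears it.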

Monitor failed sign-in attempts through the Azure AD sign-in logs. A sudden spike in failed MFA attempts could indicate an attacker attempting to breach accounts. Many organisations—particularly those we work with at VantagePoint Networks—establish a baseline of normal sign-in patterns so anomalies are quickly detected.
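As an added example (not VantagePoint's code), here is the baseline-and-spike check from the paragraph above run over sign-in log entries in the shape Microsoft Graph returns from `GET /auditLogs/signIns`, together with a check for successful sign-ins over the legacy protocols discussed earlier. The log entries are constructed samples; the error code 500121 (failed strong-authentication request) and the `clientAppUsed` names are taken from Entra ID's documented values.

```python
from collections import Counter

# Entra ID sign-in error codes: 500121 = the strong-authentication (MFA) request
# failed, was denied or timed out; 0 = success.
MFA_FAILURE_CODES = {500121}
# clientAppUsed values for legacy protocols that cannot prompt for MFA.
LEGACY_CLIENTS = {"Exchange ActiveSync", "IMAP4", "POP3", "Authenticated SMTP", "Other clients"}

def _event(upn, when, code, client="Browser", ip="203.0.113.10"):
    # Minimal record in the Graph signIn shape (constructed sample data).
    return {"userPrincipalName": upn, "createdDateTime": when, "ipAddress": ip,
            "clientAppUsed": client, "status": {"errorCode": code}}

# Constructed sample log: alice gets eight denied MFA prompts within one hour
# from an unfamiliar address, bob fails one prompt, and carol still fetches
# mail over IMAP4, which never triggers MFA at all.
SAMPLE_LOG = (
    [_event("alice@example.com", f"2026-05-01T09:{m:02d}:00Z", 500121, ip="198.51.100.7")
     for m in range(2, 58, 7)]
    + [_event("bob@example.com", "2026-05-01T09:30:00Z", 500121)]
    + [_event("carol@example.com", "2026-05-01T09:45:00Z", 0, client="IMAP4")]
)

def mfa_failures_per_hour(events):
    """Count failed MFA challenges per (user, hour)."""
    counts = Counter()
    for e in events:
        if e["status"]["errorCode"] in MFA_FAILURE_CODES:
            counts[(e["userPrincipalName"], e["createdDateTime"][:13])] += 1
    return counts

def mfa_spikes(events, baseline, floor=5, multiplier=3):
    """Flag (user, hour, count) where failed MFA prompts exceed both an absolute
    floor and `multiplier` times that user's baseline hourly failure rate."""
    return sorted((user, hour, n) for (user, hour), n in mfa_failures_per_hour(events).items()
                  if n >= floor and n >= multiplier * baseline.get(user, 0))

def legacy_auth_successes(events):
    """(user, protocol) pairs that signed in successfully without any MFA."""
    return sorted({(e["userPrincipalName"], e["clientAppUsed"]) for e in events
                   if e["clientAppUsed"] in LEGACY_CLIENTS and e["status"]["errorCode"] == 0})

if __name__ == "__main__":
    baseline = {"alice@example.com": 0.5, "bob@example.com": 0.5}  # failures/hour from history
    print(mfa_spikes(SAMPLE_LOG, baseline))       # [('alice@example.com', '2026-05-01T09', 8)]
    print(legacy_auth_successes(SAMPLE_LOG))      # [('carol@example.com', 'IMAP4')]
```

The baseline dict would normally be derived from several weeks of the same log; the floor stops a user with a near-zero baseline being flagged for a single mistyped prompt.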

Ensure your support team is prepared to assist users who lose access to their authentication device or forget their setup. Establish a clear process for verifying user identity and temporarily disabling MFA for account recovery, then requiring the user to re-register their authentication method.

MFA is not a standalone solution, but rather one component of a comprehensive security strategy. When combined with strong password policies, employee security awareness training, and regular audits of user permissions, MFA dramatically reduces your organisation's risk of account compromise. Whether you're a professional services firm protecting client confidentiality, a financial adviser safeguarding portfolios, or a legal practice managing privileged information, the investment in proper MFA configuration delivers measurable security improvements and peace of mind.

VantagePoint Networks is an independent senior IT and AI consultancy based in London. No account managers — every engagement is handled directly by the founder.