TL;DR: Multi-Factor Authentication (MFA) is the single highest-impact security control available to Australian businesses. It stops approximately 99% of automated account takeover attacks. This guide walks you through enabling MFA for Microsoft 365, rolling it out to your team, and configuring Conditional Access Policies for stronger enforcement.
What MFA Is and Why It Matters
Multi-Factor Authentication requires users to provide two or more verification factors to access an account — typically something they know (password) and something they have (their phone, running an authenticator app).
Even if an attacker has a user’s password — through phishing, data breach, or password guessing — MFA prevents them from signing in without the user’s physical phone. This is why Microsoft reports that MFA blocks over 99% of account compromise attacks.
For Australian businesses, the consequence of not having MFA is real and measurable: Business Email Compromise, Microsoft 365 account takeovers, and ransomware deployments via compromised credentials are consistently the leading cyber incidents reported to the ACSC and OAIC.
Enabling MFA for your entire organisation takes less than 30 minutes for an IT administrator and less than five minutes per user to set up. There is no technical justification for not having it enabled.
Part 1: Enabling MFA in Microsoft 365
There are two ways to enable MFA in Microsoft 365: Security Defaults (simpler, less control) and Conditional Access Policies (more powerful, recommended).
Option A: Security Defaults (Simpler)
Security Defaults is a set of pre-configured security settings Microsoft provides for Microsoft 365 tenants. Enabling it turns on MFA for all users with a single switch.
Steps to enable Security Defaults:
- Sign in to the Microsoft Entra admin centre at entra.microsoft.com
- Navigate to: Identity > Overview > Properties
- Select “Manage Security Defaults”
- Toggle “Security Defaults” to Enabled
- Save
What Security Defaults enables:
- MFA required for all users (at next sign-in)
- MFA required for all admin accounts (immediately)
- Legacy authentication protocols blocked
- MFA required for Azure portal access
Limitations of Security Defaults:
- No granular control over when MFA is required
- Cannot exclude specific users or applications
- Cannot require specific MFA methods (e.g., enforce authenticator app only, disallow SMS)
- Not compatible with Conditional Access Policies (you must choose one or the other)
Security Defaults is the right starting point for organisations with no existing MFA configuration.
Option B: Conditional Access Policies (Recommended)
Conditional Access Policies provide granular control over when MFA is required, which users and applications are included, and what happens when conditions are met.
Prerequisites: Conditional Access Policies require Azure AD P1 licences — included in Microsoft 365 Business Premium. Not available on Business Basic or Business Standard without additional licensing.
Step 1: Disable Security Defaults (if enabled)
- Go to entra.microsoft.com > Identity > Overview > Properties > Manage Security Defaults
- Toggle to Disabled
- Select a reason from the dropdown
Step 2: Create “Require MFA for All Users” Policy
- Go to entra.microsoft.com > Protection > Conditional Access
- Select “New Policy”
- Name: “Require MFA - All Users”
- Under Assignments > Users: Select “All Users” (exclude your emergency access account — see below)
- Under Target Resources: Select “All cloud apps”
- Under Access Controls > Grant: Select “Require multi-factor authentication”
- Enable policy: set to “On”
- Save
Step 3: Create Emergency Access Account
Before deploying MFA widely, create at least one emergency access account that is excluded from MFA Conditional Access Policies. This is a “break glass” account to use if normal MFA is unavailable. Store the credentials in a secure physical location.
Additional policies to consider:
- Block legacy authentication (blocks old protocols that bypass MFA)
- Require compliant devices (only allow access from Intune-managed devices)
- Block access from high-risk locations or high-risk sign-ins
- Require MFA for admin roles even more strictly (require a compliant device + MFA)
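The same “Require MFA - All Users” policy from Step 2, with the Step 3 break-glass exclusion and the “Block legacy authentication” policy from the list above, created through the Microsoft Graph PowerShell SDK. This is an added example, not code from the original guide or from CX IT Services; it assumes the Microsoft.Graph.Identity.SignIns module is installed and uses a placeholder break-glass UPN.

```powershell
# Added example (not from the original guide). Assumes Microsoft.Graph PowerShell SDK
# and an admin who can consent to the Conditional Access scopes below.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","User.Read.All"

# Placeholder: replace with the emergency access account created in Step 3.
$breakGlassUpn = "breakglass@contoso.example"
$breakGlass = Get-MgUser -Filter "userPrincipalName eq '$breakGlassUpn'"
if (-not $breakGlass) { throw "Break-glass account not found; create it before deploying the policy." }

# Step 2 policy. Report-only mode lets you confirm the exclusion behaves before
# switching State to "enabled" (the guide's "On").
$mfaPolicy = @{
    DisplayName   = "Require MFA - All Users"
    State         = "enabledForReportingButNotEnforced"
    Conditions    = @{
        Users        = @{ IncludeUsers = @("All"); ExcludeUsers = @($breakGlass.Id) }
        Applications = @{ IncludeApplications = @("All") }
    }
    GrantControls = @{ Operator = "OR"; BuiltInControls = @("mfa") }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $mfaPolicy

# Read the policy back and verify the break-glass exclusion is really present.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
if ($check.Conditions.Users.ExcludeUsers -notcontains $breakGlass.Id) {
    throw "Break-glass account is not excluded; do not enable this policy."
}
"Created '$($check.DisplayName)' in state '$($check.State)' (id $($check.Id))"

# "Block legacy authentication": legacy client app types cannot complete MFA,
# so they are blocked outright rather than challenged.
$legacyPolicy = @{
    DisplayName   = "Block legacy authentication"
    State         = "enabledForReportingButNotEnforced"
    Conditions    = @{
        Users          = @{ IncludeUsers = @("All"); ExcludeUsers = @($breakGlass.Id) }
        Applications   = @{ IncludeApplications = @("All") }
        ClientAppTypes = @("exchangeActiveSync", "other")
    }
    GrantControls = @{ Operator = "OR"; BuiltInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $legacyPolicy | Out-Null
```

Review the report-only results in the sign-in logs for a few days, then set each policy's State to "enabled".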

Part 2: Staff MFA Registration Walkthrough
Once MFA is enabled, users will be prompted to register at their next sign-in. Here is what they see and how to help them through it.
What Staff Experience
When a user signs in to Microsoft 365 after MFA is enabled, they will see:
“More information required — Your organisation needs more information to keep your account secure.”
They will be guided through registration:
- Select a method: Microsoft Authenticator app (recommended), phone (SMS or call), or hardware token
- Install Microsoft Authenticator: Download from the App Store (iOS) or Google Play (Android)
- Scan QR code: The screen shows a QR code. Open Microsoft Authenticator, tap ”+” to add an account, and scan the QR code.
- Verify: A test notification is sent to the phone. Tap “Approve” on the phone to confirm setup.
Communication to Send to Staff Before Rollout
[Customise this template for your organisation]:
Subject: Action Required — Setting Up Two-Step Sign-In for Your Work Account
We are improving the security of your work account by requiring a second step when you sign in. This is called Multi-Factor Authentication (MFA).
What you need to do:
- Download the Microsoft Authenticator app on your smartphone from the App Store (iPhone) or Google Play (Android)
- The next time you sign in to your work email or Microsoft 365, you will be asked to set up the second step — follow the prompts to connect the app
The setup takes about 3–5 minutes.
Why are we doing this? Cyber attacks that steal passwords are very common. This extra step means that even if someone has your password, they cannot access your account without your phone.
If you have any issues, contact IT at [helpdesk contact].
Handling Common Staff Questions
“Do I have to use my personal phone?” The Microsoft Authenticator app does not give your employer access to your phone. It only generates authentication codes. However, if staff are uncomfortable using a personal phone, options include: providing company phones for MFA, using hardware security keys (YubiKey), or using a dedicated authentication device.
“What if I change my phone?” When changing phones, add the new authenticator app before removing the old one. If that is not possible, IT can reset MFA registration and the user sets it up fresh on the new device.
“What if I forget my phone?” If MFA is registered on a phone the user does not have, they cannot sign in (this is by design — it is the security working). Options: backup phone number (can receive an SMS code), hardware token, or IT-assisted temporary MFA bypass. Train staff to always register at least two MFA methods.
Part 3: MFA Methods Comparison
Not all MFA methods are equal. From most secure to least:
Hardware Security Keys (Most Secure)
Physical devices (YubiKey, Feitian) that connect via USB or NFC. User touches the key to authenticate — phishing resistant because the key verifies the site it is authenticating against.
When to use: For highest-privilege accounts (Global Administrators, Finance, Directors). Recommended where phishing resistance is a priority.
Cost: $50–100 per key (one-time).
Microsoft Authenticator App — Passwordless Sign-In
The Authenticator app can replace the password entirely — user gets a notification on their phone with a number matching a number on the screen, and approves it. Phishing resistant and convenient.
When to use: Default recommendation for most users on Microsoft 365.
Cost: Included.
Authenticator App — TOTP Codes
Standard time-based one-time codes (6-digit codes that rotate every 30 seconds). Any TOTP app works: Microsoft Authenticator, Google Authenticator, Authy.
When to use: Good alternative where push notifications are not preferred.
Cost: Included.
SMS / Phone Call (Weakest)
Code is delivered by SMS or phone call. Vulnerable to SIM-swapping attacks (attacker convinces carrier to transfer phone number to their SIM) and SS7 attacks.
When to use: Only as a fallback method, not as the primary MFA method. Never for high-privilege accounts.
Cost: Included.
Part 4: Checking MFA Status
Check Which Users Have MFA Registered
Via Microsoft Entra Admin Centre:
- Go to entra.microsoft.com > Identity > Users > All Users
- Select “Per-user MFA” from the top menu
- Review the MFA status for all users — look for “Disabled” or “Enabled”. Note that “Enabled” means MFA is required for that user, not that they have completed registration.
Via Microsoft 365 Reports:
- Go to admin.microsoft.com > Reports > Usage > Security & Compliance
- Download the Azure AD sign-in report to see which sign-ins used MFA
Identify Users Who Have Not Registered
Users who have MFA required but have not yet completed registration will be prompted at their next sign-in. If rollout was more than one week ago and some users have not registered, they may not be signing in regularly — a targeted follow-up is appropriate.
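A script for the follow-up described above: it pulls the Entra authentication methods registration report and lists users who have not registered, users whose only MFA method is SMS or voice (the weakest method in Part 3), and admins with no phishing-resistant method (Part 5). This is an added example, not code from the original guide; it assumes the Microsoft.Graph.Reports module is installed, and the method-name strings are assumed values to compare against your tenant's output.

```powershell
# Added example (not from the original guide). Assumes Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes "AuditLog.Read.All","UserAuthenticationMethod.Read.All"

# One record per user; -All pages through the whole tenant.
$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

# Method names as they appear in MethodsRegistered (assumed values; verify in your tenant).
$phoneOnly         = @("mobilePhone", "alternateMobilePhone", "officePhone")
$phishingResistant = @("fido2SecurityKey", "microsoftAuthenticatorPasswordless", "windowsHelloForBusiness")

# 1. Required to register but not done: the targeted follow-up group.
$notRegistered = $details | Where-Object { -not $_.IsMfaRegistered }

# 2. Registered, but every method is SMS or voice: SIM-swap exposure, add an authenticator.
$smsOnly = $details | Where-Object {
    $_.IsMfaRegistered -and
    -not ($_.MethodsRegistered | Where-Object { $_ -notin $phoneOnly })
}

# 3. Admin accounts with no phishing-resistant method registered.
$weakAdmins = $details | Where-Object {
    $_.IsAdmin -and
    -not ($_.MethodsRegistered | Where-Object { $_ -in $phishingResistant })
}

"Not registered: $(@($notRegistered).Count)  SMS/voice only: $(@($smsOnly).Count)  Admins without phishing-resistant MFA: $(@($weakAdmins).Count)"

$weakAdmins |
    Select-Object UserPrincipalName, DefaultMfaMethod, @{ n = 'Methods'; e = { $_.MethodsRegistered -join ',' } } |
    Format-Table -AutoSize

# Export the follow-up list for the helpdesk.
$notRegistered | Select-Object UserPrincipalName, IsAdmin |
    Export-Csv -NoTypeInformation -Path ".\mfa-not-registered.csv"
```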
Part 5: After MFA Is Deployed
Monitor sign-in logs: Microsoft Entra sign-in logs show every sign-in: whether MFA was used, where the sign-in was from, and whether it was flagged as risky. Review monthly at minimum.
Enable Identity Protection: If you have Azure AD P2 (included in Microsoft 365 Business Premium), Identity Protection provides automatic risk-based access policies — blocking or challenging sign-ins that look anomalous.
Review admin accounts: Ensure all admin accounts (Global Admin, Exchange Admin, etc.) have MFA — ideally hardware keys or app-only (no SMS fallback).
Regular user review: Users leave organisations. Quarterly, review which accounts have MFA registered and remove stale accounts.
If you want help deploying MFA across your organisation or configuring Conditional Access Policies correctly, book a Right Fit Call with CX IT Services. MFA deployment is included in our standard managed IT onboarding.