
12 Microsoft 365 Security Features and Best Practice Guidance - 2: Multi-Factor Authentication


What is it?

Multi-Factor Authentication (MFA) adds a second layer of identity verification beyond a username and password. It requires users to prove who they are using a combination of two or more factors:


  • Something you know (like a password)

  • Something you have (like a phone or hardware token)

  • Something you are (like biometrics)


Even if credentials are compromised, MFA significantly reduces the risk of unauthorised access.


Why is this important?

MFA is considered a fundamental security control. It blocks over 99.9% of identity-based attacks, according to Microsoft. Despite this, many organisations either:


  • Haven’t rolled it out at all

  • Are only using it for admins

  • Rely on less secure methods like SMS


Attackers regularly target cloud-based services like Microsoft 365, where password-only access is still common. Without MFA, even strong passwords aren't enough.


What plans is it included in?

The good news: MFA is available at no additional cost across all Microsoft 365 plans, including:


  • Microsoft 365 Business Basic, Standard, and Premium

  • Microsoft 365 E1, E3, and E5

  • Office 365 equivalents

  • Azure AD Free, P1, and P2 (now part of Entra ID)


However, advanced configurations like Conditional Access-based MFA do require Azure AD Premium P1 or higher.


Real world scenario

We recently worked with a construction firm that assumed Multi-Factor Authentication (MFA) was enabled for all users. In reality, it was only active for admin accounts. Without HybrIT’s intervention, they could have faced malicious activity targeting their organisation, such as:


  • Suspicious email rules being created

  • Sensitive emails being CC’d to external recipients

  • A formal security investigation


By enabling tenant-wide MFA and introducing Conditional Access policies, we helped the firm regain control of their environment and restore confidence in their IT security.


How HybrIT can help configure this

At HybrIT, we’ve helped organisations of all sizes enable MFA without creating disruption:


  • We assess your current MFA coverage and security posture

  • We configure best-practice Conditional Access policies tailored to your environment

  • We support user onboarding and training to minimise confusion

  • We help identify exceptions like service accounts and apply secure alternatives


Whether you’re starting from scratch or reviewing an existing setup, we’ll guide you through the best route to a secure MFA deployment.


Best practice tips


  • Use the Microsoft Authenticator app – It’s faster and more secure than SMS

  • Don’t exempt users without a reason – Attackers will find the gaps

  • Enforce registration – Make sure all users have registered MFA methods

  • Review sign-in logs – Spot unusual patterns early

  • Use Conditional Access – Apply more flexible rules for when MFA is required
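The coverage check behind "Enforce registration" and "Don't exempt users without a reason", as an added PowerShell example that is not from the original post or from HybrIT: it uses the Microsoft Graph PowerShell SDK (assumed installed, 2.x) to list every user with no MFA method registered, or with only an SMS/voice method, admins first. The registration-details report it queries is a premium report that needs an Entra ID P1 or P2 licence.

```powershell
# Added example, not from the original post. Reports Microsoft 365 users with no
# registered MFA method, and flags users who rely on SMS/voice only.
# Assumes the Microsoft.Graph.Authentication and Microsoft.Graph.Reports modules
# are installed and the signed-in admin can consent to the scopes below.

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All' -NoWelcome

# Methods that do not count as a strong MFA factor on their own: the phone-based
# ones (SMS/voice) and the SSPR-only ones (email, security questions).
$notStrong = @('mobilePhone', 'alternateMobilePhone', 'officePhone', 'email', 'securityQuestion')

$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

$report = foreach ($u in $details) {
    $registered = @($u.MethodsRegistered)
    $strong     = @($registered | Where-Object { $_ -notin $notStrong })
    $status = if (-not $u.IsMfaRegistered) { 'NO_MFA' }
              elseif ($strong.Count -eq 0) { 'PHONE_ONLY' }
              else                         { 'OK' }
    [pscustomobject]@{
        User    = $u.UserPrincipalName
        IsAdmin = $u.IsAdmin
        Status  = $status
        Methods = ($registered -join ',')
        Default = $u.DefaultMfaMethod
    }
}

# Users needing attention, admin accounts first (the gap in the scenario above).
$report | Where-Object Status -ne 'OK' |
    Sort-Object @{ Expression = 'IsAdmin'; Descending = $true }, User |
    Format-Table -AutoSize

# Headline coverage figure for the assessment.
$covered = @($report | Where-Object Status -eq 'OK').Count
"{0}/{1} users have a non-phone MFA method registered" -f $covered, $report.Count
```

Run it periodically rather than once: a user who resets their phone or an account created after the rollout drops out of coverage silently.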


📞 Call us on 03330 156 702

📧 Email hello@hybrit.co.uk


© Copyright 2025 HybrIT Services Ltd. All rights reserved. Registered in England and Wales No. 10479291
