12 Microsoft 365 Security Features and Best Practice Guidance - 2: Multi-Factor Authentication

What is it?

Multi-Factor Authentication (MFA) adds a second layer of identity verification beyond a username and password. It requires users to prove who they are using a combination of two or more factors:

• Something you know (like a password)

• Something you have (like a phone or hardware token)

• Something you are (like biometrics)

Even if credentials are compromised, MFA significantly reduces the risk of unauthorised access.

Why is this important?

MFA is considered a fundamental security control. It blocks over 99.9% of identity-based attacks, according to Microsoft. Despite this, many organisations either:

• Haven’t rolled it out at all

• Are only using it for admins

• Rely on less secure methods like SMS

Attackers regularly target cloud-based services like Microsoft 365, where password-only access is still common. Without MFA, even strong passwords aren't enough.

What plans is it included in?

The good news: MFA is available at no additional cost across all Microsoft 365 plans, including:

• Microsoft 365 Business Basic, Standard, and Premium

• Microsoft 365 E1, E3, and E5

• Office 365 equivalents

• Azure AD Free, P1, and P2 (now part of Entra ID)

However, advanced configurations like Conditional Access-based MFA do require Azure AD Premium P1 or higher.

Real world scenario

We recently worked with a construction firm who assumed Multi-Factor Authentication (MFA) was enabled for all users. In reality, it was only active for admin accounts. Without HybrIT’s intervention, they could have faced malicious activity targeting their organisation, such as:

• Suspicious email rules being created

• Sensitive emails being CC’d to external recipients

• A formal security investigation

By enabling tenant-wide MFA and introducing Conditional Access policies, we helped the firm regain control of their environment and restore confidence in their IT security.

How HybrIT can help configure this

At HybrIT, we’ve helped organisations of all sizes enable MFA without creating disruption:

• We assess your current MFA coverage and security posture

• We configure best-practice Conditional Access policies tailored to your environment

• We support user onboarding and training to minimise confusion

• We help identify exceptions like service accounts and apply secure alternatives

Whether you’re starting from scratch or reviewing an existing setup, we’ll guide you through the best route to a secure MFA deployment.

Best practice tips

• Use the Microsoft Authenticator app – It’s faster and more secure than SMS

• Don’t exempt users without a reason – Attackers will find the gaps

• Enforce registration – Make sure all users have registered MFA methods

• Review sign-in logs – Spot unusual patterns early

• Use Conditional Access – Apply more flexible rules for when MFA is required

📞 Call us on 03330 156 702

📧 Email hello@hybrit.co.uk