12 Microsoft 365 Security Features and Best Practice Guidance - 2: Multi-Factor Authentication
- HybrIT Marketing
- 3 days ago
- 2 min read

What is it?
Multi-Factor Authentication (MFA) adds a second layer of identity verification beyond a username and password. It requires users to prove who they are using a combination of two or more factors:
- Something you know (like a password)
- Something you have (like a phone or hardware token)
- Something you are (like biometrics)
Even if credentials are compromised, MFA significantly reduces the risk of unauthorised access.
Why is this important?
MFA is considered a fundamental security control. It blocks over 99.9% of identity-based attacks, according to Microsoft. Despite this, many organisations either:
- Haven’t rolled it out at all
- Are only using it for admins
- Rely on less secure methods like SMS
Attackers regularly target cloud-based services like Microsoft 365, where password-only access is still common. Without MFA, even strong passwords aren't enough.
What plans is it included in?
The good news: MFA is available at no additional cost across all Microsoft 365 plans, including:
- Microsoft 365 Business Basic, Standard, and Premium
- Microsoft 365 E1, E3, and E5
- Office 365 equivalents
- Azure AD Free, P1, and P2 (now part of Entra ID)
However, advanced configurations like Conditional Access-based MFA do require Azure AD Premium P1 or higher.
Real-world scenario
We recently worked with a construction firm that assumed Multi-Factor Authentication (MFA) was enabled for all users. In reality, it was only active for admin accounts. Without HybrIT’s intervention, they could have faced malicious activity targeting their organisation, such as:
- Suspicious email rules being created
- Sensitive emails being CC’d to external recipients
- A formal security investigation
By enabling tenant-wide MFA and introducing Conditional Access policies, we helped the firm regain control of their environment and restore confidence in their IT security.
How HybrIT can help configure this
At HybrIT, we’ve helped organisations of all sizes enable MFA without creating disruption:
- We assess your current MFA coverage and security posture
- We configure best-practice Conditional Access policies tailored to your environment
- We support user onboarding and training to minimise confusion
- We help identify exceptions like service accounts and apply secure alternatives
Whether you’re starting from scratch or reviewing an existing setup, we’ll guide you through the best route to a secure MFA deployment.
Best practice tips
- Use the Microsoft Authenticator app – It’s faster and more secure than SMS
- Don’t exempt users without a reason – Attackers will find the gaps
- Enforce registration – Make sure all users have registered MFA methods
- Review sign-in logs – Spot unusual patterns early
- Use Conditional Access – Apply more flexible rules for when MFA is required
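The three tips above about enforcing registration, reviewing sign-in logs and using Conditional Access can be checked and applied from PowerShell with the Microsoft Graph PowerShell SDK. The script below is an added example written for this post, not HybrIT’s own tooling. It assumes the Microsoft.Graph modules are installed, that the signed-in admin can consent to the listed scopes, that the tenant has Entra ID P1 or higher for the Conditional Access step, and that the break-glass account in $BreakGlassUpns is a placeholder you replace with your own emergency-access accounts.

```powershell
# Added example (not from the HybrIT post): audit MFA coverage in a Microsoft 365 tenant
# and stage a report-only Conditional Access policy with the Microsoft Graph PowerShell SDK.
# Assumes: Microsoft.Graph modules installed; admin can consent to the scopes below;
# Entra ID P1+ for Conditional Access; $BreakGlassUpns is a placeholder to replace.

Connect-MgGraph -Scopes 'UserAuthenticationMethod.Read.All',
                        'AuditLog.Read.All',
                        'User.Read.All',
                        'Policy.ReadWrite.ConditionalAccess' -NoWelcome

# 1. Enforce registration: find every user with no MFA method registered.
#    Admins without MFA are the highest-risk gap, so they are listed first.
$registration  = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
$notRegistered = $registration | Where-Object { -not $_.IsMfaRegistered } |
                 Sort-Object IsAdmin -Descending
$notRegistered |
    Select-Object UserPrincipalName, IsAdmin,
        @{ n = 'Methods'; e = { $_.MethodsRegistered -join ',' } } |
    Format-Table -AutoSize
'{0} of {1} users have no MFA method registered' -f $notRegistered.Count, $registration.Count

# 2. Review sign-in logs: successful sign-ins from the last 7 days that completed with a
#    single factor and where no Conditional Access policy was satisfied. These are the
#    sessions that a password alone was enough to open.
$since   = (Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All
$singleFactor = $signIns | Where-Object {
    $_.Status.ErrorCode -eq 0 -and
    $_.AuthenticationRequirement -eq 'singleFactorAuthentication' -and
    $_.ConditionalAccessStatus -ne 'success'
}
$singleFactor |
    Group-Object UserPrincipalName |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Apps'; e = { ($_.Group.AppDisplayName | Sort-Object -Unique) -join '; ' } },
        @{ n = 'IPs';  e = { ($_.Group.IPAddress      | Sort-Object -Unique) -join '; ' } } |
    Format-Table -AutoSize

# 3. Use Conditional Access: stage a policy requiring MFA for all users on all cloud apps.
#    Report-only mode records who would have been blocked in the sign-in logs without
#    affecting anyone, so the impact can be reviewed before switching state to 'enabled'.
$BreakGlassUpns = @('breakglass@example.com')   # placeholder: your emergency-access accounts
$breakGlassIds  = foreach ($upn in $BreakGlassUpns) { (Get-MgUser -UserId $upn).Id }

$policy = @{
    displayName   = 'Require MFA for all users (report-only)'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeUsers = $breakGlassIds }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Run the first two sections regularly rather than once: a user who registered MFA last month can still show up in section 2 if a legacy client or an exclusion lets them sign in with a password alone, which is exactly the gap the "Don’t exempt users without a reason" tip is about. Sign-in log retention is 7 days on the free tier and 30 days with P1, so widen the $since window accordingly.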
📞 Call us on 03330 156 702
📧 Email hello@hybrit.co.uk