If your Microsoft 365 tenant still allows password-only sign-ins, you are one convincing phish away from a bad week. Multifactor authentication (MFA) will not stop every attack, but it stops the boring, common ones that still succeed against SMBs every day.
This tutorial is the “get it done safely” version, not a tour of every Conditional Access nuance.
1. Decide who goes first
Do not flip MFA on for the whole company in one click if nobody has enrolled a second factor yet.
Start with:
- Global admins and anyone with mailbox / SharePoint admin roles
- Finance and ownership accounts
- Then a friendly pilot group (IT-curious staff)
- Everyone else after you have a help-desk script
Write down who is in each wave and when you will move them.
2. Pick a default second factor
For most SMBs, the Microsoft Authenticator app is the right default. SMS can work as a backup, but treat it as weaker and optional.
Tell people ahead of time:
- Install Authenticator on their phone before the enforcement date
- Keep a backup method registered if they travel without that phone
- Who to call if they get locked out
3. Use Conditional Access (or Security Defaults) on purpose
If you are on a plan that supports Conditional Access, create a policy that requires MFA for all users (or all users except a tightly controlled break-glass account).
If you are still on Security Defaults, turn them on and accept that Microsoft’s packaged baseline is better than nothing, then plan the move to Conditional Access when licensing allows.
Either way: document the break-glass admin account, store its credentials offline, and exclude it carefully so you are not locked out of your own tenant.
4. Enforce in waves
- Require registration / enable MFA for admins first
- Watch sign-in logs for failures for a few days
- Expand to the pilot group
- Announce a hard date for everyone else
- Enforce, then clean up users who never registered
Give people a real deadline. Soft “please enroll someday” requests are how password-only accounts survive into next year.
5. Validate before you celebrate
- Confirm a normal user can sign in with MFA on desktop and phone mail
- Confirm a blocked legacy protocol is actually blocked (or modernized)
- Confirm your break-glass path still works
- Update your offboarding checklist so MFA methods get removed with the account
Bottom line
MFA is not optional hygiene anymore. Roll it out in waves, communicate clearly, protect a break-glass admin, and verify real sign-ins, then keep an eye on the logs when someone new joins.

