Level Up

Challenge #13

Implement MFA for All Users

Elevate your organization’s security by enforcing Multi-Factor Authentication (MFA) for all users, adding a critical layer of protection against unauthorized access.


Why?

Administrative accounts in any organization are akin to holding the keys to the castle. They possess elevated access and control, making them prime targets for cyber attacks. Simply having a strong password is no longer sufficient for these high-stakes accounts. That’s where Multi-Factor Authentication (MFA) comes into play.

Implementing MFA for administrative roles is more than an added security layer; it’s a fundamental necessity. MFA requires a secondary form of verification, such as a code from a mobile app or a biometric scan, making it far harder for unauthorized individuals to gain access. This means that even if a password is compromised, the chances of a security breach are significantly reduced. For small and medium-sized businesses (SMBs), where every resource counts, MFA offers an efficient, cost-effective way to safeguard your most sensitive and critical access points.

Important Considerations

Implementing MFA for all users is a significant change and can greatly impact the user experience. It’s essential to prepare and educate your staff about this transition to ensure a smooth rollout:

Communicate in Advance: Inform your team about the upcoming implementation of MFA. Provide clear reasons why this change is necessary for enhancing security.

Training and Support: Offer training sessions and resources to help users set up and get comfortable with MFA.

Phased Rollout: Consider a phased approach to implementation, allowing users to adapt gradually to the new system.

If you have doubts or are concerned about making these changes on your own, we are more than happy to help.

How?

To activate MFA for every user in your organization, there are a few options, but for simplicity’s sake, we’ll use the policy templates available from Microsoft. Please also refer to the Additional Resources section below to help you communicate the change effectively to your staff.

    Step 1: Go to the Microsoft Entra Admin Center

    On your computer, launch a new browser window (Edge, Chrome), type https://entra.microsoft.com/ into the address bar, and press Enter.

    Note: You will require Microsoft 365 administrative credentials – be sure to have the username and password ready.

    Step 2: Access Conditional Access Policies

    Within the Microsoft Entra Admin Center:

    • Look for and select Protection on the left-hand menu
    • Under Protection select Conditional Access

    Step 3: Create a policy from template

    • Within the Conditional Access / Overview window, select Create a new policy from templates near the top of the screen
    • Within the new window, under Secure foundation find and select the policy template called Require multifactor authentication for all users
    • Then click Review + Create

    Step 4: Review policy configuration

    • Within the Create new policy from templates window, provide a policy name such as Require multifactor authentication for all users
    • We can leave the policy state as Report-only while we work with our staff to ensure they are ready (e.g., training, awareness, Microsoft Authenticator deployed, etc.)
    • Under Assignments, the policy will default to including All users and excluding the Current user. The current user is excluded to prevent accidental lockout from your Microsoft 365 environment. Ideally, however, this excluded account is already included in our previous MFA configuration for administrators.
    • We can additionally exclude all the administrative roles that are configured in the MFA for Admins policy created previously. This ensures we do not have conflicting or overlapping MFA and Conditional Access policies applying to the same accounts.
    • We can leave the defaults for Cloud apps or actions and Grant as they are.
    • Once you are satisfied with the selections, click Create.

    Step 5: Enable the policy

    • Once you are confident that all staff are ready for multifactor to be enabled, revisit the policy in the Entra Admin Center, under Protection – Conditional Access.
    • Select the appropriate policy, and scroll down until you see Enable policy
    • Adjust the policy from Report-only to On
    • Select Save
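
The review in Steps 4 and 5 can also be run as an offline check. The script below is an added example, not part of the original guide or any Microsoft tooling. It assumes the two policies have been exported as JSON in the shape of Microsoft Graph's conditionalAccessPolicy resource; the function names are hypothetical and every ID in the sample is a constructed placeholder.

```python
import json

# Constructed sample in the shape of Microsoft Graph's conditionalAccessPolicy
# resource. Display names follow the page; every ID is a placeholder.
SAMPLE = json.loads("""[
 {"displayName": "MFA for Admins", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["admin-user-1"],
                           "includeRoles": ["role-A", "role-B"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
 {"displayName": "Require multifactor authentication for all users",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {"users": {"includeUsers": ["All"],
                           "excludeUsers": ["admin-user-1", "user-9"],
                           "excludeRoles": ["role-A", "role-B"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}}
]""")

def requires_mfa(policy):
    grant = policy.get("grantControls") or {}
    return "mfa" in grant.get("builtInControls", [])

def review(all_users_policy, other_policies):
    """Check the all-users policy against Steps 4 and 5; return findings."""
    findings = []
    users = all_users_policy["conditions"]["users"]
    if "All" not in users.get("includeUsers", []):
        findings.append("policy does not include All users")
    if not requires_mfa(all_users_policy):
        findings.append("grant control does not require MFA")
    state = all_users_policy.get("state")
    if state != "enabled":  # Report-only or Off: nothing is enforced yet
        findings.append(f"policy state is {state}, MFA is not enforced")
    # Anything excluded here must be included by another policy that is On
    # and requires MFA. Coverage through role membership is not resolved
    # offline, so an excluded user is matched by explicit ID only.
    cov_users, cov_roles = set(), set()
    for p in other_policies:
        if p.get("state") == "enabled" and requires_mfa(p):
            cov_users |= set(p["conditions"]["users"].get("includeUsers", []))
            cov_roles |= set(p["conditions"]["users"].get("includeRoles", []))
    for uid in users.get("excludeUsers", []):
        if uid not in cov_users:
            findings.append(f"excluded user {uid}: no enforced MFA policy")
    for rid in users.get("excludeRoles", []):
        if rid not in cov_roles:
            findings.append(f"excluded role {rid}: no enforced MFA policy")
    return findings

if __name__ == "__main__":
    print("\n".join(review(SAMPLE[1], SAMPLE[:1])))
```

An excluded user flagged here may be a deliberate emergency access account; each finding is a prompt to confirm the exclusion is intended, not proof of a misconfiguration.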

    Additional Resources

    These resources are valuable for both administrators and end-users.

      Microsoft Authenticator Guide

      Microsoft’s guide walks end users through the Microsoft Authenticator configuration process on their phones. We recommend you provide this information to staff before enabling MFA in your Microsoft 365 tenant.

      Deep Dive on Conditional Access

      Conditional Access templates provide a convenient method to deploy new policies aligned with Microsoft recommendations. These templates are designed to provide maximum protection aligned with commonly used policies.

      Emergency Access Accounts

      Prevent being accidentally locked out of your Microsoft 365 organization. You can mitigate the impact of accidental lack of administrative access by creating two or more emergency access accounts in your organization.

      End User Demonstration

      A quick video demonstrating the end-user experience for first-time registration with Microsoft Authenticator.
