What Is MFA? A Practical Guide for Microsoft 365 Teams - TrustedTech



You’ve seen the prompt. Sign in from a new device, and suddenly there’s a six-digit code waiting on your phone, or an app notification asking you to approve the sign-in. Most people tap “approve” without much thought. But if you’re the one responsible for securing a business’s Microsoft environment, the mechanics behind that prompt, and the consequences of skipping it, are worth understanding.

This post covers what MFA is, how the different verification methods compare, where Microsoft has made it mandatory, and what a sensible rollout looks like for a real organization.

What Is Multi-Factor Authentication?

MFA is a login process that requires users to verify their identity using multiple methods before access is granted.

The reasoning: even if someone steals a password, they’re unlikely to also have your phone, your fingerprint, or your hardware key.

All MFA methods fall into three categories:

Something you know: a password, PIN, security question answer, or one-time password (OTP) sent via text or email. These are the most common, and also the most vulnerable.

Something you have: a physical device or token. A smartphone that receives a Microsoft Authenticator push notification, a YubiKey plugged into a USB port, a key fob, and a smart card all qualify. ATM cards are the classic offline version of this.

Something you are: biometrics. Fingerprints, face scans, voice recognition, retina scans, and behavioral patterns like typing rhythm all qualify. Windows Hello for Business is built on this category.

Most business MFA deployments pair a password (something you know) with an authenticator app (something you have). That combination doesn’t need to be sophisticated to stop the vast majority of attacks.

Why Passwords Are a Losing Strategy

Passwords have one structural problem: they’re static secrets. Once stolen, they stay valid until someone changes them. And stolen credentials are everywhere.

Phishing emails trick users into entering their passwords on fake login pages. Credential stuffing attacks take breached username/password pairs from one service and try them against hundreds of others; it works because password reuse is genuinely widespread. Brute force attacks cycle through common password variations automatically. None of these attacks are novel, and all of them are fully automated.

Microsoft’s research puts MFA’s effectiveness at over 99% in blocking account compromise attacks. That figure reflects a simple reality: most automated attacks don’t have a second factor, so requiring one stops them.

In a Microsoft 365 environment, a compromised admin account is a serious event. It can expose every user’s email and SharePoint data, be used to launch internal phishing campaigns that skip external filters, or serve as an entry point for ransomware. The accounts worth protecting most aren’t the regular users; they’re the small number of Global Admins sitting at the top of your tenant’s permission structure.

Where Microsoft Has Made MFA Mandatory

If you run Microsoft 365 or Azure, MFA for admin accounts is no longer a choice.

Phase 1 of Microsoft’s mandatory MFA rollout, which covered sign-ins to the Azure Portal, Microsoft Entra admin center, and Intune admin center, rolled out between late 2024 and early 2025. Phase 2 expanded that requirement to all Azure resource management operations and took effect in October 2025. Attempting to manage Azure resources without MFA now results in blocked access, full stop. Our Azure MFA Phase 2 breakdown covers who’s affected and how to prepare.

Within Microsoft 365 itself, there are three ways to enforce MFA through Microsoft Entra ID (formerly Azure Active Directory):

Security defaults are free for every tenant. They enable baseline MFA for admin accounts and prompt regular users when their sign-in looks risky. Simple to turn on, not customizable.

Per-user MFA is also free. You enable it on specific accounts. More targeted than security defaults, but managing it at scale gets tedious quickly.

Conditional Access requires Entra ID P1, which comes bundled in Microsoft 365 Business Premium, E3, and E5. It lets you define exactly when MFA kicks in: only from unmanaged devices, only from outside your network, only when accessing specific SharePoint sites. This is what most IT teams move to once they want real control over the experience.

The value of Conditional Access isn’t just security; it’s user adoption. If you require MFA from every device in every context, people start looking for workarounds. If you reserve it for genuinely risky sign-ins, the friction stays manageable.

One misconfiguration we see constantly in tenant reviews: organizations have 15 or 20 Global Admin accounts, and none of them have MFA enabled. That’s the highest-privilege role in a tenant. Compromising one of those accounts means compromising everything. Microsoft recommends capping Global Admin at two to four accounts, and those accounts need MFA before anything else. More detail on this in our Microsoft 365 security misconfiguration guide.
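One way to check for exactly this gap before a tenant review does, as an added example that is not from the TrustedTech post or any Microsoft documentation: the Microsoft Graph PowerShell snippet below pulls the authentication-method registration report for every account that holds an admin role (not only Global Administrator) and lists those with no usable MFA method. It assumes the Microsoft.Graph module is installed and that the signed-in account can consent to the listed read-only scopes.

```powershell
# Added example: audit admin accounts for MFA registration via the
# authentication methods registration report (read-only scopes).
Connect-MgGraph -Scopes 'UserAuthenticationMethod.Read.All', 'AuditLog.Read.All'

# Server-side filter: only users holding at least one admin role.
$admins = Get-MgReportAuthenticationMethodUserRegistrationDetail -Filter "isAdmin eq true" -All

# IsMfaCapable is true only when the user has registered a method that the
# tenant's authentication method policy actually allows for MFA; a registered
# but disallowed method shows as IsMfaRegistered without IsMfaCapable.
$report = $admins | Select-Object UserPrincipalName, IsMfaRegistered, IsMfaCapable,
    @{ Name = 'Methods'; Expression = { $_.MethodsRegistered -join ', ' } }

$gaps = @($report | Where-Object { -not $_.IsMfaCapable })

$report | Sort-Object IsMfaCapable | Format-Table -AutoSize
'{0} of {1} admin accounts have no usable MFA method registered' -f $gaps.Count, @($report).Count
```

Any account in the gap list that also sits in the Global Administrator role is the first thing to fix; the same cmdlet with `-Filter "isMfaCapable eq false"` and no admin filter gives the all-user view for step two of a rollout.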

How the Different MFA Methods Stack Up

Not all second factors offer the same level of protection. Here’s how they compare.

SMS text codes are better than nothing and easy to set up, but they’re the weakest MFA option available. SIM-swapping attacks can reroute your texts to a different device. NIST has explicitly discouraged SMS as a standalone second factor for high-value accounts.

Email-based OTPs are convenient but have a compounding weakness: if the email account gets compromised, the OTP delivery channel is compromised too.

Authenticator apps (Microsoft Authenticator, Google Authenticator) generate time-based codes or push notifications. Much harder to intercept than SMS. For most business users, this is the right default.

Hardware security keys (FIDO2/WebAuthn, like YubiKeys) require physical presence at sign-in. There’s no code to intercept because nothing is transmitted. Phishing attacks that capture MFA codes in real time don’t work against hardware keys. For Global Admins and other privileged roles, this is the appropriate choice.

Windows Hello for Business ties biometric authentication to a specific enrolled device. Nothing is transmitted, and attackers would need both your physical presence and access to the enrolled machine.

Certificate-based authentication uses smart cards and PKI infrastructure. Common in government and regulated industries where auditability matters.

One thing that doesn’t show up in these comparisons but matters a lot in practice: legacy authentication protocols (IMAP, POP3, basic auth SMTP) don’t support MFA. Leaving them enabled in a Microsoft 365 tenant means attackers can route around your MFA policies entirely by authenticating through the older protocol. Blocking legacy authentication is one of the most commonly missed configurations in tenant assessments.

The Cost Question

For most Microsoft 365 organizations, MFA itself doesn’t carry a direct licensing cost.

Security defaults are free. Authenticator apps are free. Per-user MFA is free. Conditional Access is included in Entra ID P1, which is bundled in Business Premium, E3, and E5. If your organization is already on any of those plans, you have everything you need.

Where cost accumulates is implementation: user training, help desk load during rollout (expect more password-reset tickets in the first two weeks), and time spent configuring Conditional Access policies the right way. These are real costs; they’re also one-time, not recurring.

The other side of the ledger: IBM’s 2024 data breach report put the average breach cost at $4.88 million. A single compromised admin account in a Microsoft 365 tenant can trigger ransomware across the entire organization. If your MFA implementation costs $50,000 in time and training and prevents even one mid-size incident, the math isn’t close.

We’ve put together a dedicated breakdown on MFA costs and ROI if you want to model this for your own organization.

Compliance and Insurance

MFA has become a checkbox item in a growing number of external requirements.

Cyber insurance providers now routinely require MFA on admin accounts as a condition of coverage. Skip it and your claim may be denied after a breach, regardless of whether MFA would have prevented it. SOC 2, NIST 800-63, PCI-DSS, and HIPAA all include or strongly recommend MFA.

This affects more than just security budgets. Enterprise customers increasingly verify their vendors’ security posture before signing contracts. SOC 2 reports and security questionnaires now directly ask about MFA coverage.

If your organization tracks its Microsoft Secure Score, MFA coverage is typically one of the highest-impact items on the list. Enabling it on admin accounts first, then on all users, moves the score substantially, often more than several other changes combined.

A Practical Rollout Path

For organizations that haven’t deployed MFA yet, or those doing it properly after enabling it inconsistently:

  1. Start with Global Admin accounts. Not next quarter. Today. Those accounts are the priority.
  2. Get Microsoft Authenticator on user devices. Push notifications are less friction than typing codes, and rollout goes faster when there’s a specific app to install with clear instructions.
  3. Block legacy authentication. In the Microsoft 365 admin center or via Conditional Access, disable IMAP, POP3, and basic auth SMTP. This closes the MFA bypass that most people forget about.
  4. Build Conditional Access policies before going org-wide. Start in report-only mode to see what would be blocked, then switch to enforce. Require MFA for unmanaged devices and high-risk sign-ins first.
  5. Cut Global Admin accounts down to two to four. Use Entra ID Privileged Identity Management (PIM) to make remaining admin access just-in-time rather than permanently assigned.
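Steps 1, 3 and 4 above can be expressed as two Conditional Access policies created in report-only mode first. The following is an added example (it is not code from the TrustedTech post or a Microsoft template) using the Microsoft Graph PowerShell SDK; it assumes the Microsoft.Graph module is installed, the signed-in account holds the Conditional Access Administrator role, and `breakglass@example.onmicrosoft.com` is a placeholder for your emergency-access account, which should be excluded from both policies.

```powershell
# Added example: create the two baseline policies in report-only mode, then
# switch them to 'enabled' only after reviewing the report-only sign-in logs.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Directory.Read.All'

# Resolve the built-in Global Administrator role template by name rather than hard-coding its ID.
$gaRole = Get-MgDirectoryRoleTemplate | Where-Object { $_.DisplayName -eq 'Global Administrator' }

# Emergency-access (break-glass) account to exclude (placeholder UPN; replace with your own).
$breakGlass = (Get-MgUser -UserId 'breakglass@example.onmicrosoft.com').Id

# Step 1: require MFA for every account holding the Global Administrator role.
$requireMfaForAdmins = @{
    displayName   = 'CA01 - Require MFA for Global Administrators'
    state         = 'enabledForReportingButNotEnforced'   # report-only first
    conditions    = @{
        users          = @{ includeRoles = @($gaRole.Id); excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

# Step 3: block legacy authentication. 'other' covers IMAP, POP3, SMTP basic auth and
# similar older clients that cannot complete an MFA challenge; 'exchangeActiveSync' is
# included because it does not support MFA either.
$blockLegacyAuth = @{
    displayName   = 'CA02 - Block legacy authentication'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

$p1 = New-MgIdentityConditionalAccessPolicy -BodyParameter $requireMfaForAdmins
$p2 = New-MgIdentityConditionalAccessPolicy -BodyParameter $blockLegacyAuth

# Step 4, after the report-only review shows no unexpected blocks, enforce both policies:
foreach ($id in @($p1.Id, $p2.Id)) {
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $id -BodyParameter @{ state = 'enabled' }
}
```

Leave the policies in report-only mode for at least a full business cycle and review the "Report-only" column in Entra sign-in logs before running the final loop, since that is where a forgotten IMAP mailbox integration or service account will show up.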

If you’re not sure what your tenant’s current MFA posture looks like, a Microsoft 365 tenant assessment will surface the gaps (MFA coverage, misconfigured access policies, legacy protocol exposure) alongside licensing optimization opportunities.

Where Things Stand Now

MFA isn’t new. What’s new is that Microsoft has removed the optionality for Azure management, and that gaps in MFA coverage now have direct consequences for cyber insurance, compliance audits, and vendor contracts.

The technology isn’t complicated. The friction is real but manageable. The gap most organizations have isn’t understanding what MFA is; it’s finishing the deployment, closing the legacy protocol loophole, and getting Conditional Access configured correctly.

If you want a second set of eyes on your current setup, TrustedTech’s licensing engineers offer a complimentary consultation for organizations on Microsoft 365 and Azure.