How to Set Up Multi-Factor Authentication in Microsoft 365
Passwords alone are no longer enough to protect your accounts. With phishing, credential theft, and AI-driven attacks on the rise, businesses need an extra layer of defence. That’s where Multi-Factor Authentication (MFA) comes in.
MFA makes it much harder for cybercriminals to gain access, even if they’ve stolen a password. In this guide, we’ll explain what MFA is, why it matters, and how you can set it up in Microsoft 365 to keep your business secure.
What Is Multi-Factor Authentication (MFA)?
MFA adds an extra step to the login process. Instead of just entering a password, users also confirm their identity using a second factor, such as a code on their phone or a notification in an authenticator app.
Think of it as a digital version of double-locking your door. Even if someone knows the first key (your password), they can’t get in without the second (your verification method).
In Microsoft 365, MFA can be enforced for every user in your organisation, giving consistent protection across email, Teams, SharePoint, and all connected apps.
Why MFA Is So Important
The majority of data breaches start with stolen credentials. According to Microsoft, enabling MFA can stop over 99% of account compromise attempts, making it one of the most effective defences any business can deploy.
Without MFA, a single phishing email or reused password could allow attackers to access your company data, contacts, and cloud files.
With MFA, even if a hacker steals a password, they’ll still be locked out.
How to Enable MFA in Microsoft 365
Setting up MFA in Microsoft 365 is simple, and once configured, it adds protection to every account in your tenant.
Here’s how to do it.
Step 1: Sign in to the Microsoft 365 Admin Center
Go to admin.microsoft.com and sign in using your administrator credentials.
From the left menu, navigate to Users → Active Users.
At the top of the page, you’ll see a link for Multi-factor authentication — click it.
Step 2: Choose Who Will Use MFA
You’ll now see a list of all users in your organisation.
Select the tick box next to the users you want to enable MFA for, or click the top box to select everyone.
On the right-hand panel, click Enable.
You’ll be prompted to confirm that you want to turn on MFA for the selected users. Once confirmed, it’s active immediately.
Step 3: User Setup (First Login)
Once enabled, users will need to complete MFA setup the next time they sign in.
Microsoft will prompt them to choose their preferred verification method:
The Microsoft Authenticator app (recommended)
A text message (SMS)
A phone call
For most users, the Microsoft Authenticator app is the easiest and most secure option.
It sends a quick push notification that users simply approve, without typing in codes.
To set this up, users should:
Download the Microsoft Authenticator app on their phone (available on iOS and Android).
Sign in to Microsoft 365 and follow the setup instructions.
Scan the QR code shown on screen with the Authenticator app.
Approve the test notification to complete setup.
Step 4: Test and Confirm
After setup, it’s important to test that MFA works as expected.
Sign out of Microsoft 365, then sign back in. You should receive a notification on your chosen authentication method.
Once confirmed, you’re all set: your Microsoft 365 account is now protected by MFA.
Best Practices for Rolling Out MFA to Teams
Rolling out MFA across your organisation is best done gradually, starting with admin accounts and users who handle sensitive data.
Communicate clearly with your team beforehand: explain why you’re introducing MFA and how it keeps their data safe. Most users adapt quickly after they’ve gone through the setup once.
If you use third-party applications that connect to Microsoft 365, make sure they support modern authentication. Older apps that rely on basic authentication may need updating or reconfiguration.
You can also manage advanced options, such as Conditional Access Policies, through Azure Active Directory to customise MFA requirements based on location, device type, or user role.
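To track the staged rollout described above (admin accounts first, Authenticator app preferred over SMS and phone calls), the following added example ranks accounts that still need attention. It is not part of the original guide or a Microsoft tool: Get-MfaRolloutGap is a hypothetical helper, and the field and method names are assumed to match Microsoft Graph's userRegistrationDetails report.

```powershell
# Added example, not from the original guide. Get-MfaRolloutGap is a hypothetical
# helper; field and method names are assumed to match Microsoft Graph's
# userRegistrationDetails report (/reports/authenticationMethods/userRegistrationDetails).
function Get-MfaRolloutGap {
    param([Parameter(Mandatory)][object[]]$Registration)

    # Phone call/SMS methods, plus reset-only methods that are not MFA factors.
    $notAppBased = 'mobilePhone', 'alternateMobilePhone', 'officePhone',
                   'email', 'securityQuestion'

    foreach ($u in $Registration) {
        $better = @($u.methodsRegistered | Where-Object { $_ -and $_ -notin $notAppBased })

        if (-not $u.isMfaRegistered) { $gap = 'NoMfaRegistered' }
        elseif ($better.Count -eq 0) { $gap = 'PhoneOrSmsOnly' }
        else                         { continue }   # app or stronger method present

        # 1 = fix first: admins before standard users, missing MFA before phone-only.
        $priority = if ($gap -eq 'NoMfaRegistered') { 1 } else { 2 }
        if (-not $u.isAdmin) { $priority += 2 }

        [pscustomobject]@{
            Priority = $priority
            User     = $u.userPrincipalName
            IsAdmin  = [bool]$u.isAdmin
            Gap      = $gap
            Methods  = @($u.methodsRegistered) -join ','
        }
    }
}

# Constructed sample rows (not real accounts) standing in for the report export.
$sample = @(
    [pscustomobject]@{ userPrincipalName = 'it.admin@contoso.example'; isAdmin = $true
                       isMfaRegistered = $false; methodsRegistered = @() }
    [pscustomobject]@{ userPrincipalName = 'global.admin@contoso.example'; isAdmin = $true
                       isMfaRegistered = $true; methodsRegistered = @('mobilePhone') }
    [pscustomobject]@{ userPrincipalName = 'finance@contoso.example'; isAdmin = $false
                       isMfaRegistered = $false; methodsRegistered = @('email') }
    [pscustomobject]@{ userPrincipalName = 'sales@contoso.example'; isAdmin = $false
                       isMfaRegistered = $true
                       methodsRegistered = @('mobilePhone', 'microsoftAuthenticatorPush') }
)

Get-MfaRolloutGap -Registration $sample | Sort-Object Priority, User | Format-Table -AutoSize
```

Accounts that already have the Authenticator app or a stronger method registered are omitted, so an empty result means the rollout has no remaining gaps in the data supplied.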
Troubleshooting Common Issues
Occasionally, users may lose access to their MFA device (for example, if they get a new phone). An admin can reset their MFA settings from the Active Users page in the Admin Center by selecting the user, clicking Manage multi-factor authentication, and then choosing Require re-register MFA.
If you use a Managed Service Provider like Sunrise Technologies, this process can be managed centrally, ensuring users are never locked out for long.