Rolling out MFA in M365: from 50% to 100% in two weeks
MFA is the cheapest security upgrade you can make — and the most underestimated. Here's the rollout plan that minimises resistance and maximises completion.
If you can only pick one security improvement this year, make it MFA for everyone. 99% of password-based attacks are blocked by MFA. The rollout is the tricky part.

Week 1: preparation

- Decide: Microsoft Authenticator app (free, best) or YubiKey (€30/unit, strongest). For SMBs, Authenticator is the default; YubiKey for privileged accounts.
- Configure Security Defaults or a Conditional Access policy that enforces MFA for all users.
- Communicate: a 15-minute all-hands meeting to explain why, when, and how.

Week 2: rollout

- Days 1–3: self-enrollment open. Users register their app via aka.ms/mfasetup.
- Day 4: IT assists those who get stuck. Often older colleagues who prefer not to use a smartphone — consider SMS or a company FIDO key as an alternative.
- Day 7: enforcement goes live. Anyone who hasn't registered yet is prompted to do so on their next login.
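To know whom to chase on day 4 and who will hit the day-7 prompt, pull the per-user registration report instead of guessing. The script below is an added example, not part of the original article; it uses the Microsoft.Graph PowerShell SDK and assumes the signed-in account can read the authentication methods report (Reports Reader, Global Reader or higher). The CSV path is a placeholder.

```powershell
# Added example (not from the original article): list users who have not yet
# registered MFA, plus those whose only method is SMS/voice, using the
# Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All" -NoWelcome

# One row per user from the authentication methods registration report.
$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

$total      = $details.Count
$registered = @($details | Where-Object { $_.IsMfaRegistered }).Count
$pending    = @($details | Where-Object { -not $_.IsMfaRegistered })

"{0} of {1} users MFA-registered ({2:P0})" -f $registered, $total, ($registered / [math]::Max($total, 1))

# Users still to chase. Admins first: they are the ones you least want locked
# out (or left unprotected) on day 7.
$pending |
    Select-Object UserPrincipalName, UserType, IsAdmin,
        @{ n = 'Methods'; e = { $_.MethodsRegistered -join ',' } } |
    Sort-Object IsAdmin -Descending |
    Format-Table -AutoSize

# Registered, but only with a phone number (SMS/voice). Fine as a fallback
# for users who refuse a smartphone; not acceptable for the IsAdmin rows.
$smsOnly = @($details | Where-Object {
    $_.IsMfaRegistered -and
    @($_.MethodsRegistered).Count -eq 1 -and
    $_.MethodsRegistered[0] -eq 'mobilePhone'
})
"{0} users rely on SMS/voice only" -f $smsOnly.Count
$smsOnly | Where-Object IsAdmin | Select-Object UserPrincipalName | Format-Table

# Hand the pending list to the help desk for the day-4 session (placeholder path).
$pending | Select-Object UserPrincipalName, UserDisplayName |
    Export-Csv -Path .\mfa-pending.csv -NoTypeInformation
```

Run it on day 1 for a baseline and again on day 4 and day 6; the percentage line is the number to put in the all-hands follow-up. The `mobilePhone` method name is the value the report uses for SMS and voice registrations; if your tenant reports a different label, adjust the filter accordingly.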
Privileged accounts: an extra step

Global Admins get a hardware token or number-matching MFA. No SMS (SIM-swap risk). See the PAM article.

The ex-employee challenge

During offboarding: registrations are wiped. Otherwise a former employee's phone remains "valid" in the event of a reactivation or phishing incident.

See also: M365 pillar, Conditional Access.
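Both the "MFA for all users" policy from week 1 and the stricter rule for Global Admins above are ordinary Conditional Access policies, so here they are as one added example (not the article's own code) created with the Microsoft.Graph PowerShell SDK. It assumes Conditional Access licensing (Entra ID P1 or higher) and that `$breakGlass` holds the object IDs of your emergency-access accounts; the value shown is a placeholder. Both policies start in report-only mode so you can check the sign-in log for who would be blocked before day 7.

```powershell
# Added example (not from the original article): two Conditional Access
# policies via the Microsoft.Graph PowerShell SDK.
#   1. Require MFA for all users (week 1, step 2)
#   2. Require phishing-resistant MFA for Global Administrators (extra step)
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All" -NoWelcome

# Placeholder: replace with the object IDs of your break-glass accounts.
# Excluding them is what keeps you out of a full-tenant lockout if MFA misbehaves.
$breakGlass = @("<break-glass-account-object-id>")

# Policy 1: every user, every cloud app, any MFA method the tenant allows.
$allUsersMfa = @{
    displayName = "CA001 - Require MFA for all users"
    state       = "enabledForReportingButNotEnforced"   # switch to "enabled" on day 7
    conditions  = @{
        users = @{
            includeUsers = @("All")
            excludeUsers = $breakGlass
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $allUsersMfa

# Policy 2: Global Administrators must meet the built-in "Phishing-resistant MFA"
# authentication strength (FIDO2/YubiKey, passkey, certificate). SMS and voice
# never satisfy it, which is the SIM-swap point made above. If you chose the
# number-matching Authenticator route instead, use the built-in
# "Multifactor authentication" strength (id ending in ...0002) here.
$gaRoleTemplateId            = "62e90394-69f5-4237-9190-012177145e10"  # Global Administrator
$phishingResistantStrengthId = "00000000-0000-0000-0000-000000000004"  # built-in strength

$adminPolicy = @{
    displayName = "CA002 - Phishing-resistant MFA for Global Admins"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeRoles = @($gaRoleTemplateId)
            excludeUsers = $breakGlass
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator               = "AND"
        authenticationStrength = @{ id = $phishingResistantStrengthId }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $adminPolicy

# Confirm both exist and are still report-only.
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State
```

Do not enable CA002 until every Global Admin has actually registered a key; test it with one admin account first, and keep the break-glass accounts out of both policies and on a hardware key that is stored offline.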
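The wipe described above is a handful of Graph calls. The script below is an added example, not the article's own procedure; it uses the Microsoft.Graph PowerShell SDK, takes the leaver's UPN as a placeholder value, and assumes the signed-in account may manage authentication methods and revoke sessions. Each method type has its own `Remove-*` cmdlet, so the script maps the `@odata.type` of every registered method to the matching removal call.

```powershell
# Added example (not from the original article): block sign-in, strip every
# registered MFA method and revoke sessions for a leaver, so a phone or key
# they still hold is worthless if the account is ever reactivated.
Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All",
                        "User.ReadWrite.All", "User.RevokeSessions.All" -NoWelcome

$leaver = "former.employee@contoso.example"   # placeholder UPN

# 1. Block sign-in first, so nothing can re-register while we clean up.
Update-MgUser -UserId $leaver -AccountEnabled:$false

# 2. Map each method type to its removal cmdlet. The password method has no
#    removal cmdlet and is left alone.
$removers = @{
    "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod" =
        { param($u, $id) Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $u -MicrosoftAuthenticatorAuthenticationMethodId $id }
    "#microsoft.graph.phoneAuthenticationMethod" =
        { param($u, $id) Remove-MgUserAuthenticationPhoneMethod -UserId $u -PhoneAuthenticationMethodId $id }
    "#microsoft.graph.fido2AuthenticationMethod" =
        { param($u, $id) Remove-MgUserAuthenticationFido2Method -UserId $u -Fido2AuthenticationMethodId $id }
    "#microsoft.graph.softwareOathAuthenticationMethod" =
        { param($u, $id) Remove-MgUserAuthenticationSoftwareOathMethod -UserId $u -SoftwareOathAuthenticationMethodId $id }
    "#microsoft.graph.emailAuthenticationMethod" =
        { param($u, $id) Remove-MgUserAuthenticationEmailMethod -UserId $u -EmailAuthenticationMethodId $id }
    "#microsoft.graph.temporaryAccessPassAuthenticationMethod" =
        { param($u, $id) Remove-MgUserAuthenticationTemporaryAccessPassMethod -UserId $u -TemporaryAccessPassAuthenticationMethodId $id }
    "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod" =
        { param($u, $id) Remove-MgUserAuthenticationWindowsHelloForBusinessMethod -UserId $u -WindowsHelloForBusinessAuthenticationMethodId $id }
}

# 3. Enumerate and remove.
foreach ($m in Get-MgUserAuthenticationMethod -UserId $leaver) {
    $type = $m.AdditionalProperties["@odata.type"]
    if ($removers.ContainsKey($type)) {
        Write-Host "Removing $type ($($m.Id))"
        & $removers[$type] $leaver $m.Id
    } else {
        Write-Host "Skipping $type ($($m.Id))"   # e.g. passwordAuthenticationMethod
    }
}

# 4. Invalidate refresh tokens so cached sessions on the old phone stop working.
Revoke-MgUserSignInSession -UserId $leaver | Out-Null

# 5. Verify: only the password method should remain.
Get-MgUserAuthenticationMethod -UserId $leaver |
    ForEach-Object { $_.AdditionalProperties["@odata.type"] }
```

Wire this into the offboarding ticket as a required step and keep the verification output with the ticket; the list of method types in `$removers` covers the methods Microsoft Graph exposes today, so extend it if a new method type appears in the verification output.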
Full guide: Microsoft 365 governance for SMBs — pragmatic, not perfectionist
This article is part of our comprehensive Microsoft 365 & Entra ID guide. Read the pillar for the complete picture.