Beter Geregeld ICT
Security without an IT department · 2 min read · 20 December 2025

MFA for every SaaS tool, not just M365: catching up the stragglers

M365 and Google make MFA easy. So do Dropbox, Slack, GitHub, and Trello. But those other SaaS tools? MFA is often missing. Here's how to close the gap.

You've enforced MFA on M365. Great. But what about the 35 other SaaS subscriptions? Chances are, they're running without MFA.

Take stock

Start from your SaaS inventory: add a column for "MFA available?" and "MFA enabled for all users?" for each tool.

Prioritise

  1. Tools holding customer data (CRM, customer portal).
  2. Tools holding financial data (accounting, invoicing, banking).
  3. Tools holding source code (GitHub, GitLab).
  4. Tools with admin rights over other tools (SSO provider, password manager).
  5. Everything else.

Patterns per tool

  • SSO where possible: connect the tool to your M365/Google SSO. You then inherit the SSO's MFA automatically.
  • Tool's own MFA: enable it in the account settings. This can usually be enforced for all team users.
  • Tool without MFA: consider replacing it, or accept the risk — and compensate with a stronger password policy and shorter review cycles.
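The inventory, the priority tiers and the per-tool patterns above combine naturally into a small check that lists which tools still need attention and in what order. The script below is an added example, not part of the original article and not a Beter Geregeld ICT tool. It assumes an inventory exported as CSV with the two columns the article recommends plus a data-category column (for the tiers) and an SSO-capable column (for the pattern choice); the sample rows, tool names and column names are constructed for illustration.

```python
import csv
import io

# Constructed sample inventory (not from the original article): one row per SaaS tool.
# Column meanings: data_category drives the priority tier, mfa_available / sso_capable
# drive the recommended pattern, mfa_enforced_all_users decides whether a tool is a straggler.
SAMPLE_INVENTORY = """\
tool,data_category,mfa_available,mfa_enforced_all_users,sso_capable
Microsoft 365,admin,yes,yes,yes
HubSpot CRM,customer,yes,no,yes
Exact Online,financial,yes,no,no
GitHub,source_code,yes,yes,yes
1Password,admin,yes,yes,yes
Trello,other,yes,no,yes
Legacy Timesheets,other,no,no,no
Bank portal,financial,yes,yes,no
"""

# Priority tiers from the article: lower number means fix it first.
TIER_BY_CATEGORY = {
    "customer": 1,      # tools holding customer data
    "financial": 2,     # tools holding financial data
    "source_code": 3,   # tools holding source code
    "admin": 4,         # tools with admin rights over other tools
    "other": 5,         # everything else
}


def _truthy(value):
    """Accept the usual spreadsheet spellings of 'yes'."""
    return value.strip().lower() in {"yes", "y", "true", "1"}


def recommend(row):
    """Map one inventory row to the article's per-tool pattern, in the article's order of preference."""
    if _truthy(row["sso_capable"]):
        return "connect to M365/Google SSO (inherit the SSO's MFA)"
    if _truthy(row["mfa_available"]):
        return "enable the tool's own MFA and enforce it for all users"
    return ("no MFA offered: replace the tool, or accept the risk with a stronger "
            "password policy and shorter review cycles")


def find_stragglers(inventory_csv):
    """Return tools where MFA is not enforced for all users, ordered by tier, then name."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    stragglers = []
    for row in reader:
        if _truthy(row["mfa_enforced_all_users"]):
            continue  # already done, nothing to catch up
        category = row["data_category"].strip().lower()
        tier = TIER_BY_CATEGORY.get(category, TIER_BY_CATEGORY["other"])
        stragglers.append({"tool": row["tool"], "tier": tier, "action": recommend(row)})
    stragglers.sort(key=lambda s: (s["tier"], s["tool"]))
    return stragglers


if __name__ == "__main__":
    for s in find_stragglers(SAMPLE_INVENTORY):
        print(f"[tier {s['tier']}] {s['tool']}: {s['action']}")
```

Run it against a real export by reading the CSV file into a string and passing it to `find_stragglers`; the output is the to-do list for the quarter, top entry first. A tool whose category is missing or misspelled falls into tier 5 rather than being dropped, so it still shows up on the list.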

Recovery codes

Every MFA setup generates recovery codes. These MUST be stored in a vault (password manager) or even a physical safe. If your phone breaks and you have no recovery codes, you're locked out.

MFA with shared accounts

See shared password management. Use a password manager that supports shared TOTP, or a YubiKey that can be physically handed over.

See also: Rolling out MFA in M365, security pillar.

Topics

#security #saas #mfa #multi-factor

Full guide: Security for SMEs without an IT department: what are you doing this quarter?

This article is part of our comprehensive Security without an IT department guide. Read the pillar for the complete picture.
