

Implementing MFA on Microsoft 365 / Google Workspace

Microsoft 365 and Google Workspace are the two platforms where most organisations should start their MFA journey. Together, they underpin email, file storage, collaboration, and identity management for the vast majority of small and mid-sized businesses. Securing access to these platforms protects the single largest attack surface in most organisations.

The good news is that both platforms include MFA capabilities at no additional cost. The challenge is not technology — it is planning, communication, and execution. This lesson walks through the practical steps for enabling MFA on both platforms, written for the person responsible for making the decision and overseeing the rollout.

Microsoft 365: Enabling MFA

Microsoft offers several ways to enforce MFA. The approach you choose depends on your licence level and how much control you need:

  • Security Defaults — a free, one-click setting available on all Microsoft 365 tenants. When enabled, it requires all users to register for MFA using the Microsoft Authenticator app and blocks legacy authentication protocols. This is the fastest path to MFA for organisations that have not started yet.
  • Per-user MFA — allows you to enable MFA for specific accounts individually. Useful for targeting admin accounts first but harder to manage at scale.
  • Conditional Access policies — available with Azure AD Premium P1 (included in Microsoft 365 Business Premium). This is the most flexible approach, allowing you to require MFA based on conditions: user role, location, device compliance, risk level, or the application being accessed.

Diagram: Microsoft 365 MFA Implementation Options

Decision tree — Start: Do you have Azure AD Premium P1? Yes → Use Conditional Access policies (most flexible). No → Use Security Defaults (fastest, free). Shows that per-user MFA is a middle option for targeted deployment. Each path shows the key capabilities available.

Recommended approach for most SMEs: If you are on Microsoft 365 Business Premium or above, use Conditional Access policies. Start with a policy requiring MFA for all administrator roles, then extend to all users. If you are on a basic plan, enable Security Defaults immediately — it covers the essentials with minimal configuration.

Key Steps for Microsoft 365

  1. Audit current state — check how many users already have MFA registered. In the Microsoft Entra admin centre, navigate to Protection → Authentication Methods → User Registration Details.
  2. Block legacy authentication — older protocols like POP3, IMAP, and SMTP Basic Auth do not support MFA. Attackers exploit these as a bypass. Security Defaults blocks them automatically; with Conditional Access, create an explicit block policy.
  3. Enable MFA for administrators first — create a Conditional Access policy requiring MFA for all users assigned to admin roles. Test with a pilot group before applying broadly.
  4. Communicate to users — send clear instructions on installing the Microsoft Authenticator app and registering their MFA method. Provide a support channel for questions.
  5. Extend to all users — after administrators are stable, extend the policy to all users. Consider a grace period where users are prompted to register but not yet blocked.
  6. Monitor registration and sign-in logs — track MFA registration completion and monitor for failed sign-in attempts that may indicate users struggling with the new process.
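Steps 1 to 3 and 6 above are all questions you can answer from two exports: the User Registration Details report and the sign-in logs. The script below is an added example, not code from the lesson or from Microsoft. It assumes records in the shape Microsoft Graph returns for those two reports (field names such as isMfaRegistered, clientAppUsed and status.errorCode); the user records and sign-in entries are constructed sample data, and the set of legacy client-app names is an assumption to extend from your own logs. It answers the three questions a rollout owner needs: what the registration rate is, which admins are still unregistered, and which users are actually relying on a legacy protocol today and would therefore be affected by a block policy.

```python
"""Audit MFA registration gaps and legacy-authentication sign-ins.

Added example (not code from the lesson or from Microsoft). It assumes two
exports in the shape Microsoft Graph returns: reports/userRegistrationDetails
(userPrincipalName, isAdmin, isMfaRegistered) and auditLogs/signIns
(userPrincipalName, clientAppUsed, authenticationRequirement, status.errorCode).
All records below are constructed sample data, not real tenant output.
"""
from collections import Counter

# clientAppUsed values that identify legacy protocols in Entra sign-in logs.
# Assumption: a subset of the values Microsoft lists for legacy authentication;
# extend it with whatever your own sign-in logs show.
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync", "IMAP4", "POP3", "Authenticated SMTP", "Other clients",
}

# Constructed sample of the User Registration Details report.
REGISTRATION = [
    {"userPrincipalName": "alice@example.com", "isAdmin": True, "isMfaRegistered": True},
    {"userPrincipalName": "bob@example.com", "isAdmin": True, "isMfaRegistered": False},
    {"userPrincipalName": "carol@example.com", "isAdmin": False, "isMfaRegistered": True},
    {"userPrincipalName": "dave@example.com", "isAdmin": False, "isMfaRegistered": False},
    {"userPrincipalName": "erin@example.com", "isAdmin": False, "isMfaRegistered": True},
]

# Constructed sample of sign-in log entries (errorCode 0 means the sign-in succeeded).
SIGN_INS = [
    {"userPrincipalName": "carol@example.com", "clientAppUsed": "Browser",
     "authenticationRequirement": "multiFactorAuthentication", "status": {"errorCode": 0}},
    {"userPrincipalName": "dave@example.com", "clientAppUsed": "IMAP4",
     "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "clientAppUsed": "Exchange ActiveSync",
     "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 50126}},
    {"userPrincipalName": "erin@example.com", "clientAppUsed": "Mobile Apps and Desktop clients",
     "authenticationRequirement": "multiFactorAuthentication", "status": {"errorCode": 0}},
]


def registration_rate(details):
    """Fraction of users with an MFA method registered (step 1: audit current state)."""
    if not details:
        return 0.0
    return sum(1 for d in details if d["isMfaRegistered"]) / len(details)


def mfa_registration_gaps(details):
    """Unregistered users, with admins listed separately so they are fixed first (step 3)."""
    missing = [d for d in details if not d["isMfaRegistered"]]
    return {
        "admins": sorted(d["userPrincipalName"] for d in missing if d["isAdmin"]),
        "users": sorted(d["userPrincipalName"] for d in missing if not d["isAdmin"]),
    }


def legacy_auth_signins(sign_ins):
    """Every sign-in over a legacy protocol, successful or not (step 2)."""
    return [
        {
            "user": s["userPrincipalName"],
            "client_app": s["clientAppUsed"],
            "succeeded": s["status"]["errorCode"] == 0,
        }
        for s in sign_ins
        if s["clientAppUsed"] in LEGACY_CLIENT_APPS
    ]


def successful_legacy_users(sign_ins):
    """Users who really depend on a legacy protocol today: a block policy will
    break their client, so contact them before enforcing it."""
    return sorted({e["user"] for e in legacy_auth_signins(sign_ins) if e["succeeded"]})


def legacy_client_counts(sign_ins):
    """How often each legacy protocol appears, to prioritise what to migrate first."""
    return Counter(e["client_app"] for e in legacy_auth_signins(sign_ins))


if __name__ == "__main__":
    print(f"MFA registered: {registration_rate(REGISTRATION):.0%}")
    print("Registration gaps:", mfa_registration_gaps(REGISTRATION))
    print("Legacy sign-ins:", legacy_auth_signins(SIGN_INS))
    print("Users to contact before blocking legacy auth:", successful_legacy_users(SIGN_INS))
    print("Legacy protocol counts:", dict(legacy_client_counts(SIGN_INS)))
```

Run it weekly against fresh exports: the registration rate is the evidence item asked for later in the lesson, and the list from successful_legacy_users is the group to migrate before the block policy moves from report-only to enforced.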

Google Workspace: Enabling MFA

Google Workspace calls MFA “2-Step Verification” (2SV). It is available on all Google Workspace plans at no additional cost.

Implementation options:

  • Allow but do not enforce — users can choose to enable 2SV but are not required to. This is the default and is insufficient for security.
  • Enforce for all users — require all users to enrol in 2SV. Users who have not enrolled are prompted at their next login.
  • Enforce with specific methods — on Business Plus and Enterprise plans, you can mandate specific 2SV methods (e.g., require security keys for admin accounts).

Key Steps for Google Workspace

  1. Audit current state — in the Google Admin console, navigate to Reporting → User Reports → Security to see which users have 2SV enabled.
  2. Enable enforcement for admin accounts first — in the Admin console, go to Security → Authentication → 2-Step Verification. Apply enforcement to an organisational unit containing your admin accounts.
  3. Set an enrolment grace period — Google allows you to set a date by which users must enrol. A one-to-two week grace period gives users time to set up without being locked out.
  4. Communicate to users — provide clear instructions for enabling 2SV in their Google account settings. Link to Google’s own setup guide for simplicity.
  5. Extend enforcement to all users — once admin accounts are stable, move all organisational units to enforced 2SV.
  6. Consider Advanced Protection — for your highest-risk users (executives, admins), Google’s Advanced Protection Programme requires security keys and provides the strongest protection against targeted attacks.

Diagram: Google Workspace 2SV Rollout Timeline

Timeline showing: Week 1 — Enforce for admin accounts. Week 2 — Communicate to all staff, set enrolment grace period. Week 3 — Grace period begins, support available. Week 4 — Enforcement active for all users. Ongoing — Monitor and support. Shows Advanced Protection as optional overlay for high-risk users.
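The rollout above is easiest to manage as a per-organisational-unit schedule: admins first, then the rest of the staff, each with its own enrolment deadline. The script below is an added example, not code from the lesson or from Google. It assumes a user export in the shape of the Admin SDK Directory API users.list response (primaryEmail, orgUnitPath, isAdmin, isEnrolledIn2Sv, isEnforcedIn2Sv); the users, organisational units and dates are constructed. It reports enrolment per unit, flags admins who are not yet enrolled, tells you whether a unit is ready to move to enforced 2SV, and turns the grace-period deadlines into a reminder list, including anyone already past their deadline who will be blocked at next login.

```python
"""Track a Google Workspace 2-Step Verification rollout by organisational unit.

Added example (not code from the lesson or from Google). It assumes a user
export in the shape of the Admin SDK Directory API users.list response. The
users, organisational units and dates below are constructed sample data.
"""
from datetime import date

USERS = [
    {"primaryEmail": "admin1@example.com", "orgUnitPath": "/Admins", "isAdmin": True,
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True},
    {"primaryEmail": "admin2@example.com", "orgUnitPath": "/Admins", "isAdmin": True,
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True},
    {"primaryEmail": "karl@example.com", "orgUnitPath": "/Admins", "isAdmin": True,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": True},
    {"primaryEmail": "frank@example.com", "orgUnitPath": "/Staff", "isAdmin": False,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": True},
    {"primaryEmail": "helen@example.com", "orgUnitPath": "/Staff", "isAdmin": False,
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True},
    {"primaryEmail": "ivan@example.com", "orgUnitPath": "/Staff", "isAdmin": False,
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": False},
    {"primaryEmail": "grace@example.com", "orgUnitPath": "/Staff/Finance", "isAdmin": False,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False},
    {"primaryEmail": "lee@example.com", "orgUnitPath": "/Contractors", "isAdmin": False,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False},
]

# Constructed enrolment deadlines per organisational unit (admins in week 1,
# everyone else three weeks later). Child units inherit their parent's deadline.
SCHEDULE = {"/Admins": date(2024, 3, 4), "/Staff": date(2024, 3, 25)}


def enrolment_by_org_unit(users):
    """Enrolled / total counts per organisational unit (step 1: audit current state)."""
    summary = {}
    for u in users:
        ou = summary.setdefault(u["orgUnitPath"], {"enrolled": 0, "total": 0})
        ou["total"] += 1
        if u["isEnrolledIn2Sv"]:
            ou["enrolled"] += 1
    return summary


def unenrolled_admins(users):
    """Admin accounts still without 2SV: fix these before anything else (step 2)."""
    return sorted(u["primaryEmail"] for u in users if u["isAdmin"] and not u["isEnrolledIn2Sv"])


def enforced_but_not_enrolled(users):
    """Users already under enforcement who have not enrolled: they are prompted at
    next login during the grace period and blocked once it ends."""
    return sorted(u["primaryEmail"] for u in users
                  if u["isEnforcedIn2Sv"] and not u["isEnrolledIn2Sv"])


def ready_to_enforce(users, org_unit):
    """True when every user in the unit and its child units has enrolled (step 5)."""
    prefix = org_unit.rstrip("/") + "/"
    members = [u for u in users
               if u["orgUnitPath"] == org_unit or u["orgUnitPath"].startswith(prefix)]
    return bool(members) and all(u["isEnrolledIn2Sv"] for u in members)


def deadline_for(org_unit, schedule):
    """Nearest scheduled deadline, walking up from the unit to its parents."""
    path = org_unit
    while path:
        if path in schedule:
            return schedule[path]
        path = path.rsplit("/", 1)[0]  # "/Staff/Finance" -> "/Staff" -> ""
    return schedule.get("/")


def rollout_actions(users, schedule, today):
    """Per unenrolled user: remind with days left, or flag as overdue (step 3 and 4)."""
    actions = []
    for u in sorted(users, key=lambda u: u["primaryEmail"]):
        if u["isEnrolledIn2Sv"]:
            continue
        deadline = deadline_for(u["orgUnitPath"], schedule)
        if deadline is None:
            actions.append((u["primaryEmail"], "no deadline scheduled"))
            continue
        days_left = (deadline - today).days
        if days_left < 0:
            actions.append((u["primaryEmail"], "overdue: blocked at next login"))
        else:
            actions.append((u["primaryEmail"], f"remind: {days_left} days left"))
    return actions


if __name__ == "__main__":
    today = date(2024, 3, 11)  # constructed "today" for the example
    print("Enrolment by unit:", enrolment_by_org_unit(USERS))
    print("Admins without 2SV:", unenrolled_admins(USERS))
    print("Enforced but not enrolled:", enforced_but_not_enrolled(USERS))
    print("/Admins ready to enforce:", ready_to_enforce(USERS, "/Admins"))
    for email, action in rollout_actions(USERS, SCHEDULE, today):
        print(f"{email}: {action}")
```

The "no deadline scheduled" case is deliberate: a unit that is missing from the schedule (here a constructed /Contractors unit) is a unit that will never reach enforcement, which is exactly the kind of exception the readiness checklist later in the lesson asks you to document.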

Common Considerations for Both Platforms

Legacy Applications and Protocols

Some older applications — particularly email clients configured with basic IMAP or POP3 — do not support MFA. These become a backdoor that attackers can exploit to bypass MFA entirely. Both Microsoft and Google provide tools to identify and block legacy authentication. This step is critical — if you enable MFA but leave legacy protocols open, attackers will simply use the legacy path.

Break-Glass Accounts

You should maintain one or two emergency “break-glass” administrator accounts that use a different MFA method or are excluded from conditional access policies — but only for genuine emergency use. These accounts should have extremely strong passwords stored in a physical safe, their usage should be monitored and alerted, and they should be tested periodically to confirm they work.
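Three of the requirements in that paragraph can be checked mechanically: that every Conditional Access policy actually excludes the break-glass accounts, that any sign-in by one of them raises an alert, and that each account has been tested recently. The script below is an added example, not code from the lesson or from Microsoft. It assumes sign-in events in the shape of Microsoft Graph auditLogs/signIns and Conditional Access policies in the shape of Graph identity/conditionalAccess/policies (conditions.users.excludeUsers holds directory object ids); the account names, object ids, policies, events and test dates are all constructed.

```python
"""Monitoring and configuration checks for break-glass administrator accounts.

Added example (not code from the lesson or from Microsoft). It assumes Graph-shaped
sign-in events (userPrincipalName, createdDateTime, status.errorCode) and
Conditional Access policies (conditions.users.excludeUsers). Everything below,
including the object ids, is constructed sample data.
"""
from datetime import date

# Constructed: break-glass UPN -> directory object id (placeholder ids).
BREAK_GLASS = {
    "bg-admin-1@example.com": "00000000-0000-0000-0000-000000000001",
    "bg-admin-2@example.com": "00000000-0000-0000-0000-000000000002",
}

# Constructed sign-in events; errorCode 0 is success, anything else a failure.
EVENTS = [
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2024-03-11T08:02:00Z",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "bg-admin-1@example.com", "createdDateTime": "2024-03-11T22:41:00Z",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "bg-admin-2@example.com", "createdDateTime": "2024-03-12T03:10:00Z",
     "status": {"errorCode": 50126}},
]

# Constructed Conditional Access policies. The MFA policy excludes only one of the
# two break-glass ids, which is the misconfiguration the check should catch.
POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeUsers": ["00000000-0000-0000-0000-000000000001"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Block legacy authentication", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeUsers": list(BREAK_GLASS.values())},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]

# Constructed record of when each account was last test-signed-in.
LAST_TESTED = {
    "bg-admin-1@example.com": date(2024, 1, 15),
    "bg-admin-2@example.com": date(2023, 10, 1),
}


def break_glass_alerts(events, break_glass):
    """Every sign-in attempt by a break-glass account is an alert, failed ones
    included: these accounts are never used in normal operation."""
    return [
        {"user": e["userPrincipalName"], "time": e["createdDateTime"],
         "succeeded": e["status"]["errorCode"] == 0}
        for e in events if e["userPrincipalName"] in break_glass
    ]


def missing_exclusions(policies, break_glass):
    """Enabled policies that do not exclude every break-glass account id."""
    wanted = set(break_glass.values())
    problems = []
    for p in policies:
        if p["state"] != "enabled":
            continue
        excluded = set(p["conditions"]["users"].get("excludeUsers", []))
        missing = sorted(wanted - excluded)
        if missing:
            problems.append((p["displayName"], missing))
    return problems


def overdue_tests(last_tested, today, max_age_days=90):
    """Accounts whose last successful test is older than max_age_days."""
    return sorted(upn for upn, tested in last_tested.items()
                  if (today - tested).days > max_age_days)


if __name__ == "__main__":
    today = date(2024, 3, 12)  # constructed "today"
    for alert in break_glass_alerts(EVENTS, BREAK_GLASS):
        print("ALERT break-glass sign-in:", alert)
    print("Policies missing exclusions:", missing_exclusions(POLICIES, BREAK_GLASS))
    print("Accounts overdue for a test:", overdue_tests(LAST_TESTED, today))
```

Note that the alert fires on the failed attempt as well: a failed sign-in against an account nobody should be using is worth looking at, and a period of silence is only reassuring if the periodic test is also being recorded.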

Mobile Device Considerations

If your staff use personal mobile phones for their authenticator app, consider the implications. You may need to address situations where an employee’s phone is lost, broken, or replaced. Having a documented process for MFA reset — including identity verification before resetting — is essential.

Diagram: MFA Rollout Readiness Checklist

Checklist visual with eight items: Legacy auth blocked, Admin accounts protected, Break-glass accounts configured, User communication sent, Support channel established, Enrolment grace period set, Monitoring dashboards ready, Exceptions documented. Each with a checkbox and responsible party field.

Why This Matters

Microsoft 365 and Google Workspace are the primary targets for credential-based attacks against SMEs. Microsoft reports that organisations without MFA enabled on their tenant are compromised at a rate 50 times higher than those with MFA. Google’s data shows similar patterns. Enabling MFA on these platforms is the single highest-impact security improvement most organisations can make.

Both platforms provide the tooling at no additional cost. The barrier is not technology or budget — it is prioritisation and execution. Every week MFA remains unenforced is a week your organisation operates with a known, avoidable vulnerability.

What to Do Now

  • Log into your Microsoft 365 or Google Workspace admin console and check how many users currently have MFA enabled
  • If fewer than 100% of admin accounts have MFA, enable it for them today
  • Check whether legacy authentication protocols are blocked — if not, plan to block them this week
  • Draft a brief user communication explaining that MFA will be required, why it matters, and where to get help
  • Set up one or two break-glass admin accounts with alternative MFA methods stored securely
  • Create a rollout timeline with target dates for each user group

Evidence to Collect

  • A screenshot or report showing MFA registration status for all users (percentage enrolled)
  • Conditional Access policies or Security Defaults configuration showing MFA enforcement
  • Confirmation that legacy authentication is blocked
  • Documentation of break-glass accounts and where their credentials are stored
  • User communication sent regarding MFA rollout
  • The rollout timeline with actual and target completion dates

Common Mistakes

  • Enabling MFA but not blocking legacy authentication. This is the single most common mistake. Legacy protocols (POP3, IMAP with basic auth, older ActiveSync) do not support MFA and give attackers a direct bypass. Block them.
  • Not testing with a pilot group. Broad MFA enforcement without testing can lock users out of critical workflows. Start with a small group, identify issues, then expand.
  • Forgetting break-glass accounts. If every admin account is locked behind MFA and something goes wrong with your MFA provider, you need a documented emergency access path. Not having one can turn a minor issue into an outage.
  • Poor user communication. Users who are surprised by MFA prompts will flood your helpdesk and develop workarounds. Clear, advance communication with setup instructions dramatically reduces friction.
  • Setting up MFA but not monitoring it. After rollout, regularly check that all users remain enrolled and that no accounts have had MFA removed. New joiners must be enrolled as part of onboarding.
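The last point, checking that nobody has had MFA removed and that new joiners are enrolled, is a comparison of two registration snapshots rather than a look at one. The script below is an added example, not code from the lesson. It assumes each snapshot is a list in the shape of the Microsoft Graph reports/userRegistrationDetails records (userPrincipalName, isMfaRegistered); a Google Workspace user export works the same way once primaryEmail and isEnrolledIn2Sv are mapped to those two keys. Both snapshots are constructed.

```python
"""Detect MFA drift between two weekly registration snapshots.

Added example (not code from the lesson). Snapshots are assumed to be lists of
records with userPrincipalName and isMfaRegistered, the shape of the Microsoft
Graph userRegistrationDetails report. Both snapshots below are constructed.
"""

# Constructed: last week's snapshot.
LAST_WEEK = [
    {"userPrincipalName": "alice@example.com", "isMfaRegistered": True},
    {"userPrincipalName": "bob@example.com", "isMfaRegistered": True},
    {"userPrincipalName": "carol@example.com", "isMfaRegistered": False},
    {"userPrincipalName": "erin@example.com", "isMfaRegistered": True},
    {"userPrincipalName": "frank@example.com", "isMfaRegistered": False},
]

# Constructed: this week's snapshot. bob has lost his registration, carol has
# completed hers, dave is a new joiner who has not enrolled, erin has left.
THIS_WEEK = [
    {"userPrincipalName": "alice@example.com", "isMfaRegistered": True},
    {"userPrincipalName": "bob@example.com", "isMfaRegistered": False},
    {"userPrincipalName": "carol@example.com", "isMfaRegistered": True},
    {"userPrincipalName": "dave@example.com", "isMfaRegistered": False},
    {"userPrincipalName": "frank@example.com", "isMfaRegistered": False},
]


def mfa_drift(previous, current):
    """Classify every change between two snapshots.

    removed: registered last time, not registered now (investigate: reset, or tampering?)
    new_unenrolled: accounts that did not exist last time and have no MFA (onboarding gap)
    still_unenrolled: unregistered in both snapshots (chase, then consider blocking)
    newly_registered: progress since last snapshot
    departed: accounts present last time and gone now (confirm they were offboarded)
    """
    prev = {d["userPrincipalName"]: d["isMfaRegistered"] for d in previous}
    cur = {d["userPrincipalName"]: d["isMfaRegistered"] for d in current}
    return {
        "removed": sorted(u for u, reg in cur.items() if not reg and prev.get(u)),
        "new_unenrolled": sorted(u for u, reg in cur.items() if u not in prev and not reg),
        "still_unenrolled": sorted(u for u, reg in cur.items()
                                   if u in prev and not prev[u] and not reg),
        "newly_registered": sorted(u for u, reg in cur.items()
                                   if reg and u in prev and not prev[u]),
        "departed": sorted(u for u in prev if u not in cur),
    }


def needs_action(drift):
    """True when there is something to chase this week (removals or unenrolled accounts)."""
    return bool(drift["removed"] or drift["new_unenrolled"] or drift["still_unenrolled"])


if __name__ == "__main__":
    drift = mfa_drift(LAST_WEEK, THIS_WEEK)
    for category, users in drift.items():
        print(f"{category}: {users}")
    print("Action needed this week:", needs_action(drift))
```

The "removed" category is the one to treat as an incident rather than a to-do: a registration that disappears without a helpdesk reset ticket to explain it is either a process failure or someone tampering with a user's authentication methods.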

Knowledge Check

Question 1 of 4

What is the fastest way to enable MFA on a Microsoft 365 tenant with a basic licence?

  • Purchase Azure AD Premium P2
  • Enable Security Defaults — a free, one-click setting that requires MFA for all users
  • Configure per-user MFA for each account individually
  • Install third-party MFA software

B. Security Defaults is free on all Microsoft 365 tenants. Enabling it requires MFA for all users via the Microsoft Authenticator app and blocks legacy authentication protocols — all with a single toggle.

Question 2 of 4

Why is blocking legacy authentication critical when deploying MFA?

  • Legacy protocols use too much bandwidth
  • Legacy protocols do not support MFA, giving attackers a direct bypass path
  • Legacy protocols are slower and reduce productivity
  • Regulators specifically audit for legacy protocol usage

B. Protocols like POP3, IMAP with basic auth, and older ActiveSync only require a username and password — they cannot prompt for a second factor. If they remain enabled, attackers can bypass MFA entirely by authenticating through these older protocols.

Question 3 of 4

What is a “break-glass” account and why do you need one?

  • An account used for daily operations by the IT team
  • An emergency admin account with alternative MFA, used only when standard admin access fails
  • A shared account for all staff to use during a system outage
  • A test account used to verify MFA is working correctly

B. A break-glass account is an emergency administrator account configured with an alternative MFA method (or excluded from conditional access), with credentials stored in a physical safe. It ensures you can regain admin access if your primary MFA method or identity provider experiences an issue.

Question 4 of 4

In Google Workspace, what is the recommended first step when enforcing 2-Step Verification?

  • Enforce for all users simultaneously without a grace period
  • Enforce for admin accounts first, then extend to all users with a grace period
  • Send an email asking users to enable it voluntarily
  • Disable all accounts until they set up 2SV

B. Start by enforcing 2SV for admin accounts (highest risk), then extend to all users with an enrolment grace period so they have time to set up without being locked out. This reduces helpdesk load and user disruption.



Summary Notes — Implementing MFA on Microsoft 365 / Google Workspace

Key Takeaways

  • Microsoft 365 offers Security Defaults (free, one-click), per-user MFA, and Conditional Access policies (Business Premium+).
  • Google Workspace offers 2-Step Verification enforcement with grace periods and Advanced Protection for high-risk users.
  • Blocking legacy authentication is critical — older protocols bypass MFA entirely.
  • Break-glass accounts ensure emergency access if MFA or identity systems fail.
  • Clear user communication and a support channel are as important as the technical configuration.

Action Items

  1. Check MFA registration status in your admin console today.
  2. Enable MFA for all admin accounts immediately.
  3. Block legacy authentication protocols.
  4. Configure one or two break-glass admin accounts.
  5. Communicate the rollout plan to all staff with setup instructions.
  6. Set target dates and monitor enrolment progress weekly.

Compliance Relevance

Cyber Essentials requires MFA for cloud service accounts and admin access — this lesson’s steps directly satisfy that requirement. ISO 27001 Annex A.8.5 (Secure Authentication) and A.5.18 (Access Rights) require documented, enforced authentication controls. Microsoft Conditional Access policies and Google 2SV enforcement settings serve as auditable evidence for both frameworks.