Multi-factor authentication — commonly known as MFA — is one of the most effective security measures any UK business can implement. According to Microsoft's own research, enabling MFA blocks over 99.9% of account compromise attacks. Yet despite this remarkable effectiveness, a significant proportion of UK businesses still rely on passwords alone to protect their Microsoft 365 accounts, their Azure resources, and their corporate data.
Azure Active Directory — now officially known as Microsoft Entra ID, though the Azure AD name remains in common use — provides built-in MFA capabilities that are included with every Microsoft 365 subscription. For UK businesses using Microsoft 365 Business Basic, Business Standard, Business Premium, or any Enterprise plan, MFA is available at no additional cost. There is genuinely no reason not to enable it.
This guide provides a comprehensive, step-by-step walkthrough of setting up MFA in Azure AD for your UK business. We cover the planning phase, the configuration process, user enrollment, and ongoing management, with practical advice drawn from hundreds of MFA deployments across UK organisations.
Understanding MFA: Why Passwords Are Not Enough
Passwords have been the primary authentication method since the earliest days of computing, but they have become increasingly inadequate as a sole security measure. The problem is not that passwords are inherently insecure — a truly random 20-character password is extremely difficult to crack. The problem is that humans are terrible at creating and managing passwords.
Studies consistently show that people reuse passwords across multiple services, choose weak and predictable passwords, write passwords on sticky notes attached to monitors, share passwords with colleagues, and rarely change them unless forced to. The result is that passwords are routinely compromised through phishing attacks, credential stuffing (using passwords leaked from other breaches), brute force attacks, and social engineering.
MFA addresses this fundamental weakness by requiring a second form of verification beyond the password. Even if an attacker obtains your password through phishing or a data breach, they cannot access your account without also possessing your second factor — typically your mobile phone or a hardware security key. This transforms security from a single point of failure to a layered defence.
The National Cyber Security Centre (NCSC) recommends MFA as one of its core security measures for UK organisations of all sizes. In its guidance for small businesses, the NCSC states: "Set up multi-factor authentication on all your important accounts, even if the service only offers it by text message." Cyber Essentials Plus, the UK Government-backed certification scheme, also requires MFA for cloud service administration. Implementing MFA is not just good practice — it is an increasingly expected baseline.
MFA Methods Available in Azure AD
Azure AD supports several MFA methods, each with different security levels, user experiences, and deployment considerations. Understanding these options helps you choose the right approach for your organisation.
| MFA Method | Security Level | User Experience | Requirements |
|---|---|---|---|
| Microsoft Authenticator (push notification) | High | Excellent — single tap to approve | Smartphone with Authenticator app |
| Microsoft Authenticator (number matching) | Very High | Good — enter displayed number | Smartphone with Authenticator app |
| FIDO2 security key | Very High | Good — tap physical key | FIDO2-compatible hardware key |
| Windows Hello for Business | Very High | Excellent — biometric or PIN | Windows 10/11 with compatible hardware |
| TOTP code (Authenticator or third-party app) | High | Good — enter 6-digit code | Smartphone with authenticator app |
| SMS code | Medium | Familiar — enter texted code | Mobile phone with signal |
| Voice call | Medium | Acceptable — answer and press # | Phone line (mobile or landline) |
Planning Your MFA Deployment
Before enabling MFA, take time to plan the deployment. Rushing MFA activation without preparation leads to confused users, locked-out accounts, and a flood of support requests that can overwhelm your helpdesk.
Identify Your User Groups
Not all users need the same MFA experience. Consider grouping your users by role and risk level. Global administrators and IT staff should use the strongest MFA methods (Authenticator with number matching or FIDO2 keys). Finance and HR users with access to sensitive data should use Authenticator at minimum. General users can start with any supported method, with guidance to use Authenticator where possible.
Handle Exceptions Early
Some users may have legitimate reasons why standard MFA is difficult — for example, warehouse staff without smartphones, field workers with unreliable mobile signal, or shared workstation environments. Identify these cases before deployment and plan alternatives. FIDO2 security keys are an excellent option for users without smartphones, costing between £20 and £50 per key.
Communicate Before You Enable
Send clear communications to all staff at least one week before MFA enrollment begins. Explain what MFA is, why it is being implemented, what users need to do, and where to get help. Provide step-by-step enrollment guides with screenshots. The more prepared your users are, the smoother the rollout will be.
Poor MFA Rollout
- Enable MFA for all users at once without warning
- No user communication or training
- No exceptions process for edge cases
- No helpdesk preparation for enrollment queries
- SMS as the only offered method
- No admin accounts protected first
Well-Planned MFA Rollout
- Phased rollout starting with IT and admin accounts
- Clear communications with step-by-step guides
- Exceptions identified and alternatives provided
- Helpdesk briefed and ready for enrollment support
- Microsoft Authenticator as recommended method
- Admin accounts secured with strongest methods first
Step-by-Step: Enabling MFA in Azure AD
There are two primary approaches to enabling MFA in Azure AD: Security Defaults and Conditional Access policies. The right choice depends on your Microsoft 365 licence level and the granularity of control you need.
Option 1: Security Defaults (Free with All Plans)
Security Defaults is Microsoft's recommended baseline for organisations that do not have Azure AD Premium licences. When enabled, Security Defaults requires all users to register for MFA within 14 days, prompts for MFA when signing in from new devices or locations, blocks legacy authentication protocols that cannot support MFA, and requires administrators to perform MFA at every sign-in.
To enable Security Defaults, sign in to the Microsoft Entra admin centre at entra.microsoft.com. Navigate to Identity, then Overview, then Properties. Scroll to the bottom and click "Manage Security Defaults." Toggle the switch to "Enabled" and click Save. Security Defaults will immediately begin enforcing MFA requirements across your tenant.
Option 2: Conditional Access (Requires Azure AD Premium P1)
Conditional Access provides granular control over when and how MFA is required. You can create policies based on user group, application, device platform, location, risk level, and more. This approach is recommended for businesses that need different MFA rules for different user groups, want to exclude specific trusted locations (such as your office IP address), need to support legacy applications that cannot handle MFA prompts, or require integration with device compliance policies.
A typical Conditional Access policy for MFA would target all users, require MFA for all cloud applications, exclude trusted office locations (optional), and use the "Require multi-factor authentication" grant control.
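The policy just described, built as an added example with the Microsoft Graph PowerShell SDK (this is not code from the original article or from Microsoft's documentation). The policy name, the break-glass group name "CA-Exclude-BreakGlass" and the report-only starting state are assumptions made here; everything else maps one-to-one onto the policy shape described above. The script first checks that Security Defaults is switched off, because a tenant cannot run Security Defaults and Conditional Access policies at the same time.

```powershell
# Added example, not part of the original article: the "typical" MFA policy described
# above, created with the Microsoft Graph PowerShell SDK (Microsoft.Graph module).
# The policy name, the break-glass group name and the report-only starting state are
# assumptions made here, not values from the article.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All"

# Conditional Access and Security Defaults cannot be used together; stop if Security
# Defaults is still switched on in this tenant.
$securityDefaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($securityDefaults.IsEnabled) {
    throw "Security Defaults is enabled. Disable it before creating Conditional Access policies."
}

# Emergency-access ("break glass") accounts are excluded so that a mistake in the policy
# cannot lock every administrator out. The group name is an assumption.
$breakGlass = Get-MgGroup -Filter "displayName eq 'CA-Exclude-BreakGlass'"
if (-not $breakGlass) {
    throw "Break-glass group not found; create it before applying the policy."
}

$policy = @{
    displayName = "CA001 - Require MFA for all users on all cloud apps"
    # Start in report-only mode: sign-ins are evaluated and logged but not blocked.
    # Change to "enabled" once the sign-in log shows the expected results.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlass.Id)
        }
        applications = @{
            includeApplications = @("All")
        }
        # Optional: skip the MFA prompt from named locations marked as trusted
        # (for example the office's public IP range). Remove this block to prompt everywhere.
        locations = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy '$($created.DisplayName)' (id $($created.Id)) in state $($created.State)"
```

The "AllTrusted" exclusion only has an effect once at least one named location has been marked as trusted in the Entra admin centre; without one, the policy simply prompts everywhere. Leaving the policy in report-only mode for a few days and reading the sign-in log before switching the state to "enabled" is the safest way to catch service accounts and legacy clients that would otherwise be locked out.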
User Enrollment: Making It Smooth
Once MFA is enabled, users will be prompted to register their MFA method at their next sign-in. The experience varies slightly depending on the method chosen, but for the recommended Microsoft Authenticator approach, the process is straightforward.
The user signs in to Microsoft 365 as normal. A screen appears stating that their organisation requires additional security information. They click "Next" and are prompted to download the Microsoft Authenticator app from the App Store or Google Play. Once the app is installed, they scan a QR code displayed on screen using the app's built-in camera function. The app registers with their account, and a test notification is sent. The user approves the notification, confirming that MFA is working. The entire process takes approximately five to ten minutes for most users.
For users who encounter difficulties, the most common issues are outdated operating systems on their phones (Authenticator requires relatively recent iOS or Android versions), company firewalls blocking the enrollment process, or users who accidentally close the enrollment wizard before completion. Having your IT team or managed service provider available during the enrollment window significantly reduces frustration.
Ongoing Management and Best Practices
Enabling MFA is not a set-and-forget exercise. Ongoing management ensures that your MFA deployment remains effective and does not create unnecessary friction for your users.
Monitor enrollment completion. Use the Azure AD authentication methods activity report to track which users have registered for MFA and which have not. Follow up with users who have not completed enrollment within your defined timeframe.
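One way to automate that follow-up, as an added example rather than code from the original article: the Graph "user registration details" report behind the authentication methods activity page can be pulled with the Microsoft Graph PowerShell SDK and filtered down to users who have not registered. The CSV output path is an assumption.

```powershell
# Added example, not part of the original article: list users who have not yet
# registered for MFA, using the Graph user registration details report that
# backs the authentication methods activity page in the Entra admin centre.
# The output file path is an assumption.

Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All"

# -All pages through the whole tenant rather than returning the first page only.
$details = @(Get-MgReportAuthenticationMethodUserRegistrationDetail -All)

$notRegistered = @($details |
    Where-Object { -not $_.IsMfaRegistered } |
    Select-Object UserPrincipalName,
                  IsAdmin,
                  IsMfaCapable,
                  @{ Name = 'MethodsRegistered'; Expression = { $_.MethodsRegistered -join ';' } })

# Administrators without MFA are the highest-risk gap, so surface them first.
$adminsNotRegistered = @($notRegistered | Where-Object IsAdmin)
$adminsNotRegistered | Format-Table -AutoSize

# Full list for the helpdesk to chase.
$notRegistered | Export-Csv -Path ".\mfa-not-registered.csv" -NoTypeInformation

Write-Output ("{0} of {1} users have no MFA registration ({2} of them administrators)" -f
    $notRegistered.Count, $details.Count, $adminsNotRegistered.Count)
```

IsMfaRegistered and IsMfaCapable are worth reading together: a user can have registered a method that the tenant's authentication methods policy no longer allows, in which case they show as registered but not capable and will still be blocked at the MFA prompt.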
Review and update Conditional Access policies. As your business changes — new offices, new applications, new user roles — your Conditional Access policies may need updating. Review them quarterly to ensure they still reflect your security requirements.
Plan for lost devices. Users will lose phones, get new phones, or have phones stolen. Ensure your helpdesk has a clear, secure process for resetting MFA registrations. This process should include identity verification to prevent social engineering attacks where an attacker poses as a user to remove their MFA.
Consider passwordless authentication. Once MFA is established, consider moving to passwordless authentication methods such as FIDO2 keys or Windows Hello for Business. These methods are more secure than password-plus-MFA and provide a better user experience. Microsoft is actively encouraging organisations to adopt passwordless as the next evolution of authentication security.
Need Help Setting Up MFA?
Cloudswitched helps UK businesses implement multi-factor authentication across Microsoft 365 and Azure AD. From initial planning and policy configuration to user enrollment support and ongoing management, we ensure your MFA deployment is secure, smooth, and sustainable. Get in touch to protect your business.
