
How to Set Up Multi-Factor Authentication for Your Team

2026-06-02 · IPCONNEX

Passwords are broken. Not in some theoretical sense — in the practical sense that credential stuffing, phishing, and password spray attacks compromise accounts every day at organizations that thought they were fine. Microsoft's own data shows that MFA blocks more than 99.9% of automated account attacks. That number is remarkable. It's also been publicly available for years. And yet, in almost every IT security assessment we run for small businesses in Montreal, we find accounts without it.

Here's what to actually do about it.

How MFA Works

The concept is straightforward: authentication requires something you know (password) plus something you have (a code, a device, a hardware key). An attacker who steals your password from a data breach still can't log in without that second factor.

The important distinction is between MFA that's phishing-resistant and MFA that isn't. Not all second factors are equal.

The Three Types — Ranked by Actual Security

SMS codes are the weakest form of MFA. Better than nothing, but not by much for targeted attacks. SIM swapping — where an attacker convinces your carrier to transfer your number to their device — is a known, documented attack vector. SMS codes are also vulnerable to real-time phishing attacks where the attacker captures and replays the code within its validity window. If SMS is your only option for a specific service, use it. But don't consider it secure.

Authenticator apps — Microsoft Authenticator, Google Authenticator, Authy — generate time-based one-time passwords (TOTP) that change every 30 seconds. They're not tied to your phone number, which removes SIM swapping as an attack vector. Microsoft Authenticator also supports number matching (you confirm a two-digit code displayed during login), which blocks automated MFA fatigue attacks where attackers spam approval requests hoping someone clicks Accept. For most SMBs, this is the right baseline.
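How an authenticator app derives those 30-second codes, and why a code phished inside the window still verifies, shown as an added example (not code from this post); the secret is the RFC 6238 test-vector seed, not a real key, and the server-side skew policy is an assumption.

```python
"""TOTP as an authenticator app computes it (RFC 6238 on top of RFC 4226 HOTP).
Added example; RFC_TEST_SEED is the published test-vector secret, not a real key."""
import hashlib
import hmac
import struct
import time

RFC_TEST_SEED = b"12345678901234567890"   # RFC 6238 Appendix B seed (SHA-1 variant)
STEP_SECONDS = 30                         # the 30-second window the article mentions
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """TOTP is HOTP with the counter set to floor(time / step)."""
    return hotp(secret, unix_time // step)


def verify(secret: bytes, submitted: str, unix_time: int, skew_steps: int = 1) -> bool:
    """Server-side check (assumed policy: accept +/- one step of clock drift).
    That tolerance is also the replay window: a code captured by a real-time
    phishing page is accepted for as long as this function accepts it."""
    counter = unix_time // STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(secret, counter + d), submitted)
        for d in range(-skew_steps, skew_steps + 1)
    )


def replay_window_seconds(unix_time: int, skew_steps: int = 1) -> int:
    """Seconds a code captured at unix_time stays valid under the skew policy above."""
    end_of_window = (unix_time // STEP_SECONDS + skew_steps + 1) * STEP_SECONDS
    return end_of_window - unix_time


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(RFC_TEST_SEED, now))
    print("still accepted for another", replay_window_seconds(now), "seconds")
```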

Hardware security keys — YubiKey being the most common — provide FIDO2/WebAuthn authentication that is phishing-resistant by design. The credential is bound to the domain it was registered for, and the browser passes the real origin to the key, so it won't authenticate to a spoofed login page. It's the strongest option available. At $50-80 per key, it's cost-effective for executives, IT admins, finance staff, and anyone with elevated access. For general staff, an authenticator app is usually sufficient.

Setting Up MFA in Microsoft 365

This is where most Montreal SMBs live, so it's worth being specific. The steps:

  1. Sign into the Microsoft 365 Admin Center (admin.microsoft.com) as a global admin.
  2. Go to Identity > Overview > Properties, then click "Manage security defaults." If you're on legacy per-user MFA, migrating to Conditional Access is worth doing properly before rolling out broadly.
  3. In Entra ID (formerly Azure AD), navigate to Security > Conditional Access > Policies.
  4. Create a policy: require MFA for all users, all cloud apps, all locations — with an exclusion for your admin break-glass account.
  5. Set the policy to "Report-only" mode first. This shows you what would be blocked without actually blocking anything, letting you identify gaps before enforcing.
  6. After reviewing the report-only results for a few days, switch to "On."

The break-glass account deserves mention: this is a cloud-only global admin account with a long random password, stored offline, that you use if something goes wrong with MFA enforcement. Don't skip it. IT teams that lock themselves out of their tenant are not a rarity.

Rollout Strategy

Don't enable MFA for everyone simultaneously on a Monday morning. You'll spend the day on the phone.

Start with IT administrators. They're more technically comfortable and can troubleshoot their own issues. They also have the highest-risk accounts, so there's genuine urgency.

Move to executives and finance staff next — high-value targets who often have the least technical patience. Brief them personally, explain why it matters (a compromised CEO email account can authorize fraudulent wire transfers), and have someone available to help during their first login.

Roll out to all staff in batches over two to three weeks. Pair the technical rollout with a short explanation — one paragraph, not a policy document — of what's changing and why.

Handling Employee Resistance

The most common objection: "It's too complicated." The honest response: it adds about 10 seconds to your morning login. Once the authenticator app is set up and you've logged in a few times, you barely notice it. Microsoft Authenticator on modern devices supports biometric approval — it's faster than typing a password.

The second objection: "I don't want to use my personal phone for work." This is legitimate. Options include providing a dedicated authenticator device (an old smartphone works fine), using hardware keys, or — for Microsoft 365 — enabling the Microsoft Authenticator Lite integration, which creates a work profile separate from personal use.

If Someone Loses Their Device

This is the scenario that keeps IT teams from enabling MFA. The answer is policy, not avoidance.

Document a device loss procedure before rollout: who to contact, how to verify identity (phone call with manager, not just email), who has authority to reset MFA. Microsoft 365 admins can remove a user's MFA methods in the Entra ID portal, which forces re-registration on the next login. This takes about two minutes once you've done it once.

Temporary access passes (TAP) in Entra ID let you issue a time-limited credential for exactly this scenario — device loss, new device setup, onboarding. Set them up as part of your MFA deployment.

Phishing-Resistant MFA: FIDO2

If you want to go further — and for any organization handling sensitive client data, you should consider it — FIDO2/WebAuthn is the standard to move toward. YubiKey 5 Series keys support FIDO2 and work with Microsoft 365, Google Workspace, and most modern web applications.

The key difference: FIDO2 doesn't send a code that can be captured and replayed. The authentication is bound to the specific domain. A convincing fake Microsoft login page gets nothing, because the key won't respond to it.
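Where that domain binding is actually enforced, as an added example (not code from this post): the relying party checks the origin the browser recorded in clientDataJSON and the rpIdHash in authenticatorData before it trusts the signature. The assertion data below is constructed, the look-alike hostname is invented, and the signature check itself is omitted.

```python
"""Relying-party side of a WebAuthn assertion: the checks that make a look-alike
login page worthless. Added example with constructed data; no signature verified."""
import base64
import hashlib
import json
import secrets

RP_ID = "login.microsoftonline.com"                # RP ID the credential was registered under
EXPECTED_ORIGIN = "https://login.microsoftonline.com"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """The browser, not the page, fills in the origin it actually loaded."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin}).encode()


def make_authenticator_data(rp_id: str) -> bytes:
    """First 37 bytes of authenticatorData: rpIdHash (32) | flags (1) | signCount (4)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + (1).to_bytes(4, "big")


def check_binding(client_data: bytes, auth_data: bytes, challenge: bytes) -> list:
    """Binding checks from WebAuthn assertion verification; returns findings, empty if OK."""
    findings = []
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        findings.append("wrong ceremony type")
    if cd.get("challenge") != b64url(challenge):
        findings.append("challenge mismatch (replay or cross-session)")
    if cd.get("origin") != EXPECTED_ORIGIN:
        findings.append(f"origin {cd.get('origin')!r} is not {EXPECTED_ORIGIN!r}")
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        findings.append("rpIdHash does not match this relying party")
    if not auth_data[32] & 0x01:
        findings.append("user presence flag not set")
    return findings


def demo():
    """Genuine login versus a constructed look-alike domain; returns both finding lists."""
    challenge = secrets.token_bytes(32)
    genuine = check_binding(make_client_data(EXPECTED_ORIGIN, challenge),
                            make_authenticator_data(RP_ID), challenge)
    fake_host = "login.microsoftonline.com.evil.example"   # constructed look-alike
    spoofed = check_binding(make_client_data("https://" + fake_host, challenge),
                            make_authenticator_data(fake_host), challenge)
    return genuine, spoofed
```

In practice a spoofed page never gets this far: the browser derives the RP ID from the origin it loaded, and the key has no credential for that RP ID, so no assertion is produced at all.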

Microsoft 365 supports phishing-resistant MFA enforcement through Conditional Access authentication strength policies. You can require FIDO2 or Windows Hello for Business for admin accounts specifically, while keeping authenticator apps for general staff — a practical middle ground that dramatically raises your security posture without requiring hardware keys for everyone.
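For the six-step Conditional Access setup above and the authentication-strength policy just described, these are the Microsoft Graph request bodies as an added example (not IPCONNEX's code): the break-glass object ID and the phishing-resistant strength ID are placeholders to fill from your own tenant, while the Global Administrator role template ID is the built-in one.

```python
"""Graph API bodies for the two Conditional Access policies described in the article,
plus a lint pass for the mistakes that lock tenants out. Added example; angle-bracket
values are placeholders. POST each body to GRAPH_POLICIES_URL."""
import json

GRAPH_POLICIES_URL = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
GLOBAL_ADMIN_ROLE_ID = "62e90394-69f5-4237-9190-012177145e10"   # built-in role template ID
BREAK_GLASS_IDS = ["<break-glass-account-object-id>"]            # placeholder
# Placeholder: id of the built-in "Phishing-resistant MFA" strength, listed by
# GET https://graph.microsoft.com/v1.0/policies/authenticationStrengthPolicies
PHISHING_RESISTANT_STRENGTH_ID = "<phishing-resistant-mfa-strength-id>"
REPORT_ONLY = "enabledForReportingButNotEnforced"   # step 5; "enabled" is step 6's "On"


def baseline_mfa_policy(break_glass_ids, state=REPORT_ONLY):
    """Step 4: all users, all cloud apps, all locations (no location condition means all)."""
    return {
        "displayName": "Require MFA for all users",
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(break_glass_ids)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def admin_phishing_resistant_policy(break_glass_ids, strength_id, state=REPORT_ONLY):
    """Authentication strength scoped to Global Administrators; everyone else keeps the app."""
    policy = baseline_mfa_policy(break_glass_ids, state)
    policy["displayName"] = "Require phishing-resistant MFA for Global Administrators"
    policy["conditions"]["users"] = {"includeRoles": [GLOBAL_ADMIN_ROLE_ID],
                                     "excludeUsers": list(break_glass_ids)}
    policy["grantControls"] = {"operator": "OR", "authenticationStrength": {"id": strength_id}}
    return policy


def lint(policy):
    """Findings to block on before flipping a policy from report-only to 'On'."""
    findings = []
    users, grant = policy["conditions"]["users"], policy["grantControls"]
    if not users.get("excludeUsers"):
        findings.append("no break-glass exclusion")
    elif any(i.startswith("<") for i in users["excludeUsers"]):
        findings.append("placeholder object ID in exclusions")
    if not (grant.get("builtInControls") or grant.get("authenticationStrength")):
        findings.append("grant control does not require MFA")
    return findings


if __name__ == "__main__":
    for p in (baseline_mfa_policy(BREAK_GLASS_IDS),
              admin_phishing_resistant_policy(BREAK_GLASS_IDS, PHISHING_RESISTANT_STRENGTH_ID)):
        print(json.dumps(p, indent=2), "\nlint:", lint(p) or "clean")
```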

The Baseline to Aim For

MFA on every account. No exceptions for "power users" who find it inconvenient. Authenticator app as the minimum, hardware keys for privileged accounts. Conditional Access rather than per-user MFA settings. Device loss procedure documented before someone loses a device.

That's not a perfect security posture. But it closes the gap that accounts for the majority of account compromises we see — and it takes an afternoon to implement properly.