At a glance
- Turn on multi-factor authentication (MFA) for every user — especially admins.
- Use the Microsoft Authenticator app instead of SMS when possible.
- Block legacy sign-in so passwords alone cannot bypass MFA.
- Takes about 10–15 minutes for a small tenant if you follow the steps below.
Who this guide is for
Office managers or IT contacts who administer Microsoft 365 for 5–100 users in Thailand or Singapore. You need Global Administrator or Authentication Administrator rights.
Why MFA matters
Most business email compromises start with a stolen password (phishing or reused passwords). MFA stops most automated attacks because the attacker also needs your phone or security key.
Microsoft and insurers increasingly expect MFA for any company handling customer or payroll data.
Step 1 — Open Entra security defaults or Conditional Access
- Sign in to Microsoft Entra admin center.
- Go to Protection → Security defaults (simplest for small tenants).
If Security defaults are available:
- Set Security defaults to Enabled (forces MFA registration for all users).
If you already use Conditional Access (Business Premium / E3+):
- Create a policy: All users → All cloud apps → Require authentication strength (MFA).
Step 2 — Ask users to register MFA
Each person registers once:
- Go to https://aka.ms/mfasetup while signed in.
- Add Microsoft Authenticator (recommended) or a phone number.
- Approve the test prompt on the phone.
Tip for staff: Show them one screenshot walkthrough in a short Teams meeting — adoption is faster than email alone.
Step 3 — Protect admin accounts
- Create dedicated admin accounts (not daily email).
- Require MFA on every admin.
- Avoid sharing one Global Admin password in a chat group.
Step 4 — Block legacy authentication
Legacy protocols (old POP/IMAP clients) can skip MFA.
- Entra → Protection → Conditional Access
- Policy: block Legacy authentication clients
(Requires Entra ID P1 — included in Business Premium and Enterprise E3.)
If you are on Business Standard only, disable POP/IMAP in individual mailboxes and move users to modern Outlook.
Common problems
| Symptom | Fix |
|---|---|
| User locked out | Admin resets MFA methods in Entra → Users → Authentication methods |
| Authenticator not prompting | Check phone time sync; reinstall app |
| Scanner/app breaks | Use app password or move app to modern auth — ask your partner |
| Too many SMS costs | Switch users to Authenticator app |
Plans and MFA features
| Plan | MFA registration | Conditional Access |
|---|---|---|
| Business Basic | Yes | Limited |
| Business Standard | Yes | Limited |
| Business Premium | Yes | Full (Intune + CA) |
| Enterprise E3/E5 | Yes | Full |
See security checklist for SMEs.
Summary
Enable MFA tenant-wide, register Authenticator for each user, harden admin accounts, and block legacy sign-in where your license allows. This is the highest-return security step after buying the right license.
Next steps
Common questions
Does MFA work with all Microsoft 365 plans?
Yes. MFA registration is available on all plans from Business Basic to Enterprise E5. Conditional Access policies (which enforce MFA on specific apps) require Business Premium, Enterprise E3, or E5.
What if a user loses their phone with the Authenticator app?
An admin can reset the user's MFA methods in Entra ID → Users → Authentication methods. The user will then re-register on their new device.
Can I use SMS instead of the Authenticator app?
Yes, but Microsoft recommends the Authenticator app over SMS. SMS is vulnerable to SIM-swapping attacks and may incur costs for users.
How long does it take to enable MFA for a small business?
For a tenant with 5–20 users, enabling Security defaults and having users register takes about 15–30 minutes total.
