Try this first
- 1First check who currently has no MFA: Microsoft 365 admin > Active users > MFA Status column, or via Entra > Users > Authentication Methods per user.
- 2Announce two weeks in advance to the whole team. Provide the instructions and pick a fixed enrollment day.
- 3Turn on Security Defaults (Entra > Properties > Security defaults) if you do not have Conditional Access yet. That enforces MFA for all users.
- 4For exceptions (POS, shared mailbox account, scanners): use service accounts with tight Conditional Access policies, or place those accounts under a separate CA exclusion. Do NOT use app passwords: Microsoft has disabled basic auth and since late 2024 you can no longer create new app passwords. Replace existing ones with OAuth flows before Microsoft fully disables them.
- 5Plan a fallback slot for people who get stuck on enrollment day. Do not let anyone be locked out on a Tuesday morning.
When to bring us in
If you have Conditional Access licenses (Entra ID P1/P2): let us write a cleaner policy than Security Defaults, for example no MFA on office IP but yes outside. Just a bit more comfortable.
See also
- I think I clicked a phishing linkNo shame, happens to everyone. The next fifteen minutes matter.
- A colleague's account is acting strangelySending mail in their name, rules hiding folders, unusual sign-ins. Suspicious.
- Lost the MFA app: new phone, no backup codesClassic problem after a phone upgrade. You are not the first to be locked out.
None of the above fits?
Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.