How do I enforce MFA for all users of a SaaS?
MFA at the vendor side is a separate setting from MFA on your M365 account. Only 'required' gives real assurance.
Try this first
- 1Check the vendor's admin settings for a 'Require MFA for all users' toggle. If it exists, use it.
- 2No tenant-wide toggle? Then check per user whether MFA is on; click through and keep a list.
- 3Under SSO via M365: M365's MFA covers the sign-in. But the vendor cannot 'see' it unless they accept an MFA claim.
- 4For admins specifically: make MFA required even if regular users get a grace period.
- 5Record this per SaaS in your register; auditors increasingly ask.
When to bring us in
If the SaaS does not offer MFA on the tier you have: ask for advice on whether an upgrade is justified, or whether the SaaS no longer fits.
See also
- New hire has an account but cannot reach Outlook or TeamsAn M365 account without a license is an empty shell. Assigning takes a few clicks, but picking the right plan pays off long-term.
- Employee left, but their email must be retainedPulling the license straight away starts a 30-day timer on the mailbox. The right route keeps access to the mail without paying for the license.
- We pay for licenses nobody usesBetween leavers, duplicate plans, and test accounts there is often 10-20% wasted license spend. A usage report exposes it fast.
None of the above fits?
Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.