Multi-factor authentication (MFA) is the single most effective control you can deploy against account takeover. Microsoft's own data shows it blocks the overwhelming majority of automated identity attacks. This guide covers two ways to enforce it tenant-wide: security defaults for simplicity, and Conditional Access for control.
Option A: Security defaults (fastest)
If you are on a baseline plan and want MFA enforced everywhere with minimal effort, enable security defaults. In the Microsoft Entra admin center, go to Identity → Overview → Properties → Manage security defaults and switch them on. This requires all users to register for MFA and prompts them when risk is detected.
Option B: Conditional Access (recommended)
Conditional Access (requires Entra ID P1 or Business Premium) gives you granular control. Create a policy targeting All users, for All cloud apps, with the grant control "Require multifactor authentication". Exclude a single break-glass admin account so you can never lock yourself out.
Step 1: Create a break-glass account first
Before enforcing anything, create an emergency access account with a long, randomly generated password stored offline. Exclude it from every MFA policy. If your MFA provider has an outage, this account is your way back in.
Step 2: Roll out in stages
Do not flip MFA on for everyone at 9am Monday. Start with the IT team, then a pilot group, then the rest of the company. Set the policy to "Report-only" first to see who would be prompted, then move it to "On" once you are confident registration is complete.
Step 3: Push users toward the Authenticator app
SMS-based codes are vulnerable to SIM swapping. Configure authentication methods so the Microsoft Authenticator app (with number matching) is the default. Number matching defeats MFA fatigue attacks where users blindly approve a flood of push prompts.
Step 4: Verify and document
Use the Authentication methods activity report to confirm registration coverage. Document your break-glass procedure, where the credentials live, and who is authorized to use them. Review the report monthly to catch new hires who have not yet registered.
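The Option B policy, the break-glass exclusion from Step 1, the report-only start from Step 2 and the registration check from Step 4, scripted with the Microsoft Graph PowerShell SDK. This is an added example, not code from the original guide; the break-glass UPN and the policy name are placeholders.

```powershell
# Added example (not from the original guide): create the Conditional Access
# policy described above in report-only mode with the break-glass account
# excluded, then check MFA registration coverage. Requires the Microsoft.Graph
# PowerShell SDK. The break-glass UPN is a placeholder; replace it with yours.
$ErrorActionPreference = 'Stop'
$BreakGlassUpn = 'breakglass@contoso.example'   # placeholder

Connect-MgGraph -Scopes 'Policy.Read.All',
                        'Policy.ReadWrite.ConditionalAccess',
                        'Application.Read.All',
                        'User.Read.All',
                        'AuditLog.Read.All'

# Resolve the break-glass object ID and refuse to continue if it is missing:
# a policy that excludes nothing can lock every admin out during an MFA outage.
$breakGlass = Get-MgUser -Filter "userPrincipalName eq '$BreakGlassUpn'"
if (-not $breakGlass) {
    throw "Break-glass account $BreakGlassUpn not found; create it first (Step 1)."
}

# All users, all cloud apps, require MFA. Start in report-only (Step 2) and
# change State to 'enabled' only after the registration report looks clean.
$policy = @{
    DisplayName   = 'Require MFA for all users'   # placeholder name
    State         = 'enabledForReportingButNotEnforced'
    Conditions    = @{
        Users        = @{
            IncludeUsers = @('All')
            ExcludeUsers = @($breakGlass.Id)   # never prompt the break-glass account
        }
        Applications = @{ IncludeApplications = @('All') }
    }
    GrantControls = @{
        Operator        = 'OR'
        BuiltInControls = @('mfa')
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.Id) in state $($created.State)"

# Step 4: who still has to register before the policy can move to 'On'?
$notRegistered = Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { -not $_.IsMfaRegistered } |
    Select-Object UserPrincipalName, IsMfaRegistered, IsMfaCapable
$notRegistered | Format-Table -AutoSize
Write-Host "$(@($notRegistered).Count) user(s) not yet MFA-registered."
```

Run the script again after a pilot wave; when the final count is zero and the report-only sign-in logs show no unexpected prompts, set the policy State to 'enabled'.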
MFA is non-negotiable for any business handling email, files, or customer data in the cloud. Done in stages with a break-glass account, the rollout is painless and the security gain is enormous.
Korur Security Team
