Cloud9 | Blog

MFA: a hindrance or a critical defence in the modern threat landscape?

Written by Wayne Rafferty | 08 October 2025

We know that in today's workplace environment and threat landscape, relying solely on passwords for user authentication is no longer enough. User credentials are among the most targeted assets by malicious actors and, unfortunately, are also among the most easily compromised. With Microsoft 365 and Azure forming the backbone of digital operations for thousands of UK organisations, safeguarding access to these platforms (and the broader application ecosystem) is imperative.

Multi-factor authentication (or MFA) remains one of the most effective yet underutilised security controls organisations have in their security armoury. However, widespread adoption is often hindered by a lack of awareness or an underestimation of its importance... until a breach occurs, that is. For those that do adopt, the issues that arise usually concern the incorrect configuration and deployment of multi-factor authentication – rather than the tool itself. And that's easy to solve.


The end of password-only security.

Despite overwhelming evidence supporting its effectiveness, many organisations still rely on single-factor authentication. Microsoft reports that MFA can block more than 99.2% of account compromise attacks. Nevertheless, countless systems remain secured solely by a username and password – a method increasingly inadequate in the face of modern cyber threats.

This continued reliance exposes organisations to a range of sophisticated attacks, including phishing, brute force, and credential stuffing, all of which are designed to harvest user credentials. Once attackers gain access, they can move laterally within the network, exfiltrate sensitive data, and severely disrupt operations. Microsoft and the SANS Institute have identified several recurring vulnerabilities:

  • Business Email Compromise (BEC): Cyber attackers often gain access to corporate email accounts via phishing or spoofing techniques. Without MFA, such accounts are easily exploitable, enabling attackers to defraud companies or access sensitive systems.
  • Legacy protocols: Protocols like SMTP and POP3, which lack native MFA support, present a significant attack surface. Adversaries often exploit these by leveraging outdated applications or browsers that default to less secure authentication mechanisms.
  • Credential reuse: With up to 73% of passwords reused across platforms, attackers commonly deploy password spray and credential stuffing attacks using credentials obtained from public breaches. This tactic is simple but highly effective in compromising enterprise accounts.
  • The human element: the Verizon Data Breach Investigations Report highlighted that 74% of breaches involved a human element, including compromised credentials, emphasising the urgent need for MFA adoption across all user identities.

Enforcing MFA isn't just best practice – it's essential.


Real-world consequences of weak authentication.

The risks of insufficient authentication controls are not just theoretical. Earlier this year, Advanced Computer Software Group, a key IT service provider to the NHS, was fined £3.07 million by the Information Commissioner’s Office for security deficiencies. Attackers exploited a customer account lacking MFA, compromising the personal information of 79,404 individuals, including access instructions for 890 home-care patients. The impact was severe: disruption of critical NHS services, inaccessibility of patient records by healthcare professionals, reputational damage, and significant financial penalties – all stemming from a single account without MFA.


Why MFA matters – and makes a difference.

MFA adds an essential layer of protection beyond passwords. Even if a user's credentials are stolen, attackers must also bypass a second authentication factor – typically a mobile authenticator app, hardware token, or biometric verification. This drastically reduces the likelihood of unauthorised access.

Research from Microsoft found that more than 99.9% of compromised accounts don't have MFA, 'which leaves them vulnerable to password spray, phishing, and password reuse, making them susceptible to phishing, password spraying, and other common attack vectors'.

Entra ID and Microsoft 365 provide robust support for multiple MFA methods. Enforcement can be strengthened through Conditional Access Policies, which allow administrators to require MFA based on contextual risk – such as sign-ins from unknown devices or anomalous geolocations – ensuring access is limited to legitimate users only.
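The two controls described above (the legacy-protocol gap in the earlier list and the Conditional Access enforcement here) can both be expressed as Conditional Access policies. The following is an added example written for this article, not code from Cloud9 or Microsoft, using the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed, the signed-in administrator holds the Policy.ReadWrite.ConditionalAccess permission, and an emergency-access exclusion group named 'CA-Exclusions' already exists (a placeholder name). Both policies are created in report-only mode so the sign-in logs show who would be affected before anything is enforced.

```powershell
# Added example (not from the Cloud9 post): two Conditional Access policies created
# with the Microsoft Graph PowerShell SDK. Assumptions: Microsoft.Graph is installed,
# the admin has Policy.ReadWrite.ConditionalAccess, and a break-glass exclusion group
# named 'CA-Exclusions' exists (placeholder name).
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Group.Read.All'

# Resolve the exclusion group so emergency-access accounts cannot be locked out.
$breakGlass = Get-MgGroup -Filter "displayName eq 'CA-Exclusions'"
if (-not $breakGlass) { throw "Exclusion group not found; create it before deploying policies." }

# Policy 1: require MFA for every user on every cloud app. Report-only first, so the
# sign-in log's 'Report-only' tab shows the blast radius before switching to 'enabled'.
$requireMfa = @{
    displayName   = 'CA001 - Require MFA for all users'
    state         = 'enabledForReportingButNotEnforced'   # change to 'enabled' after review
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlass.Id) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

# Policy 2: block legacy authentication clients (Exchange ActiveSync and the 'other'
# category, which covers basic-auth SMTP/POP3/IMAP clients). These protocols cannot
# complete an MFA challenge, so the MFA policy alone does not close the gap.
$blockLegacy = @{
    displayName   = 'CA002 - Block legacy authentication'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlass.Id) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

foreach ($policy in @($requireMfa, $blockLegacy)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host ("Created '{0}' (id {1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State)
}
```

Review the report-only results in the Entra sign-in logs for a week or two before flipping `state` to `enabled`; the exclusion group is what prevents a misconfigured policy from locking every administrator out.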


Enforce it, don’t just recommend it.

Voluntary MFA enrolment often results in low adoption rates. Security must not rely on user discretion. To mitigate risk effectively, MFA must be made mandatory across all account types – including administrators, service accounts, and third-party integrations. It's worth noting that Microsoft has enforced mandatory MFA for all accounts that sign in to the Azure portal, Microsoft Entra admin center, and Microsoft Intune admin center.
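Making MFA mandatory starts with knowing who has not registered. The following is an added example written for this article, not code from Cloud9 or any product it mentions, that pulls the Entra authentication-methods registration report through the Microsoft Graph PowerShell SDK and lists accounts with no MFA registration, administrators first. It assumes the Microsoft.Graph module is installed and the signed-in account holds the AuditLog.Read.All and UserAuthenticationMethod.Read.All permissions; the output file name is a placeholder.

```powershell
# Added example (not from the Cloud9 post): list accounts not registered for MFA.
# Assumptions: Microsoft.Graph is installed; the signed-in account has
# AuditLog.Read.All and UserAuthenticationMethod.Read.All.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All'

# The registration-details report covers every user in the tenant; -All pages through it.
$report = @(Get-MgReportAuthenticationMethodUserRegistrationDetail -All)

# Keep only users with no MFA registration; put privileged accounts at the top,
# because an unregistered admin is the highest-impact gap on the list.
$unregistered = @($report |
    Where-Object { -not $_.IsMfaRegistered } |
    Sort-Object -Property @{ Expression = 'IsAdmin'; Descending = $true }, UserPrincipalName |
    Select-Object UserPrincipalName, IsAdmin, IsMfaCapable,
                  @{ Name = 'Methods'; Expression = { $_.MethodsRegistered -join ',' } })

$adminGaps = @($unregistered | Where-Object { $_.IsAdmin }).Count
Write-Host ("{0} of {1} users are not registered for MFA ({2} of them are admins)" -f
    $unregistered.Count, $report.Count, $adminGaps)

# Export the list for the enrolment campaign and show it on screen.
# (placeholder path)
$unregistered | Export-Csv -Path '.\mfa-unregistered.csv' -NoTypeInformation
$unregistered | Format-Table -AutoSize
```

This report covers user identities only. Service accounts that are really user objects will appear in it, but service principals and other workload identities are not subject to user MFA and need to be reviewed separately.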

While enforcing MFA may appear resource-intensive initially, the return on investment in terms of breach prevention, compliance assurance, and operational continuity is significant. For context, implementing and configuring MFA for a 100-seat environment is estimated to cost approximately £1,000-£3,000, subject to specific organisational requirements and infrastructure (note the small print: additional T&Cs may apply).


And finally.

In a climate where cyberattacks are both prevalent and increasingly sophisticated, MFA is no longer optional; it is a foundational requirement for any modern security posture. By enforcing it proactively, organisations can significantly reduce their exposure to risk and ensure greater resilience across their digital estate.

If you're ready to secure your business with multi-factor authentication, M365 Optimise can help you spot unregistered MFA users and security risks quickly. It's the most cost-effective way to configure and deploy MFA across your entire organisation – it also helps reduce Microsoft licence overspend and ensures users are compliant and correctly licensed.

Drop us a message and we’ll be in touch – or if you'd prefer a quick chat, book a call