Technical Example: Multi-Factor Authentication

Before you begin

Review the Small Business Cloud Security Guides introduction before you use this technical example. The introduction includes steps you should take before you begin, including:

  1. Check that you have a compatible Microsoft 365 subscription. This technical example requires a subscription to any Microsoft 365 Business plan, or any edition of Azure Active Directory.
  2. Enable security defaults in Azure Active Directory. Microsoft has published guidance on enabling ‘Security defaults’.
  3. Create at least two backup administrator accounts to be used for emergency access and store the credentials offline in a secure location such as a fireproof safe. Only authorised individuals should have access to these credentials.

The steps taken in this technical example require an account with ‘Security Administrator’, ‘Conditional Access Administrator’ or ‘Global Administrator’ privileges.

Why you should implement multi-factor authentication

Multi-factor authentication (MFA) makes it harder for adversaries to use compromised user credentials to access an organisation’s systems. It is one of the most important cyber security measures an organisation can implement.  

The following steps leverage Microsoft’s ‘Security defaults’ to enable MFA for your tenancy while minimising the intrusion of MFA prompts to user workflow. MFA will be prompted for administrative activities and when Microsoft detects a higher risk sign-in with a user’s account credentials. This reduces the chances of account compromise and minimises the scope of damage if compromise occurs. Implementing this technical example in your organisation’s Microsoft 365 environment will provide significant protection against account compromise attacks.

Requirements for MFA

This technical example is adapted from Essential Eight maturity level one. It is designed to meet the following requirements:

  • MFA is used by an organisation's users if they authenticate to their organisation’s internet-facing services.
  • MFA is used by an organisation’s users if they authenticate to third-party internet-facing services that process, store or communicate their organisation's sensitive data.
  • MFA (where available) is used by an organisation’s users if they authenticate to third-party internet-facing services that process, store or communicate their organisation's non-sensitive data.
  • MFA is enabled by default for non-organisational users (but users can choose to opt out) if they authenticate to an organisation’s internet-facing services.

What this technical example covers

This technical example demonstrates an MFA implementation for Microsoft 365 applications using Azure Active Directory security defaults.

Organisations that use other third-party internet-facing services will need to ensure that those services also have MFA enabled.

MFA should be required by default for all organisational users. If you are unsure whether MFA should be implemented for a particular user, consider whether that user can access sensitive data or perform sensitive actions on your network. If they can, they should likely be considered an organisational user and MFA should be required.

Technical Example

  • Ensure that you have enabled security defaults in Azure Active Directory, as specified in the ‘before you begin’ section. The Azure Active Directory security defaults meet the broad intent of the ACSC’s Essential Eight maturity level one guidance for MFA. No further configuration is required after confirming that security defaults are enabled.

Known limitations

  • In this technical example, the business only has internet-facing services hosted by its Microsoft 365 subscription. There are no non-organisational users in this example.
  • Microsoft’s security defaults are generally unable to be tweaked with granular configuration. Creating exemptions may result in broader loss of security posture. An organisation may choose to configure their own granular settings after gaining maturity in operating their system and disable the security defaults. Consider following existing Microsoft guidance on configuring Conditional Access policies.
  • One risk with the security defaults is that users are allowed two weeks to set up MFA. This means that there is a period when a new user is not protected by MFA. This presents an opportunity for attackers to reuse stolen credentials on new accounts.
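
The two-week gap noted in the last limitation can be tracked by listing accounts that have not yet registered MFA. The following is an added example, not part of the original guidance or of Microsoft's tooling: it runs on constructed records whose field names follow Microsoft Graph's user and userRegistrationDetails resources, and measuring the window from account creation is an assumption of the example.

```python
from datetime import datetime, timedelta, timezone

GRACE = timedelta(days=14)  # the two-week setup period described above

# Constructed sample records (not real accounts). Field names follow Microsoft
# Graph's user and userRegistrationDetails resources; merging the two per
# account is an assumption of this example.
SAMPLE_USERS = [
    {"userPrincipalName": "alex@example.com", "isAdmin": False,
     "isMfaRegistered": True, "createdDateTime": "2024-05-01T02:00:00Z"},
    {"userPrincipalName": "sam@example.com", "isAdmin": False,
     "isMfaRegistered": False, "createdDateTime": "2024-05-28T23:30:00Z"},
    {"userPrincipalName": "ops-admin@example.com", "isAdmin": True,
     "isMfaRegistered": False, "createdDateTime": "2024-05-10T04:15:00Z"},
    {"userPrincipalName": "kim@example.com", "isAdmin": False,
     "isMfaRegistered": False, "createdDateTime": "2024-05-25T00:00:00Z"},
]

def parse_utc(stamp):
    """Parse an ISO 8601 UTC timestamp such as 2024-05-01T02:00:00Z."""
    parsed = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
    return parsed.replace(tzinfo=timezone.utc)

def unprotected_accounts(users, now):
    """Return accounts without MFA, most urgent first (admins, then oldest)."""
    findings = []
    for user in users:
        if user["isMfaRegistered"]:
            continue  # already protected by MFA
        age = now - parse_utc(user["createdDateTime"])
        findings.append({
            "upn": user["userPrincipalName"],
            "admin": user["isAdmin"],
            "days_exposed": age.days,
            # "overdue": older than the two-week window and still unregistered
            "status": "overdue" if age > GRACE else "in_grace_period",
        })
    findings.sort(key=lambda f: (not f["admin"], -f["days_exposed"]))
    return findings

if __name__ == "__main__":
    as_of = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed date for the sample
    for f in unprotected_accounts(SAMPLE_USERS, as_of):
        print(f"{f['status']:<16} {f['days_exposed']:>3}d "
              f"admin={f['admin']} {f['upn']}")
```

Reviewing this list regularly and prompting listed users to register shortens the period in which a new account relies on a password alone.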
