MFA is the single highest-value security control you can deploy, and most rollouts fail socially, not technically. The plan that works: audit every account first, use an authenticator app (not SMS), enforce through Conditional Access rather than per-user settings, communicate before you enforce, and allow zero exceptions, especially for directors. Done properly it takes two to four weeks and about ninety seconds per person.
Microsoft’s research puts it bluntly: multi-factor authentication blocks over 99% of automated account-compromise attacks. There is no other control with that return for that effort. And yet MFA rollouts stall in businesses everywhere, almost never for technical reasons. They stall because someone senior found it annoying, an exception was granted, and the exception spread.
Start with the account audit, not the announcement
Before any policy is switched on, list every account that can be reached from the internet: Microsoft 365 users, shared mailboxes, admin accounts, remote access, cloud apps, and the service accounts nobody has looked at since they were created. The rollouts that go wrong skip this step, enforce MFA on “everyone”, and discover on Monday that the scanner-to-email account, the accounts package integration, and the MD’s ancient iPad all broke.
Service accounts need individual decisions: modern authentication with app passwords retired, or replaced with a mechanism that does not depend on a password sitting in a config file.
Pick the right second factor
Not all MFA is equal:
- Authenticator app with number matching is the right default: free, phishing-resistant enough for most threat models, and faster in daily use than people expect.
- SMS codes are better than nothing but are the weakest option (SIM-swap and interception risks), and feel slower and clunkier, which fuels the resentment you are trying to avoid.
- Hardware keys (FIDO2) are worth it for admins, finance, and anyone who can move money.
The method you pick shapes the mood of the whole rollout. An app prompt takes two seconds; typing an SMS code takes twenty.
Staff without company phones can use the app on a personal device (it reveals nothing about the phone to the company), a hardware token, or a desk-phone call as a fallback. There is an answer for every objection; have them ready before the questions arrive.
Enforce with Conditional Access, not goodwill
Per-user MFA settings are how partial deployments happen: they rely on someone remembering to tick a box for every joiner, forever. Conditional Access policies enforce MFA structurally: every account, every sign-in that matters, with sensible carve-outs handled by policy (trusted locations used sparingly, if at all) rather than by individual exemption.
The most common failure is also the most predictable: the senior person who finds it annoying gets opted out. Attackers know this pattern, and the opted-out director is the highest-value account in the building. Partial MFA also fails a Cyber Essentials assessment outright, as we covered in the six things that fail most assessments. Zero exceptions is not zealotry; it is the entire point.
Set up one or two break-glass accounts (emergency admin accounts excluded from Conditional Access, with very long stored credentials and alerting on any use) so a policy mistake cannot lock the business out of its own tenant.
Communicate before you enforce
The technical work is a day. The social work is the fortnight around it:
- Announce a week ahead: what is changing, why (one sentence about account takeover is enough), and the date.
- Registration window before enforcement: let people enrol at their own pace for a few days, with a walkthrough for anyone who wants help.
- Enforce in groups: a pilot group first (include at least one director, visibly), then the rest. Problems surface in the pilot where they are cheap.
- Be around on enforcement day: most “issues” are a phone upgrade or a deleted app, fixed in minutes when someone answers quickly.
The honest summary
MFA is the cheapest insurance in IT: over 99% of automated attacks stopped by a control that costs a few seconds a day. The rollout succeeds or fails on three decisions made before anyone sees a prompt: app not SMS, Conditional Access not per-user toggles, and no exceptions regardless of seniority. Get those right and the mutiny never materialises; most staff shrug and get on with it within the week.
Account audit first, including service accounts and the forgotten integrations. Then Conditional Access design, break-glass accounts, a pilot group, staff comms, and enforcement in waves. A typical SMB is fully enforced inside two to four weeks, and it counts directly toward the MFA requirement in Cyber Essentials.