At a glance
- Turn on multi-factor authentication (MFA) for every user — especially admins.
- Use the Microsoft Authenticator app instead of SMS when possible.
- Block legacy sign-in so passwords alone cannot bypass MFA.
- Takes about 10–15 minutes for a small tenant if you follow the steps below.
Who this guide is for
Office managers or IT contacts who administer Microsoft 365 for 5–100 users in Thailand or Singapore. You need Global Administrator or Authentication Administrator rights.
Why MFA matters
Most business email compromises start with a stolen password (phishing or reused passwords). MFA stops most automated attacks because the attacker also needs your phone or security key.
Microsoft and insurers increasingly expect MFA for any company handling customer or payroll data.
Step 1 — Open Entra security defaults or Conditional Access
- Sign in to Microsoft Entra admin center.
- Go to Protection → Security defaults (simplest for small tenants).
If Security defaults are available:
- Set Security defaults to Enabled (forces MFA registration for all users).
If you already use Conditional Access (Business Premium / E3+):
- Create a policy: All users → All cloud apps → Require authentication strength (MFA).
Step 2 — Ask users to register MFA
Each person registers once:
- Go to https://aka.ms/mfasetup while signed in.
- Add Microsoft Authenticator (recommended) or a phone number.
- Approve the test prompt on the phone.
Tip for staff: Show them one screenshot walkthrough in a short Teams meeting — adoption is faster than email alone.
Step 3 — Protect admin accounts
- Create dedicated admin accounts (not daily email).
- Require MFA on every admin.
- Avoid sharing one Global Admin password in a chat group.
Step 4 — Block legacy authentication
Legacy protocols (old POP/IMAP clients) use basic authentication, which cannot show an MFA prompt, so a stolen password alone is enough to sign in through them.
- Entra → Protection → Conditional Access
- Create a policy: All users → All cloud apps → Client apps = legacy authentication clients → Block access
(Requires Entra ID P1 — included in Business Premium and Enterprise E3.)
If you are on Business Standard only, disable POP/IMAP in individual mailboxes and move users to modern Outlook.
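Step 4 as an added Microsoft Graph PowerShell example (not from this guide or from Microsoft): it creates the block-legacy-authentication policy in report-only mode first, so you can check the sign-in logs for scanners or old mail clients that would break before enforcing it, then the per-mailbox fallback for Business Standard tenants. The policy name is a placeholder.

```powershell
# Added example, not part of the guide. Needs the Microsoft.Graph and
# ExchangeOnlineManagement modules (Install-Module Microsoft.Graph, ExchangeOnlineManagement).

# --- Entra ID P1 tenants (Business Premium / E3+): Conditional Access policy ---
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$policy = @{
    displayName = "Block legacy authentication"   # placeholder name
    # Report-only: nothing is blocked yet, but each legacy sign-in is logged as
    # "would have been blocked", which shows you the old POP/IMAP clients first.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All") }
        applications   = @{ includeApplications = @("All") }
        # The two client-app types that use basic authentication and cannot
        # perform an MFA prompt: Exchange ActiveSync and "Other clients".
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created report-only policy $($created.Id)"

# After reviewing Entra -> Monitoring -> Sign-in logs (filter on this policy)
# for a week or two and fixing any affected apps, switch it to enforced:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }

# --- Business Standard (no Conditional Access): disable POP/IMAP per mailbox ---
Connect-ExchangeOnline
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled } |
    ForEach-Object {
        Set-CASMailbox -Identity $_.Identity -PopEnabled $false -ImapEnabled $false
        "Disabled POP/IMAP for $($_.Identity)"
    }
```

Run the report-only half first on a test tenant or outside business hours; the mailbox loop changes every mailbox that still has POP or IMAP enabled.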
Common problems
| Symptom | Fix |
|---|---|
| User locked out | Admin resets MFA methods in Entra → Users → Authentication methods |
| Authenticator not prompting | Check phone time sync; reinstall app |
| Scanner/app breaks | Use app password or move app to modern auth — ask your partner |
| Too many SMS costs | Switch users to Authenticator app |
Plans and MFA features
| Plan | MFA registration | Conditional Access |
|---|---|---|
| Business Basic | Yes | Limited |
| Business Standard | Yes | Limited |
| Business Premium | Yes | Full (Intune + CA) |
| Enterprise E3/E5 | Yes | Full |
See security checklist for SMEs.
Summary
Enable MFA tenant-wide, register Authenticator for each user, harden admin accounts, and block legacy sign-in where your license allows. This is the highest-return security step after buying the right license.
