Microsoft 365 MFA Best Practices: Beyond Just Turning It On

MFA Is Not a Set-It-and-Forget-It Solution

Yes, Multi-Factor Authentication blocks 99.9% of automated attacks. Microsoft says it, and it is true. But attackers have adapted. MFA fatigue attacks, SIM swapping, adversary-in-the-middle (AiTM) phishing, and token theft all bypass basic MFA implementations.

Turning on MFA was the right first step. Now it is time to configure it properly.

Stop Using Per-User MFA — Switch to Conditional Access

Microsoft offers two ways to enforce MFA: per-user MFA (the legacy method) and Conditional Access-based MFA. The difference matters significantly.

Per-user MFA:

• Binary: on or off per user
• No context awareness (same enforcement whether the user is on a trusted device in the office or an unknown device in another country)
• Being deprecated by Microsoft
• Cannot integrate with risk-based policies

Conditional Access MFA:

• Context-aware: evaluates sign-in risk, device compliance, location, application, and user risk
• Granular: different policies for different scenarios
• Integrates with Azure AD Identity Protection
• Supports phishing-resistant authentication methods
• The future of Microsoft identity security

Migration path: If you are still on per-user MFA, plan the migration to Conditional Access. Disable per-user MFA for users as you enable equivalent Conditional Access policies.

Block Legacy Authentication Protocols

Here is a fact that catches many admins off guard: legacy authentication protocols like POP3, IMAP, and SMTP AUTH do not support MFA. If legacy auth is enabled, attackers can bypass MFA entirely using stolen credentials.

What to do:

• Create a Conditional Access policy that blocks legacy authentication for all users
• Check sign-in logs for any applications still using legacy auth before blocking
• Work with users who have older email clients to migrate to modern authentication
• Monitor for block events after implementing the policy to catch anything you missed

Implement Phishing-Resistant MFA Methods

Not all MFA methods are equal. Here is the hierarchy from weakest to strongest:

1. SMS/Voice call (weakest) — vulnerable to SIM swapping and SS7 attacks
2. Email OTP — vulnerable if the email account is compromised
3. Microsoft Authenticator push notifications — vulnerable to MFA fatigue attacks
4. Microsoft Authenticator with number matching — significantly more resistant to fatigue attacks
5. FIDO2 security keys (strongest) — phishing-resistant, hardware-based, no shared secrets
6. Windows Hello for Business — phishing-resistant, biometric or PIN-based, device-bound

Recommendation: At minimum, enable number matching and additional context in Microsoft Authenticator. For high-value accounts (admins, executives, finance), require FIDO2 keys or Windows Hello for Business.

Prevent MFA Fatigue Attacks

MFA fatigue (also called MFA bombing or push spam) is when attackers repeatedly trigger MFA prompts until the user approves one out of frustration or confusion. This was the technique used in the 2022 Uber breach.

Prevention measures:

• Enable number matching: Users must type the number displayed on the sign-in screen into the Authenticator app (instead of just tapping “Approve”). This prevents blind approval.
• Enable additional context: Shows the user the app name and geographic location of the sign-in attempt, making it obvious when a prompt is not legitimate.
• Set sign-in frequency policies: Limit how often users are prompted to re-authenticate to reduce prompt fatigue while maintaining security.
• Configure risk-based policies: Automatically block or require password change when sign-in risk is detected as high.

Create a Break-Glass Emergency Access Account

If your Conditional Access policies lock out all admins (due to misconfiguration, Azure AD outage, or compromised MFA), you need a way back in.

Break-glass account requirements:

• Cloud-only account (not synced from on-premises AD)
• Global Admin role
• MFA enabled, but excluded from Conditional Access policies
• Uses a long, complex password stored in a physical safe or secure vault
• Monitored with alerts for any sign-in activity
• Tested periodically to confirm it works

Monitor MFA Coverage and Gaps

Having MFA policies does not mean every user is actually covered. Configuration drift, exclusion groups, and new user onboarding can create gaps.

Regular checks:

• Run the Azure AD sign-in logs filtered for “MFA not satisfied” to find unprotected sign-ins
• Review Conditional Access policy exclusion groups monthly
• Check for users registered for MFA vs. users who have actually completed MFA registration
• Review the Authentication Methods registration report for users with only weak methods registered

Audit Your MFA Configuration Automatically

Checking MFA status across all users, reviewing Conditional Access policies, identifying legacy auth usage, and verifying phishing-resistant method adoption is a lot of work — especially across multiple tenants.

365 Security Assessment checks all of these MFA configurations as part of its automated security audit. It identifies users without MFA, detects legacy authentication, reviews Conditional Access policy gaps, and flags accounts using weak authentication methods.

Start your free assessment to see exactly where your MFA gaps are.