Jordan Flynn KB

MFA Enforcement Strategies

Approaches to rolling out multi-factor authentication across an organisation.

Rollout Strategy

Start MFA rollout with privileged accounts — Global Admins, service accounts, and anyone with elevated access. Then extend to all users in phases, grouped by department or location. Use Entra ID Conditional Access to enforce MFA based on risk signals, location, or specific applications.

  • Phase 1 — Global Admins and Privileged Role holders
  • Phase 2 — IT staff and service desk
  • Phase 3 — Finance, HR, and other sensitive departments
  • Phase 4 — All remaining users, by office location or region
  • Phase 5 — Guest and external accounts
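The phased rollout above, expressed as Conditional Access policies. This is an added example, not code from the original KB page: it defines a small helper that creates one report-only "require MFA" policy per phase, resolves privileged role template IDs by display name instead of hardcoding GUIDs, and always excludes a break-glass group so a misconfigured policy cannot lock administrators out. The group names (SG-BreakGlass, SG-MFA-Phase2-IT, SG-MFA-Phase3-Finance-HR) and the role list are placeholders to adapt to your tenant; the Microsoft Graph PowerShell SDK is assumed.

```powershell
# Added example, not part of the original KB page. Creates the Phase 1
# Conditional Access policy (MFA for privileged role holders) and reuses the
# same helper for later phases that target a group per department.
# Assumes the Microsoft Graph PowerShell SDK; group and role names below are
# placeholders for whatever your tenant uses.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Directory.Read.All"

function New-MfaPhasePolicy {
    param(
        [Parameter(Mandatory)] [string]   $DisplayName,
        [Parameter(Mandatory)] [string]   $BreakGlassGroupId,   # always excluded
        [string[]] $IncludeRoleIds  = @(),
        [string[]] $IncludeGroupIds = @()
    )
    $users = @{ ExcludeGroups = @($BreakGlassGroupId) }
    if ($IncludeRoleIds.Count  -gt 0) { $users.IncludeRoles  = $IncludeRoleIds }
    if ($IncludeGroupIds.Count -gt 0) { $users.IncludeGroups = $IncludeGroupIds }

    New-MgIdentityConditionalAccessPolicy -BodyParameter @{
        DisplayName   = $DisplayName
        # Start in report-only, review the impact in the sign-in log, then set "enabled"
        State         = "enabledForReportingButNotEnforced"
        Conditions    = @{
            Applications = @{ IncludeApplications = @("All") }
            Users        = $users
        }
        GrantControls = @{ Operator = "OR"; BuiltInControls = @("mfa") }
    }
}

# Placeholder: group containing the emergency-access (break-glass) accounts
$breakGlass = Get-MgGroup -Filter "displayName eq 'SG-BreakGlass'"

# Phase 1: resolve role template IDs by name rather than hardcoding GUIDs.
# Placeholder starting set; extend it with the privileged roles used in your tenant.
$privilegedRoleNames = @(
    "Global Administrator", "Privileged Role Administrator",
    "Security Administrator", "Exchange Administrator",
    "SharePoint Administrator", "User Administrator"
)
$roleIds = Get-MgDirectoryRoleTemplate |
    Where-Object { $_.DisplayName -in $privilegedRoleNames } |
    Select-Object -ExpandProperty Id

New-MfaPhasePolicy -DisplayName "CA01 - Require MFA for privileged roles" `
    -BreakGlassGroupId $breakGlass.Id -IncludeRoleIds $roleIds

# Phase 2 onward: one policy per rollout group (placeholder group names)
foreach ($phase in @(
    @{ Name = "CA02 - Require MFA for IT and service desk"; Group = "SG-MFA-Phase2-IT" },
    @{ Name = "CA03 - Require MFA for Finance and HR";      Group = "SG-MFA-Phase3-Finance-HR" }
)) {
    $group = Get-MgGroup -Filter "displayName eq '$($phase.Group)'"
    New-MfaPhasePolicy -DisplayName $phase.Name `
        -BreakGlassGroupId $breakGlass.Id -IncludeGroupIds @($group.Id)
}
```

Each policy is created in report-only mode; switch State to "enabled" only after the sign-in log shows the expected users being evaluated and no unexpected blocks. Keep the break-glass exclusion on every policy, including the ones created later for remaining users and guests.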

Authentication Methods

Provide users with clear setup instructions and a reasonable grace period for registration. Not all MFA methods are equal — choose based on your security requirements and user population.

  • Microsoft Authenticator app — push notifications, passwordless capable
  • FIDO2 security keys — hardware-based, phishing-resistant
  • Windows Hello for Business — biometric or PIN tied to the device TPM
  • SMS / voice call — widely supported but weakest option
  • Hardware OATH tokens — for users without smartphones

Warning

SMS is vulnerable to SIM-swapping attacks. Avoid using SMS as the primary MFA method for privileged accounts. Prefer the Authenticator app or FIDO2 security keys for any account with elevated access.

Monitoring Adoption

Monitor the authentication methods registration report to track adoption progress and identify holdouts.

Check MFA registration status for all users
# The registration report needs AuditLog.Read.All in addition to
# UserAuthenticationMethod.Read.All
Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All"

# -All follows paging so large tenants are not truncated to the first page
Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
  Select-Object UserPrincipalName, IsMfaRegistered, DefaultMfaMethod |
  Export-Csv "C:\MFA_Status.csv" -NoTypeInformation
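The same report can do more than list users. The following added example (not code from the original KB page) goes a step further than the export above: it summarises overall adoption, writes a holdout list for member accounts, and, picking up the warning about SMS for privileged accounts, flags administrators whose only registered MFA methods are phone-based. It assumes the Microsoft Graph PowerShell SDK and the IsAdmin, UserType and MethodsRegistered properties of the report; the method-name lists are the values the report uses and are treated here as assumptions.

```powershell
# Added example, not part of the original KB page. Summarises the
# authentication methods registration report, lists holdouts, and flags
# privileged users relying solely on SMS or voice. Assumes the Microsoft
# Graph PowerShell SDK and the AuditLog.Read.All /
# UserAuthenticationMethod.Read.All permissions.
Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All"

# Pull the full report once; -All follows paging
$report = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

# Method names as they appear in the report's MethodsRegistered property
# (assumed set; extend it if your tenant reports additional methods)
$strongMethods = @(
    "fido2SecurityKey", "microsoftAuthenticatorPush",
    "microsoftAuthenticatorPasswordless", "windowsHelloForBusiness",
    "softwareOneTimePasscode", "hardwareOneTimePasscode"
)

# 1. Overall adoption
$total      = $report.Count
$registered = @($report | Where-Object { $_.IsMfaRegistered }).Count
"{0}/{1} users MFA-registered ({2:P1})" -f $registered, $total, ($registered / [math]::Max($total, 1))

# 2. Holdouts among member accounts (guests are handled in the last phase)
$holdouts = $report | Where-Object { -not $_.IsMfaRegistered -and $_.UserType -eq "member" }
$holdouts |
    Select-Object UserPrincipalName, UserDisplayName |
    Export-Csv "C:\MFA_Holdouts.csv" -NoTypeInformation

# 3. Privileged users who are registered but have no phishing-resistant or
#    app-based method, i.e. only SMS / voice call
$weakAdmins = foreach ($u in $report) {
    if (-not ($u.IsAdmin -and $u.IsMfaRegistered)) { continue }
    $strong = $u.MethodsRegistered | Where-Object { $_ -in $strongMethods }
    if (-not $strong) { $u }
}

$weakAdmins |
    Select-Object UserPrincipalName, DefaultMfaMethod,
        @{ Name = "MethodsRegistered"; Expression = { $_.MethodsRegistered -join "," } } |
    Format-Table -AutoSize
```

Run this weekly during the rollout: the holdout CSV feeds the reminder campaign, and the $weakAdmins table is the list to work through first, since those accounts combine elevated access with the weakest method on the page.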

Tip

Set a Conditional Access policy that forces MFA registration within a grace period. After the deadline, users who have not registered are blocked until they complete setup — this drives adoption without constant reminders.

Blocking Legacy Authentication

Legacy authentication protocols bypass MFA entirely. Blocking them is a critical companion step to any MFA rollout.

Block legacy authentication with Conditional Access
# This policy blocks sign-ins using legacy protocols
# (POP, IMAP, SMTP, ActiveSync with basic auth)
# Deploy in report-only mode first, then enforce
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    DisplayName = "Block Legacy Authentication"
    State       = "enabledForReportingButNotEnforced"
    Conditions  = @{
        # Applications is required for a valid policy; "All" covers every cloud app
        Applications   = @{ IncludeApplications = @("All") }
        ClientAppTypes = @("exchangeActiveSync", "other")
        Users          = @{
            IncludeUsers  = @("All")
            # Always exclude the emergency-access (break-glass) group
            ExcludeGroups = @("<break-glass-group-id>")
        }
    }
    GrantControls = @{
        BuiltInControls = @("block")
        Operator        = "OR"
    }
}

Warning

Before enforcing the legacy auth block, check the Entra sign-in logs for active legacy protocol usage. Some older printers, scanners, and LOB applications rely on SMTP basic auth and will break.
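The check described in that warning, as an added example that is not code from the original KB page: it pulls the last 30 days of successful sign-ins from the Entra sign-in log and groups the ones made over a legacy protocol by user and client, so each line in the resulting CSV is a device or application that will break when the policy is switched from report-only to enforced. It assumes the Microsoft Graph PowerShell SDK and the AuditLog.Read.All permission; the client app names are the values the sign-in log shows for legacy clients and are treated as an assumption.

```powershell
# Added example, not part of the original KB page. Finds accounts that used
# a legacy authentication protocol in the last 30 days so the block policy can
# be enforced without surprises. Assumes the Microsoft Graph PowerShell SDK and
# the AuditLog.Read.All permission. Pulling all sign-ins is slow on a large
# tenant; shorten the window if needed.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

# ClientAppUsed values the sign-in log uses for legacy (non-modern) clients
# (assumed set, matching the Entra "legacy authentication" client app filter)
$legacyClients = @(
    "Exchange ActiveSync", "Authenticated SMTP", "IMAP4", "POP3",
    "Exchange Web Services", "MAPI Over HTTP", "Outlook Anywhere (RPC over HTTP)",
    "Offline Address Book", "AutoDiscover", "Exchange Online PowerShell", "Other clients"
)

$since = (Get-Date).AddDays(-30).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

# Filter on date server-side; filter on client app and success locally
$legacy = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since" |
    Where-Object { $_.ClientAppUsed -in $legacyClients -and $_.Status.ErrorCode -eq 0 }

$legacy |
    Group-Object UserPrincipalName, ClientAppUsed |
    ForEach-Object {
        $latest = $_.Group | Sort-Object CreatedDateTime -Descending | Select-Object -First 1
        [pscustomobject]@{
            UserPrincipalName = $latest.UserPrincipalName
            ClientAppUsed     = $latest.ClientAppUsed
            AppDisplayName    = $latest.AppDisplayName
            IPAddress         = $latest.IPAddress
            SignIns           = $_.Count
            LastSeen          = $latest.CreatedDateTime
        }
    } |
    Sort-Object SignIns -Descending |
    Export-Csv "C:\LegacyAuth_Usage.csv" -NoTypeInformation
```

Service accounts used by printers and scanners tend to show up as "Authenticated SMTP" with a single source IP; those are the devices to migrate (or scope an exception for) before the policy State is changed to "enabled".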
