
How to Set Up Microsoft 365 Multi-Factor Authentication for Your Business

March 4, 2026
Kartik Periasamy

Business Email Compromise (BEC) is one of the fastest growing cyber threats facing Malaysian companies. Attackers gain access to a Microsoft 365 account, read months of emails to understand the business, then impersonate a director or finance manager to redirect payments to fraudulent accounts.

The Malaysian Communications and Multimedia Commission (MCMC) and CyberSecurity Malaysia have both issued repeated warnings about the scale of BEC losses in Malaysia, with individual incidents costing businesses anywhere from tens of thousands to millions of ringgit.

Multi-Factor Authentication (MFA) stops the vast majority of these attacks cold. Microsoft’s own research indicates that MFA blocks over 99.9 percent of automated account compromise attempts. If you have Microsoft 365 and you are not using MFA, you are leaving your business exposed.

This guide walks you through enabling and configuring MFA for your entire organisation step by step.

IMPORTANT: Before enabling MFA organisation-wide, read the entire guide. Enabling it without setting up recovery options or communicating with your team can lock users out of their accounts. Plan a 30-minute team briefing before rollout.

What is Multi-Factor Authentication?

MFA requires users to provide two or more verification factors to sign in to an account. Even if an attacker has your password, they cannot access the account without the second factor.

Microsoft 365 supports several second factors:

  • Microsoft Authenticator app on a smartphone (recommended, most secure)
  • SMS one-time passcode sent to a phone number (acceptable but less secure than app)
  • Voice call to a phone number (fallback option)
  • Hardware security keys such as YubiKey (highest security, best for finance and executive accounts)

TIP: Always use the Microsoft Authenticator app rather than SMS codes. SMS can be intercepted through SIM-swapping attacks. The Authenticator app generates time-based codes that cannot be intercepted remotely.

Before You Start: Prerequisites

You will need:

  • Global Administrator access to your Microsoft 365 tenant
  • All staff to have the Microsoft Authenticator app installed on their smartphone (available free on iOS and Android)
  • A list of all active user accounts in your organisation
  • A plan for any service accounts or shared mailboxes that may need special handling

IMPORTANT: Service accounts used for automated email sending, backup software or integrations should be excluded from MFA initially or configured with app passwords. Contact Cybergate if you are unsure which accounts to exclude.

Method 1: Enable Security Defaults (Easiest, Recommended for Most SMEs)

Microsoft Security Defaults is a free setting that enables MFA for all users automatically. It is the fastest way to get baseline protection without complex configuration.

Step 1: Access the Azure Active Directory Portal

  1. Sign in to admin.microsoft.com with your Global Administrator account
  2. Click the Admin centres menu in the left sidebar
  3. Select Azure Active Directory (or Microsoft Entra ID in newer tenants)
  4. In the left panel click Properties

Step 2: Enable Security Defaults

  • Scroll to the bottom of the Properties page
  • Click Manage Security Defaults
  • Toggle Security Defaults to Enabled
  • Click Save

That is all. Within 14 days, all users in your organisation will be prompted to register for MFA at their next sign-in.

TIP: Security Defaults blocks legacy authentication protocols automatically. This may affect older email clients such as Outlook 2010 or 2013 that do not support modern authentication. Users on these old clients will need to upgrade to Outlook 2016 or later, or the Outlook web app.

Method 2: Conditional Access Policies (Recommended for Businesses Needing Flexibility)

If you need more control, such as allowing trusted office IP addresses without MFA while requiring it for remote access, Conditional Access is the right approach. This requires Microsoft 365 Business Premium or Azure AD Premium P1 licensing.

Step 1: Create a Conditional Access Policy

  • In Azure Active Directory click Security in the left panel
  • Click Conditional Access
  • Click New Policy and give it a name such as Require MFA for All Users

Step 2: Configure Assignments

  1. Under Users click All Users (or select specific groups to roll out gradually)
  2. Under Cloud Apps click All Cloud Apps
  3. Under Conditions you can optionally exclude your office IP address range under Locations

Step 3: Configure Access Controls

  1. Under Grant click Grant Access
  2. Tick Require Multi-Factor Authentication
  3. Click Select

Step 4: Enable the Policy

  1. Set the policy state to On (start with Report-Only to test impact before enabling)
  2. Click Create

TIP: Use Report-Only mode for the first week. This shows you which users would have been affected without actually enforcing MFA. Review the sign-in logs to catch any service accounts or integrations that need to be excluded before going live.
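The same policy as a Microsoft Graph request body, as an added example that is not from the original post or from Microsoft: all users, all cloud apps, require MFA, created in the Report-only state described above, with an exclusion slot for the emergency access account and the office named location. It assumes a Graph access token with the Policy.ReadWrite.ConditionalAccess permission is obtained elsewhere; the object id and named-location id shown are placeholders.

```python
# Added example (not from the original post): build the "Require MFA for All Users"
# Conditional Access policy as a Graph conditionalAccessPolicy body and create it.
import json
import urllib.request

GRAPH_CA_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"


def build_mfa_policy(name, exclude_user_ids=(), exclude_location_ids=(), report_only=True):
    """Return the Graph policy body for 'require MFA for all users'.

    exclude_user_ids: object ids of break-glass accounts (the emergency.admin account)
    that must never be locked out. exclude_location_ids: named-location ids for
    trusted office IP ranges. report_only=True is the portal's Report-only state.
    """
    policy = {
        "displayName": name,
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(exclude_user_ids)},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }
    if exclude_location_ids:
        # "All" locations minus an exclude list mirrors the portal's Locations condition.
        policy["conditions"]["locations"] = {
            "includeLocations": ["All"],
            "excludeLocations": list(exclude_location_ids),
        }
    return policy


def create_policy(access_token, policy):
    """POST the policy body to Microsoft Graph and return the created policy JSON."""
    req = urllib.request.Request(
        GRAPH_CA_POLICIES,
        data=json.dumps(policy).encode(),
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholder ids: replace with the emergency.admin object id and the office
    # named-location id from Entra ID, then pass a real token to create_policy().
    body = build_mfa_policy("Require MFA for All Users",
                            exclude_user_ids=["<emergency-admin-object-id>"],
                            exclude_location_ids=["<office-named-location-id>"])
    print(json.dumps(body, indent=2))
```

Switch `report_only=False` only after the week of Report-only review the tip above recommends.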

How to Register the Microsoft Authenticator App (Staff Instructions)

Share these steps with your staff before rollout:

  • Download the Microsoft Authenticator app from the App Store or Google Play
  • Sign in to office.com or outlook.com on a computer
  • When prompted to set up additional security verification, select Mobile App
  • Open the Authenticator app and tap the plus icon to add a new account
  • Select Work or School Account and scan the QR code shown on the computer screen
  • Complete verification by approving the test notification sent to the app

IMPORTANT: Users should set up the Authenticator app on a personal phone if possible, not a company phone that might be reset or reassigned. If a user loses access to their authentication device, a Global Administrator must reset their MFA registration from the admin portal.

Setting Up Recovery for Locked Out Users

Before enforcing MFA, prepare for the inevitable situation where a staff member cannot sign in because they lost their phone, got a new number or are travelling without their registered device.

Create an Emergency Access Account

  • In Azure Active Directory go to Users and create a new account called emergency.admin@yourdomain.com
  • Assign Global Administrator role
  • Exclude this account from all MFA and Conditional Access policies
  • Generate a long complex password and store it securely offline in a physical safe
  • Never use this account for day-to-day administration

Reset a User MFA Registration

  • Go to admin.microsoft.com and click Users then Active Users
  • Find the affected user and click their name
  • Under the Account tab click Manage Multi-Factor Authentication
  • Find the user in the list and click Manage User Settings
  • Tick Require Selected Users to Provide Contact Methods Again and click Save
  • The user will be prompted to re-register MFA at their next sign-in

Monitoring MFA Sign-In Activity

After enabling MFA, monitor sign-in activity regularly for suspicious patterns.

  • In Azure Active Directory click Sign-in Logs under Monitoring
  • Filter by Failed sign-ins and review for unusual locations or repeated failures
  • Set up alerts in Microsoft Defender for Cloud Apps for impossible travel events, such as a user signing in from Malaysia and the UK within 30 minutes
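The two review patterns above, repeated failed sign-ins and impossible travel (Malaysia and the UK within 30 minutes), run over a small exported sign-in sample, as an added example that is not from the original post. The records are constructed for illustration (placeholder domain, documentation IP ranges) and follow the field names of the Graph signIns resource; the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export (placeholder domain, RFC 5737 documentation IPs).
# 50126 is Entra's "invalid username or password" error code.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "finance@example.com.my", "createdDateTime": "2026-03-04T01:00:00Z",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}, "location": {"countryOrRegion": "MY"}},
    {"userPrincipalName": "finance@example.com.my", "createdDateTime": "2026-03-04T01:20:00Z",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 0}, "location": {"countryOrRegion": "GB"}},
    {"userPrincipalName": "sales@example.com.my", "createdDateTime": "2026-03-04T02:00:00Z",
     "ipAddress": "192.0.2.5", "status": {"errorCode": 50126}, "location": {"countryOrRegion": "MY"}},
    {"userPrincipalName": "sales@example.com.my", "createdDateTime": "2026-03-04T02:01:00Z",
     "ipAddress": "192.0.2.5", "status": {"errorCode": 50126}, "location": {"countryOrRegion": "MY"}},
    {"userPrincipalName": "sales@example.com.my", "createdDateTime": "2026-03-04T02:02:00Z",
     "ipAddress": "192.0.2.5", "status": {"errorCode": 50126}, "location": {"countryOrRegion": "MY"}},
]


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def repeated_failures(signins, threshold=3):
    """Users with at least `threshold` failed sign-ins (non-zero errorCode)."""
    counts = defaultdict(int)
    for ev in signins:
        if ev["status"]["errorCode"] != 0:
            counts[ev["userPrincipalName"]] += 1
    return {user: n for user, n in counts.items() if n >= threshold}


def impossible_travel(signins, window_minutes=30):
    """(user, country_from, country_to, minutes) for consecutive successful sign-ins from different countries."""
    by_user = defaultdict(list)
    for ev in signins:
        if ev["status"]["errorCode"] == 0:
            by_user[ev["userPrincipalName"]].append(
                (parse_time(ev["createdDateTime"]), ev["location"]["countryOrRegion"]))
    hits = []
    for user, events in by_user.items():
        events.sort()  # chronological, so adjacent pairs are consecutive sign-ins
        for (t1, c1), (t2, c2) in zip(events, events[1:]):
            if c1 != c2 and t2 - t1 <= timedelta(minutes=window_minutes):
                hits.append((user, c1, c2, int((t2 - t1).total_seconds() // 60)))
    return hits


if __name__ == "__main__":
    print("Repeated failures:", repeated_failures(SAMPLE_SIGNINS))
    print("Impossible travel:", impossible_travel(SAMPLE_SIGNINS))
```

A real export from the Sign-in Logs blade (Download as JSON) can be loaded with `json.load` and passed in place of the sample list.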

TIP: Microsoft 365 Business Premium includes Microsoft Defender for Office 365 which adds anti-phishing, safe links and safe attachments on top of MFA. For Malaysian businesses handling financial transactions or personal data, Business Premium is strongly recommended over Business Standard.

MFA is a Starting Point, Not the Finish Line

MFA significantly reduces your risk of account compromise but it is one layer in a complete security posture. For comprehensive Microsoft 365 security, Malaysian businesses should also consider:

  • Microsoft Defender for Business or Defender for Office 365 for email threat protection
  • Data Loss Prevention (DLP) policies to prevent sensitive data being emailed externally
  • Privileged Identity Management to control Global Administrator access
  • Regular security awareness training for staff on phishing recognition
  • Microsoft Secure Score review and remediation on a quarterly basis

Cybergate Technology manages Microsoft 365 security configurations for businesses across Malaysia. If you need help enabling MFA, reviewing your Microsoft Secure Score or deploying Defender for Business, contact our team for a free Microsoft 365 security assessment.
