
Help Guide for Multi-Factor Authentication Rollout for Microsoft 365 and Google Workspace


A step-by-step guide to rolling out multi-factor authentication (MFA) for small businesses using Microsoft 365 or Google Workspace. Learn what to turn on first and how to avoid common pitfalls.

Written by CTC Editorial (Editorial Team)

Why MFA Is Non-Negotiable

Let's start with a stark fact: Microsoft reports that multi-factor authentication (MFA) blocks 99.9% of automated account attacks.

That's not a typo. Just adding a second verification step—something beyond your password—stops almost every automated attempt to break into your accounts.

Yet countless small businesses still rely on passwords alone. If that's you, this guide will help you fix it.

What MFA Actually Does

MFA requires two or more "factors" to prove your identity:

1. **Something you know** (password)

2. **Something you have** (phone, security key)

3. **Something you are** (fingerprint, face)

A hacker who steals or guesses your password still can't get in without the second factor. It's like having two locks on your door—a burglar needs to pick both.

Common Second Factors

| Method | Security Level | Convenience | Works Offline |
|--------|---------------|-------------|---------------|
| Authenticator app | High | Good | Yes |
| Push notification | High | Excellent | No |
| Hardware security key | Very High | Medium | Yes |
| SMS text message | Medium | Good | Yes |
| Email code | Low | Medium | No |
| Phone call | Medium | Poor | Yes |

**Our recommendation**: Start with authenticator apps. They're free, widely supported, and more secure than SMS.

Before You Start: Preparation

1. Check Your Admin Account First

Do NOT start enabling MFA for everyone until your admin account is properly set up:

- Enable MFA on the admin account

- Set up multiple recovery methods (phone, email, backup codes)

- Test that you can log in successfully

- Store backup codes in a safe place (not just on your computer)

Getting locked out of your admin account is a nightmare. Do this step carefully.

2. Create a Rollout Plan

Don't enable MFA for everyone at once. Plan a phased approach:

**Week 1**: IT admins and early adopters

**Week 2**: Management and anyone handling sensitive data

**Week 3**: Remaining staff

This gives you time to learn from problems before they affect everyone.

3. Communicate Clearly

Send staff a heads-up before they need to take action:

> **Subject: Important: Setting Up Two-Factor Authentication This Week**
>
> To improve security, we're enabling two-factor authentication (MFA) for everyone's account. This means you'll need your phone to verify your identity when logging in.
>
> **What you need to do:**
> 1. Download the [Microsoft Authenticator / Google Authenticator] app on your phone
> 2. When prompted, follow the setup instructions
> 3. Keep your phone handy when logging in for the first time
>
> **When:** You'll receive the setup prompt starting [date]
>
> **Questions?** Contact [name/email]

4. Handle Exceptions

Some situations need special handling:

- **Staff without smartphones**: Consider hardware security keys (YubiKey) or phone call verification

- **Shared computers**: Decide whether to enable "remember this device" options

- **Conference room accounts**: May need separate policy

- **Service accounts**: Some may not support MFA and may need app passwords instead

Microsoft 365 MFA Setup

Enabling Security Defaults (Easiest Method)

Microsoft's Security Defaults turns on MFA for everyone with minimal configuration:

1. Go to **Azure Active Directory** (portal.azure.com)

2. Select **Properties**

3. Select **Manage security defaults**

4. Set **Enable Security Defaults** to **Yes**

5. **Save**

**What this does:**

- Requires MFA for all users and admins

- Blocks legacy authentication (old protocols that bypass MFA)

- Requires admins to verify via Microsoft Authenticator

**Limitation**: No customisation. All or nothing.

Conditional Access (More Control)

For more flexibility, use Conditional Access policies (requires Azure AD Premium P1 or Microsoft 365 Business Premium):

1. Go to **Azure AD** → **Security** → **Conditional Access**

2. Create a new policy

3. **Users**: Select who this applies to (all users, specific groups)

4. **Cloud apps**: All cloud apps, or specific apps

5. **Grant**: Require multi-factor authentication

6. **Enable policy**: On

**Example policies to create:**

- Require MFA for all admin roles (always)

- Require MFA for all users on untrusted networks

- Require MFA for accessing sensitive apps (SharePoint, email)

User Experience: Microsoft 365

When MFA is enabled, users will:

1. Log in with their password as normal

2. See a prompt to set up Microsoft Authenticator

3. Scan a QR code with their phone

4. Approve a test notification

5. Save backup recovery codes

Subsequent logins require password + app approval or code.

Microsoft Authenticator Features

- **Push notifications**: Approve/deny with one tap

- **Number matching**: Confirm the number shown on screen (prevents phishing)

- **Passwordless**: Eventually, skip the password entirely

- **Backup**: Sync to Microsoft account for recovery

Google Workspace MFA Setup

Enabling 2-Step Verification

1. Go to **Admin Console** (admin.google.com)

2. Navigate to **Security** → **Authentication** → **2-Step Verification**

3. Check **Allow users to turn on 2-Step Verification**

4. Set **Enforcement**: Choose your start date

5. Under **Methods**, select which methods to allow

Enforcement Options

| Option | What It Does | Best For |
|--------|--------------|----------|
| Off | 2SV available but not required | Initial testing |
| On from [date] | Required starting on set date | Planned rollouts |
| Enforcement on / Delayed enrollment | Required within X days of first login | New employees |

User Experience: Google Workspace

When 2-Step Verification is enforced:

1. User logs in with password

2. Prompted to set up 2-Step Verification

3. Chooses method (Google Authenticator, phone, security key)

4. Completes setup with test verification

5. Downloads backup codes

Google's Recommended Methods

Google recommends methods in this priority order:

1. **Security key** (hardware): Most secure

2. **Google prompts** (push notifications): Convenient and secure

3. **Google Authenticator app**: Reliable backup

4. **SMS/phone call**: Last resort

What to Turn On First

High-Priority Accounts (Immediately)

These need MFA today, not next week:

1. **Global admins / Super admins**: Keys to the kingdom

2. **Billing admins**: Can add charges, change plans

3. **Anyone with access to customer data**: GDPR liability

4. **Email marketing accounts**: Spam from your domain damages reputation

5. **Domain registrar accounts**: DNS hijacking is devastating

Second Wave (Within Two Weeks)

6. **All staff with company email**: Email is the gateway to everything else

7. **Finance staff**: Banking, payroll, invoicing

8. **HR staff**: Access to personal employee data

9. **Anyone with admin rights** to any system

Final Wave (Within One Month)

10. **Everyone else**: No exceptions for "I don't need it"

Handling Common Issues

"I Lost My Phone"

This is the most common support request after MFA rollout.

**For Microsoft 365:**

1. Admin goes to Azure AD → Users → [User] → Authentication methods

2. Remove the old phone

3. User can re-register at aka.ms/mfasetup

Alternatively, the user logs in with a backup code and adds the new device.

**For Google Workspace:**

1. Admin goes to Admin Console → Users → [User]

2. Click Security → 2-Step Verification

3. Click "Turn off" to reset

4. User sets up again on next login

**Prevention**: Ensure everyone saves their backup codes during initial setup.

"I Got a New Phone"

**Best approach**: Before wiping the old phone, add the new phone as a second authentication method. Then remove the old one.

**If they already wiped it**: Same process as lost phone (admin reset).

"The App Isn't Working"

Common causes:

- **Clock sync issues**: Authenticator codes are time-based. Phone clock must be accurate.

- **Multiple accounts**: Wrong account selected in the authenticator app.

- **App needs update**: Ensure latest version installed.

- **Camera didn't scan QR properly**: Re-setup may be needed.

"I'm Travelling and Don't Have Signal"

Authenticator apps work offline—they generate codes without internet. If they're using push notifications or SMS, switch temporarily to app-based codes.

Legacy Applications

Some older applications (old Outlook clients, certain scanners) don't support MFA. Options:

**Microsoft 365**: Create "App passwords" in security settings. These are one-time passwords for specific apps.

**Google Workspace**: App passwords available in security settings. Better long-term: upgrade the application.

Security Keys: Worth Considering

Hardware security keys (YubiKey, Google Titan) are the most secure MFA option:

- Phishing-resistant (won't work on fake login pages)

- No battery needed

- Very fast to use

- Can't be remotely compromised

**Cost**: £20-50 per key (recommend two per person—one primary, one backup)

**Best for**:

- Senior management

- IT administrators

- Finance staff

- Anyone handling highly sensitive data

After the Rollout: Maintenance

Monthly Tasks

- Review who still hasn't set up MFA (enforcement gaps)

- Check for users with only one authentication method (risk if lost)

- Review and remove unused registered devices
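The three monthly checks above can be scripted rather than eyeballed. Below is an added example (not code from the article or from Microsoft) that reviews the Microsoft 365 registration report for exactly those gaps: users not registered for MFA, users with a single method, and users whose only methods are SMS, voice or email. The input shape follows the Microsoft Graph `userRegistrationDetails` report (`userPrincipalName`, `isAdmin`, `isMfaRegistered`, `methodsRegistered`); the method name strings and the sample rows are assumptions constructed for this example, so check them against an export from your own tenant.

```python
import json

# Constructed sample in the shape of the Graph userRegistrationDetails report.
# Field names follow that report; the users and method strings are made up for this example.
SAMPLE_REPORT = json.loads("""
{"value": [
  {"userPrincipalName": "admin@example.com", "isAdmin": true, "isMfaRegistered": true,
   "methodsRegistered": ["microsoftAuthenticatorPush", "softwareOneTimePasscode"]},
  {"userPrincipalName": "alice@example.com", "isAdmin": false, "isMfaRegistered": true,
   "methodsRegistered": ["mobilePhone"]},
  {"userPrincipalName": "bob@example.com", "isAdmin": false, "isMfaRegistered": false,
   "methodsRegistered": []},
  {"userPrincipalName": "carol@example.com", "isAdmin": true, "isMfaRegistered": true,
   "methodsRegistered": ["mobilePhone"]}
]}
""")

# Methods the article ranks as "last resort": phone-based and email codes.
PHONE_OR_EMAIL = {"mobilePhone", "alternateMobilePhone", "officePhone", "email"}

def review_registration(report: dict) -> dict:
    """Return the users that fail each monthly check, as sorted lists of UPNs."""
    findings = {"not_registered": [], "single_method": [],
                "phone_or_email_only": [], "admin_phone_only": []}
    for row in report["value"]:
        upn = row["userPrincipalName"]
        methods = set(row.get("methodsRegistered", []))
        if not row.get("isMfaRegistered"):
            findings["not_registered"].append(upn)      # enforcement gap
            continue
        if len(methods) == 1:
            findings["single_method"].append(upn)       # locked out if that one device is lost
        if methods <= PHONE_OR_EMAIL:
            findings["phone_or_email_only"].append(upn)  # no app or key registered
            if row.get("isAdmin"):
                findings["admin_phone_only"].append(upn)  # privileged account on weakest factor
    return {k: sorted(v) for k, v in findings.items()}

if __name__ == "__main__":
    for check, users in review_registration(SAMPLE_REPORT).items():
        print(f"{check}: {', '.join(users) or 'none'}")
```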

When Staff Leave

- MFA is automatically disabled when you disable/delete the account

- No need to separately remove MFA—account deletion handles it

When Staff Get New Devices

- Add new device before removing old one

- If they forgot: admin reset and re-setup

Common Objections and Responses

**"It's too inconvenient"**

Most logins don't require MFA once your device is trusted. The occasional extra step is worth not having your email hacked.

**"I don't have anything worth stealing"**

Your email account can be used to reset passwords on other services, send spam that damages the company reputation, or access shared company resources.

**"My password is strong enough"**

Passwords get leaked in data breaches constantly. Even a strong password is useless if it appears in a breach database.

**"What if I can't access my phone?"**

That's what backup codes are for. Set them up during initial configuration and store them safely.

Your MFA Rollout Checklist

**Preparation**

- [ ] Admin account has MFA enabled with multiple recovery methods

- [ ] Backup codes stored securely

- [ ] Staff communication sent

- [ ] Support plan for questions ready

**Week 1: Pilot**

- [ ] IT staff and early adopters enabled

- [ ] Issues identified and documented

- [ ] Support documentation updated

**Week 2: Expansion**

- [ ] Management and sensitive-role staff enabled

- [ ] User feedback incorporated

- [ ] Remaining exceptions documented

**Week 3: Full Rollout**

- [ ] All remaining users enabled

- [ ] Legacy app issues resolved

- [ ] No user left without MFA

**Ongoing**

- [ ] Monthly review of enforcement coverage

- [ ] New employee onboarding includes MFA setup

- [ ] Recovery procedures tested

Getting Started Tomorrow

1. **Today**: Enable MFA on your own admin account

2. **Tomorrow**: Enable MFA on all other admin/privileged accounts

3. **This week**: Communicate rollout plan to staff

4. **Next week**: Begin phased rollout

5. **End of month**: 100% MFA coverage

There's no good reason to delay. Every day without MFA is a day you're vulnerable to attacks that are trivially easy to prevent.

99.9% protection is waiting. Turn it on.

Frequently Asked Questions

What if an employee doesn't have a smartphone?

Options include hardware security keys (YubiKey, around £20-50), phone call verification to a landline, or a dedicated basic tablet kept at work. Some organisations provide simple Android phones just for authentication.

Will I need to verify every single time I log in?

No. Both Microsoft and Google offer 'trusted device' options that remember your verification for a period of time. On your regular work computer, you might only need to verify weekly or when something changes (new browser, new location).

What happens if Microsoft or Google has an outage?

Authenticator apps generate codes locally on your phone—they work without internet. Only push notifications and SMS require connectivity. Always have backup codes stored safely for emergencies.

Is SMS-based MFA still secure?

It's better than nothing, but not ideal. SMS can be intercepted through SIM-swapping attacks or SS7 vulnerabilities. Authenticator apps or hardware keys are more secure. Use SMS only when no other option is available.

Can MFA be phished?

Basic MFA (codes) can be phished by sophisticated attackers who capture the code in real-time. Hardware security keys are phishing-resistant—they only work on the real website. For highest security, use security keys.

About the Author

CTC Editorial

Editorial Team

The Compare the Cloud editorial team brings you expert analysis and insights on cloud computing, digital transformation, and emerging technologies.