Choosing and Implementing the right Multi-Factor Authentication
It has become fairly common knowledge that Multi-Factor Authentication (MFA) is one of the most important ways for a company to protect themselves from cyber-attacks. But in 2024, over 70% of M365 end users and admins still do not have MFA enabled.
Even the most basic form of MFA can prevent 99% of the most common cyber-attacks, why are so many companies not requiring employees to use MFA?
Today we address some of the common reasons why many companies do not have MFA enabled across all their users.
An Inconvenient Truth for End Users
MSPs are often passionate about delighting end users by making their lives easier. But requiring end users to go through MFA risks end user dissatisfaction through the inconvenience of requiring more steps to access their data. Furthermore, customers are often unsure of the licensing costs required, the end user options available to them, or what the project of implementing MFA will entail.
So as MSPs, we’ve got some convincing to do for customers who can understandably be reluctant to get across the finish line with MFA.
First, it’s important to understand where a customer currently is with their end users and their M365 licensing. MSPs should ideally have a way to easily report on this, not just for one customer, but across their entire customer base. This has the added benefit of being able to detect compliance drift; whether some users in an org previously 100% on MFA are now no longer bound to MFA.
Second, MSP’s need a way to recommend the MFA option best suited for them. Generating a customer report for each customer regarding each user can serve as the beginnings of a project framework, and again good reporting goes a long way.
What are the Costs of MFA?
Basic MFA is now included for all users in M365 regardless of their M365 license type.
If customers press this question more, perhaps the better question is about the costs of NOT having MFA required of all users.
In 2023, there were over 2,813 successful cyber-attacks, averaging over $4M in costs per incident.1
Customers sign up with Microsoft Partners with the trust that they’re receiving the right recommendation. But perhaps they will ask about the costs of the IT project you’re recommending. So we have put together a chart of the different types of MFA, and the number of steps it requires to implement these settings manually.
We’ll get to automating these steps in the following section…
Choosing the Right MFA Option
When choosing an MFA option for a customer, there are a few things to consider. Customers want to be secure, but they are often reluctant to spend more on M365 licensing and to add too much to end users’ steps to access their data while working. And for MSPs, you’ll also want to be aware of the number of steps it may require to set up a particular MFA option.
One of the best options for MFA is Conditional Access Based MFA. While it does require some additional licensing, it provides a good balance of high-level security with minimal end user impact.
| MFA Option | End User Impact | Minimum Required M365 License | # Admin Steps |
| No MFA | Users can access their accounts with just their passwords. This is the least secure option and leaves accounts vulnerable to compromise. | Any M365 License | 0 |
| Basic MFA | Users are required to provide a second form of authentication during sign-in. This could be a phone call, text message, or notification through a mobile app. This adds an extra layer of security but may slightly increase the time it takes for users to sign in. | Any M365 License | 5 |
| Always On MFA | Users are required to provide a second form of authentication every time they sign in. This is the most secure option but can be inconvenient for users as it increases the time it takes to sign in. | Any M365 License | 5 |
| Conditional Access-based MFA | MFA is only required under certain conditions defined by the admin, such as sign-ins from new devices or locations. This provides a balance between security and convenience. | Azure AD Premium P1 | 7 |
| Biometric-based MFA | Users are required to provide a biometric form of authentication, such as a fingerprint or face scan. This provides a high level of security but requires users to have compatible hardware. | Depends on the specific biometric solution | 10 |
The above show the estimated number of steps it will take for an admin to set up each MFA option. And these steps are performed one customer at a time.
That is, unless you have SkyKick Security Manager…
Implementing MFA Made Easy
With SkyKick Security Manager, you have access to a wealth of default workflows to help manage your customers’ security all in 1 place. The automation itself is a huge time saver for MSPs, and workflows can be run across one or many customers at once, without the need to log in to multiple M365 tenants.
Within one easy workflow, “Research and Configure Multifactor Authentication”, you have the ability to report on the MFA status for all users. You can run this report independently, or chain commands together to take action by simply selecting each step you’d like performed.
For instance, for customers you know are licensed with Azure AD Premium P1 or higher, you can quickly configure Conditional Access-Based MFA for those customers with a few simple clicks:
What to Do with All that Extra Time
The importance of not just enabling MFA, but also educating users about the risks of accepting unexpected MFA prompts. Even with MFA enabled, security is not guaranteed if users do not understand how to respond to MFA prompts correctly. Cybersecurity is a shared responsibility and requires both robust security measures and informed users.
Many MSPs and IT professionals will periodically attempt to get End Users to fall for a fake attack, as a way to identify end users who need additional training, as well as periodically reinforce the knowledge for those who do know the best practices.
And when end users come and go, Security Manager saves more time by allowing you to quickly view and act upon at-risk users who are not configured with MFA.
It is SkyKick’s mission to help partners secure the world through M365 features like MFA. And we hope this blog has helped make it easier to get customers on board with MFA and into a more secure status.
Configure MFA For Your Entire Customer Base Today
Request a full demo
Take the Self-Guided Tour
Resources: