Looking for security documentation and consultancy? Visit ridgelinecyber.com
Sign In

AD1.3 Deploying MFA Without Breaking Everything

5-6 hours · Module 1 · Free
Operational Objective
The most common reason MFA deployment fails is not technical — it's operational. The IT administrator enables MFA enforcement without understanding the blast radius, users get locked out, the helpdesk is flooded with calls, an executive complains to the CTO, and MFA is rolled back "until we can plan it properly" — which means never. This subsection teaches the deployment sequence that avoids every one of these failure modes: registration before enforcement, communication before policy, pilot before broad rollout, and exception planning before edge cases become emergencies.
Deliverable: A complete MFA deployment plan for your environment, including the registration campaign, user communication, pilot group testing, enforcement rollout, and exception handling — ready to execute this week.
Estimated completion: 35 minutes
MFA DEPLOYMENT SEQUENCE — THE ORDER THAT DOESN'T BREAK THINGSSTEP 1PrepareCreate break-glass accountsAudit legacy auth usageIdentify exceptionsDraft user commsDay 1-2STEP 2RegisterSend user communicationRegistration campaign (14 days)Track registration rate dailyContact unregistered usersDay 3-16STEP 3PilotEnable CA for IT team firstTest from multiple devicesVerify break-glass worksDocument any issuesDay 17-19STEP 4EnforceExpand CA to All UsersExclude break-glass onlyMonitor helpdesk volumeHandle exceptionsDay 20STEP 5ValidateCheck registration = 100%Verify no legacy authTest break-glass sign-inConfirm sign-in log cleanDay 21-23

Figure AD1.3 — The MFA deployment sequence that doesn't break things. Prepare (2 days) → Register (14 days) → Pilot (3 days) → Enforce (1 day) → Validate (3 days). Total: approximately 3 weeks from start to full enforcement. The registration campaign before enforcement is the step most deployments skip — and the step that prevents the helpdesk flood.

Step 1: Prepare (days 1-2)

Before you touch any policy, do four things.

Create break-glass accounts. Navigate to entra.microsoft.com → Users → New user → Create user. Create two accounts with names that don’t advertise their purpose — “svc-emergency-alpha@yourdomain.com” and “svc-emergency-bravo@yourdomain.com” work. Assign both the Global Administrator role. Set passwords to 25+ characters, randomly generated — use a password generator, not a memorable phrase. Write each password on a separate piece of paper and store them in a physical safe or sealed envelope in two different locations (one on-site, one with the IT manager off-site). Do NOT register these accounts for MFA. Do NOT use these accounts for anything except emergencies. Set up an alert for any sign-in to these accounts — any activity on a break-glass account that isn’t a planned test is a critical security event.

Audit legacy authentication. Navigate to entra.microsoft.com → Monitoring → Sign-in logs. Filter by “Client app” → select “Exchange ActiveSync,” “IMAP4,” “POP3,” “SMTP,” “Authenticated SMTP,” and “Other clients.” Set the time range to 30 days. Export the results to CSV. For each entry, record the username, the client app, and the device. This is your legacy auth dependency list. Every entry represents an authentication that bypasses MFA.

Common findings: users running Outlook 2013 or earlier (upgrade to current Outlook), multifunction printers sending email via SMTP (configure modern auth or use an SMTP relay with app password), legacy CRM or ERP systems authenticating via IMAP (contact the vendor about modern auth support), and mobile email clients using Exchange ActiveSync with basic auth (configure the native Outlook app instead).

Identify exceptions. Walk through your user list and flag accounts that will need special handling: shared mailboxes (can they be converted to Microsoft 365 groups?), room/resource accounts (do they need interactive sign-in?), service accounts (can they use managed identities or certificate-based authentication?), and users without smartphones (FIDO2 keys or temporary access passes).

Draft the user communication. Keep it brief, non-technical, and reassuring. Something like: “We’re strengthening account security across the organisation. Over the next two weeks, you’ll be asked to set up Microsoft Authenticator on your phone. This adds a second layer of protection to your account — when you sign in, you’ll confirm it’s really you by approving a notification on your phone. The IT team will be available to help with setup. If you don’t have a smartphone, please let us know and we’ll arrange an alternative.”

Step 2: Registration campaign (days 3-16)

Send the communication and start a 14-day registration window. During this window, users are prompted to register for MFA when they sign in but are not required to complete MFA for access. This is the grace period where users set up Microsoft Authenticator at their own pace.

Track registration daily. Navigate to entra.microsoft.com → Protection → Authentication methods → Activity → Registration. The goal is 95%+ registration by day 14. If you’re below 90% by day 10, send a reminder. If specific users haven’t registered by day 12, contact them individually — they may need help or may have a legitimate blocker you need to address.

If you’re currently on security defaults, users who have already registered for MFA (your current 87% at NE) don’t need to re-register. Their existing MFA registration carries over to conditional access. The registration campaign targets the 13% who haven’t registered yet.

For users who genuinely cannot install Microsoft Authenticator — no smartphone, shared device, contractual restrictions — provide the alternative you identified in Step 1. FIDO2 security keys are the preferred alternative. Temporary access passes work for short-term situations. SMS is the last resort.

Step 3: Pilot with the IT team (days 17-19)

Create a conditional access policy targeting a pilot group (the IT team). Navigate to entra.microsoft.com → Protection → Conditional Access → New policy. Configure it as follows:

Name: “CA001 - Require MFA - Pilot.” Assignments: Users → Include → Select users and groups → select your IT team group. Cloud apps: All cloud apps. Conditions: leave all conditions at default (no filters). Grant: Require multifactor authentication. Session: leave at default. Enable policy: On.

Sign out and sign back in from your admin account. You should be prompted for MFA. Test from your desktop, your phone, and a personal device. Verify the sign-in log shows “MFA requirement: MFA via conditional access policy” in the authentication details. Test from a device that isn’t enrolled in Intune — you should still be able to sign in (the device compliance policy comes later), but MFA should be required.

Test the break-glass accounts. Sign in to one break-glass account from a private browser. It should NOT be prompted for MFA because break-glass accounts aren’t in the pilot group and won’t be in the all-users policy either. Verify this works before you expand to all users — if break-glass accounts are accidentally included in the MFA policy and you haven’t registered them for MFA, you’ll lock yourself out.

Document any issues. If a specific application doesn’t work with conditional access, note it for exception handling. If the sign-in experience is confusing for any pilot user, improve the communication before broad rollout.

Step 4: Enforce for all users (day 20)

Edit the pilot policy or create a new one targeting All Users. Navigate to the conditional access policy and change the assignment from the pilot group to “All users.” Add an exclusion for the break-glass accounts group (create a group containing your two break-glass accounts and add it to the “Exclude” section).

The moment this policy is active and security defaults is disabled, every sign-in in your tenant requires MFA. Users who registered during the campaign will be prompted for MFA on their next sign-in — a smooth experience. Users who didn’t register will be prompted to register before they can access anything — which is why the registration campaign in Step 2 is critical. The fewer users who hit this forced registration, the fewer helpdesk calls you receive.

Monitor the first 48 hours closely. Check the sign-in logs for failed sign-ins — these are users who couldn’t complete MFA. Check the Defender portal for any new alerts triggered by the policy change. Keep the helpdesk informed that MFA is being enforced and give them the troubleshooting guide: “If a user can’t sign in, check whether they’ve registered for MFA. If not, walk them through registration. If they have registered but the prompt isn’t appearing, check whether their Authenticator app needs updating.”

Step 5: Validate (days 21-23)

Run the validation checks. MFA registration rate should be 100% for accounts that are actively used (navigate to Authentication methods → Activity → Registration). Legacy authentication sign-ins should be zero (sign-in logs filtered by legacy client apps — if you haven’t blocked legacy auth yet, this is the next policy you build in AD1.4). Break-glass accounts should have no MFA registration and should successfully sign in without MFA (test this).

Check the sign-in log for the first 72 hours after enforcement. Look for any failed sign-ins from legitimate users that indicate the policy is blocking something it shouldn’t. Look for any successful sign-ins without MFA that indicate a gap in the policy. A clean sign-in log with MFA on every sign-in means the deployment is complete.

Compliance Myth: "We should wait until everyone is ready before enforcing MFA"
If you wait until everyone is ready, you'll wait forever. There will always be one user who hasn't registered, one application that uses legacy auth, one executive who hasn't gotten around to it. The registration campaign gives users 14 days to prepare. After that, enforcement begins. Users who haven't registered get forced registration on their next sign-in — which takes 5 minutes with the Authenticator app. The brief inconvenience of forced registration is nothing compared to the ongoing risk of unprotected accounts. Set a date, communicate it, and enforce it.
Decision point

It’s day 20. You’ve enabled MFA for all users. The CFO calls the CTO to complain that she’s “getting these annoying prompts on her phone every time she checks email” and demands to be exempted from MFA. The CTO asks you to remove MFA for the CFO’s account. What do you do?

Option A: Exempt the CFO — she’s an executive and the CTO asked you to.

Option B: Explain to the CTO that the CFO’s account is one of the highest-value targets in the organisation and exempting it creates significant risk. Offer to help the CFO configure Authenticator for a smoother experience.

Option C: Exempt the CFO temporarily while you find a less intrusive MFA method.

The correct answer is Option B. The CFO’s mailbox contains financial data, payment authorisations, and banking information — it’s the #1 target for BEC attacks. Exempting it from MFA is the single worst exception you could make. The “annoying prompts” complaint usually means the user hasn’t configured Authenticator properly — they might be getting phone calls instead of push notifications, or they might be prompted on every browser session because their device isn’t registered as trusted. Offer a 10-minute call to configure Authenticator with push notifications and number matching, which takes under 5 seconds per sign-in. If the CTO insists, escalate the risk in writing: “Exempting the CFO from MFA increases the risk of financial fraud through business email compromise. I recommend against this and suggest we help the CFO configure a less intrusive MFA method instead.”

Try it: Plan your deployment timeline

Using the 5-step sequence, write out your specific deployment plan with dates.

Step 1 (Prepare): When will you create break-glass accounts? When will you run the legacy auth audit? Who do you need to talk to about exceptions?

Step 2 (Register): When will you send the user communication? What’s the 14-day registration deadline? Who will you contact individually if they haven’t registered by day 10?

Step 3 (Pilot): Which group will you pilot with? When will you create the pilot policy? What specific tests will you run?

Step 4 (Enforce): What date will you expand to all users? Who needs to know (helpdesk, management)? What are the first 48 hours monitoring checks?

Step 5 (Validate): What are your three success criteria? (100% registration, zero legacy auth, break-glass accounts working.)

Put dates next to each step. Share the plan with your manager before you start — this demonstrates professionalism and gives you cover if anyone pushes back during enforcement.

You've deployed MFA via conditional access for all users. A user calls the helpdesk saying they can't sign in. The helpdesk checks the sign-in log and sees: Status: Failed, Failure reason: "User did not pass the MFA challenge." The user says they didn't receive any MFA prompt on their phone. What's the most likely cause?
The conditional access policy is misconfigured — Unlikely if other users are signing in successfully. If the policy works for everyone except this one user, the issue is user-specific, not policy-wide.
Microsoft Authenticator is down — Check service health, but unlikely if other users are completing MFA. Authenticator outages affect all users, not individual accounts.
The user's Authenticator app isn't properly configured — they may have reinstalled the app, gotten a new phone, or the app registration is stale — Most likely. When a user gets a new phone or reinstalls the Authenticator app without re-registering, the push notifications go to the old registration. The fix is to have the user re-register their MFA method at aka.ms/mysecurityinfo (or have the admin reset their MFA registration in Entra ID → Users → Authentication methods → Require re-register MFA).
The user's account has been compromised and the attacker changed the MFA method — Possible but less common. Check the audit log for MFA method changes on this account. If someone added a new phone number or Authenticator registration that the user doesn't recognise, the account may be compromised.
Operational Artifact — MFA Deployment Plan Template
The 5-step deployment plan (Prepare → Register → Pilot → Enforce → Validate) with specific dates and responsibilities is the artifact you take from this subsection. Use it as a project plan, share it with your manager, and reference it during deployment. The plan accounts for the failure modes that derail most MFA rollouts: user lockout (solved by registration before enforcement), executive pushback (solved by communication and alternative methods), legacy app breakage (solved by pre-deployment audit), and admin lockout (solved by break-glass accounts). Follow the sequence in order. Don't skip steps.
© 2026 Ridgeline Cyber Defence™ Ltd. Content may not be reproduced or redistributed. Worked artifacts may be adapted for use within your organization.

You're reading the free modules of M365 Security: From Admin to Defender

The full course continues with advanced topics, production detection rules, worked investigation scenarios, and deployable artifacts. Premium subscribers get access to all courses.

View Pricing See Full Syllabus
← Previous Next →