Unpacking Microsoft’s MFA Push: An Operations Check for Your Business
For many businesses, multi-factor authentication still falls into the “yes, yes, we know” category.
It gets enabled. A few people grumble about the extra step. Or maybe someone gets a new phone and can’t get into an admin account for half an hour. Then, once you’re in, everyone just sort of… moves on.
Yet Microsoft’s steady enforcement of MFA across its admin platforms has changed the tone a bit. This is no longer just “best practice”, sitting politely in the corner, but rather a part of the operating conditions for managing your environment.
And that matters, because the real issue is not whether MFA is a good idea. It is. The real issue is whether your business has properly thought through how admin access works, who still has it, what depends on legacy sign-in habits, and what breaks when those habits finally stop being tolerated.
That right there is where many organisations get caught out.
What Microsoft has actually changed
Microsoft has been enforcing MFA across key admin services in phases.
According to Microsoft’s current guidance, MFA has been required since October 2024 for accounts carrying out administrative actions in the Azure portal, Microsoft Entra admin centre and Microsoft Intune admin centre. Enforcement for the Microsoft 365 admin centre began rolling out in February 2025. Phase 2, which extends enforcement to resource-management activity through tools such as Azure CLI, PowerShell and certain API-based actions, began on 1 October 2025, and Microsoft’s documentation now shows Phase 2 enforcement active for tenants from February 2026 onward.
All of that might sound like an overly technical string of words (and you would be fairly correct to say so), but the plain-English version is simpler:
If someone is administering your Microsoft environment, Microsoft increasingly expects that access to be protected by MFA. Not eventually. Now.
Why this matters to SMEs and mid-market organisations
Large enterprises usually have identity teams, security teams, access reviews, service account governance and the sort of internal committee structure that, honestly, can make even a Deliveroo order feel regulated. That structure exists for good reason.
However, SMEs and mid-market organisations do not always have that luxury (or resource).
In many cases, Microsoft 365 has grown organically. One account was set up years ago here. Another was given global admin access there because it was quick. A third is still tied to an old supplier, a departed staff member, or an automation script no one has looked at in months.
“If the environment works, why would anybody touch it?” is generally the sentiment here. That is, until something forces the issue.
Microsoft’s MFA enforcement is one of those moments, exposing the gap between “we use Microsoft 365” and “we actively manage Microsoft 365”.
That gap is bigger than many businesses think.
MFA is important, but it is not the whole story
It is worth saying this clearly: MFA is one of the most effective controls you can implement for cloud services. Microsoft’s own guidance remains very direct on that point, and the NCSC continues to recommend strong MFA for access to corporate online services.
But MFA on its own does not magically turn a messy access model into a secure one.
If five people share an admin account, MFA will not fix that.
If a dormant privileged account still exists, MFA will not remove the risk.
If you are using user accounts as pseudo-service accounts for scripts and automations, MFA may simply reveal an underlying design problem.
Which is why this shift is useful: it forces organisations to look beyond the login prompt and ask better questions.
The questions worth asking now
1. Who actually has admin access?
This is the first one because it’s still the one most often answered with a shrug when we meet new businesses before carrying out an audit.
Most assume they have only one or two administrators, but a check often reveals global admin rights, Exchange admin roles, SharePoint admin permissions or other privileged access assigned far more widely than expected.
Admin rights tend to accumulate quietly and are rarely removed with the same enthusiasm they were granted.
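One way to answer that question from a console rather than with a shrug, as an added example that is not part of the original article: the script below uses the Microsoft Graph PowerShell SDK to list the members of a set of privileged Entra roles and flag any account that has no MFA registered, no phishing-resistant method, no sign-in in the last 90 days, or is disabled but still privileged. The role names, the 90-day threshold and the output file name are assumptions to adjust for your tenant, and reading sign-in activity requires Microsoft Entra ID P1 or P2 licensing.

```powershell
# Added example, not from the original article. Requires the Microsoft.Graph
# PowerShell SDK (Install-Module Microsoft.Graph) and an account allowed to read
# directory roles, the authentication-methods report and sign-in activity.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All',
    'UserAuthenticationMethod.Read.All', 'AuditLog.Read.All' -NoWelcome

# Assumption: the roles worth reviewing in this tenant. Names must match the
# built-in role display names exactly; extend the list as needed.
$privilegedRoles = @(
    'Global Administrator', 'Privileged Role Administrator',
    'Exchange Administrator', 'SharePoint Administrator',
    'Security Administrator', 'Conditional Access Administrator',
    'Intune Administrator', 'User Administrator'
)
$staleCutoff = (Get-Date).AddDays(-90)   # assumption: 90 days without a sign-in counts as dormant

# Tenant-wide MFA registration report, keyed by user object id.
$mfaByUser = @{}
Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    ForEach-Object { $mfaByUser[$_.Id] = $_ }

# Get-MgDirectoryRole returns only roles that have been activated in the tenant,
# so a role nobody has ever held simply will not appear in $allRoles.
$allRoles = Get-MgDirectoryRole -All

$findings = foreach ($roleName in $privilegedRoles) {
    $role = $allRoles | Where-Object DisplayName -eq $roleName
    if (-not $role) { continue }

    # Direct (active) assignments only. PIM-eligible assignments are not
    # returned here and need a separate review in Privileged Identity Management.
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        $type = $member.AdditionalProperties['@odata.type']
        if ($type -ne '#microsoft.graph.user') {
            # A group or service principal holding an admin role is a finding in
            # its own right: record it and move on.
            [pscustomobject]@{
                Role = $roleName; Principal = $member.Id; Type = $type
                MfaRegistered = 'n/a'; LastSignIn = 'n/a'; Flags = 'non-user principal'
            }
            continue
        }

        $user = Get-MgUser -UserId $member.Id -Property userPrincipalName, accountEnabled, signInActivity
        $lastSignIn = $user.SignInActivity.LastSignInDateTime
        $reg = $mfaByUser[$member.Id]

        $flags = @()
        if (-not $reg -or -not $reg.IsMfaRegistered) { $flags += 'no MFA registered' }
        elseif (-not ($reg.MethodsRegistered -match 'passKey|fido2|windowsHelloForBusiness')) {
            $flags += 'no phishing-resistant method'
        }
        if (-not $lastSignIn -or $lastSignIn -lt $staleCutoff) { $flags += 'no sign-in in 90 days' }
        if (-not $user.AccountEnabled) { $flags += 'disabled but still privileged' }

        [pscustomobject]@{
            Role          = $roleName
            Principal     = $user.UserPrincipalName
            Type          = 'user'
            MfaRegistered = [bool]($reg -and $reg.IsMfaRegistered)
            LastSignIn    = $lastSignIn
            Flags         = ($flags -join '; ')
        }
    }
}

$findings | Sort-Object Role, Principal | Format-Table -AutoSize
$findings | Export-Csv -Path .\privileged-access-review.csv -NoTypeInformation
```

Run it once to get the baseline, then keep the CSV: the interesting output on the second run is the diff. Rows flagged "non-user principal" and rows with no MFA registered are the ones to chase first, because they are usually the shared logins, leftover supplier access and pseudo-service accounts the rest of this piece is about.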
2. Are we protecting the right accounts in the right way?
Microsoft’s enforcement applies to admin activity, but your own standards may need to go further.
If a business-critical identity can access sensitive data, control cloud services, approve changes, or affect recovery, it should be protected strongly. In some cases, that means going beyond app-based MFA and looking at phishing-resistant options such as passkeys or FIDO2 security keys.
That may sound like a big-business problem. It isn’t: it is a “one compromised account at the wrong moment” problem, and those happen at every size.
3. Are any scripts, tools or automations relying on user logins?
This is one of the more overlooked issues.
Microsoft’s guidance is clear that workload identities, such as managed identities and service principals, are not user identities and are handled separately from this enforcement. A user account driving a script or integration is not a workload identity, however. So, if you still have automation tied to a standard user account, MFA enforcement can become the moment you realise that part of your environment has been balanced on a folding chair for years.
Better to find that now than during an outage, an urgent change, or a restore scenario.
4. Do our emergency access accounts really work?
Break-glass accounts sound reassuring in principle. In practice, they are only useful if they’re documented, secured, monitored, and still accessible when something goes wrong.
Microsoft’s guidance also makes clear that these accounts are not casually exempt from MFA requirements. If your fallback plan depends on “we’ll just use the emergency account”, it is worth checking what that actually means in 2026.
A backup plan that nobody has tested helps nobody.
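Questions 2 and 4 are usually implemented together in Conditional Access, so here is one added example covering both; it is not part of the original article. The script creates a report-only Conditional Access policy that requires the built-in “Phishing-resistant MFA” authentication strength for a list of admin roles, excludes two named break-glass accounts from that policy, and then pulls each break-glass account’s most recent sign-in so you can confirm the last scheduled test actually happened. The role list, the break-glass UPNs (contoso.onmicrosoft.com is a placeholder) and the policy name are assumptions.

```powershell
# Added example, not from the original article. Requires the Microsoft.Graph
# PowerShell SDK and a role that can manage Conditional Access policies.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All',
    'Directory.Read.All', 'AuditLog.Read.All' -NoWelcome

# Assumptions: the roles to cover and the break-glass accounts to exclude.
$adminRoleNames = @('Global Administrator', 'Privileged Role Administrator',
                    'Exchange Administrator', 'SharePoint Administrator',
                    'Security Administrator', 'Conditional Access Administrator')
$breakGlassUpns = @('breakglass1@contoso.onmicrosoft.com',
                    'breakglass2@contoso.onmicrosoft.com')

# Conditional Access targets roles by template id, not by the activated role
# object, so resolve the names through the role templates.
$roleTemplateIds = Get-MgDirectoryRoleTemplate -All |
    Where-Object { $_.DisplayName -in $adminRoleNames } |
    Select-Object -ExpandProperty Id

$breakGlassIds = foreach ($upn in $breakGlassUpns) {
    (Get-MgUser -Filter "userPrincipalName eq '$upn'").Id
}
if (@($breakGlassIds).Count -ne $breakGlassUpns.Count) {
    throw 'Not every break-glass account resolved; fix that before creating the policy.'
}

# Built-in authentication strength, resolved by name rather than a hard-coded id.
$phishingResistant = Get-MgPolicyAuthenticationStrengthPolicy -All |
    Where-Object DisplayName -eq 'Phishing-resistant MFA'

$policy = @{
    displayName = 'Admin roles: require phishing-resistant MFA'
    # Report-only first: the sign-in logs then show who WOULD have been blocked
    # without locking anyone out. Switch to 'enabled' once those gaps are closed.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeRoles = @($roleTemplateIds)
            # Excluded from THIS policy only. Microsoft's platform-level MFA
            # enforcement still applies to these accounts, so each still needs a
            # registered method (a FIDO2 key kept offline is the usual choice).
            excludeUsers = @($breakGlassIds)
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator               = 'OR'
        authenticationStrength = @{ id = $phishingResistant.Id }
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Emergency-access check: when did each break-glass account last sign in?
# 'Never' or 'eighteen months ago' means the fallback plan has not been tested.
foreach ($id in $breakGlassIds) {
    $last = Get-MgAuditLogSignIn -Filter "userId eq '$id'" -Top 1
    if ($last) {
        "$($last.UserPrincipalName): last sign-in $($last.CreatedDateTime), error code $($last.Status.ErrorCode)"
    } else {
        "$id: no sign-in found in the retained sign-in log window"
    }
}
```

Two design choices worth noting. The policy is created in report-only state on purpose: run it for a week or two, read the report-only results in the sign-in logs, register keys for whoever would have been blocked, and only then enable it. And the break-glass accounts are excluded from this tenant policy but not from Microsoft’s own enforcement, which is exactly the point the section above makes: “we’ll just use the emergency account” only works if that account has a registered, tested MFA method of its own.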
5. Are we treating identity as part of operations, not just security?
This is the broader lesson and the real question you should ask.
Identity is now tied to productivity, admin access, AI usage, collaboration, compliance and incident response. It isn’t a separate technical layer sitting underneath the business; it’s woven through how the business works.
That means identity decisions should be operational decisions too. Who can approve? Who can change? Who can recover? Who can access what from where? And what happens when that access is challenged, lost, or abused?
What good looks like for most organisations
For most SMEs and mid-market organisations, the answer is not to build a sprawling identity programme worthy of a global bank.
It is to get the basics genuinely under control, which usually means:
reducing the number of privileged accounts
separating day-to-day user accounts from admin accounts
enforcing MFA consistently, not selectively
reviewing legacy accounts and old supplier access
replacing user-based automations where needed
testing emergency access properly
documenting who owns identity and access decisions internally
None of that is especially glamorous, granted. Most useful security work isn’t.
But it’s the kind of housekeeping that prevents minor weaknesses from becoming expensive incidents.
The bigger takeaway
Microsoft’s MFA enforcement is not really a story about Microsoft being strict, but it is an indicator of the direction of travel.
The days of running cloud platforms on informal habits, inherited permissions, and a bit of crossed fingers are fading fast. Vendors are tightening defaults. Standards are rising. Insurers, auditors, customers and supply chains are asking harder questions.
For UK organisations, especially those juggling lean internal teams and growing compliance pressure, that means one thing: access control can no longer be treated as background admin.
It is core business resilience.
If Microsoft prompting for MFA is what triggers a review of your admin roles, service accounts, recovery plans, and security assumptions, that is probably a good outcome. Mildly annoying, yes. But still a good outcome.
Because, in our experience, businesses that address these issues early and calmly tend to avoid the more painful lessons later.
Microsoft MFA FAQs
Straight answers to common questions about Microsoft’s MFA enforcement and what it means for UK SMEs and mid-market organisations.
Is Microsoft now forcing MFA for all Microsoft 365 users?
Not across every sign-in. Microsoft’s current enforcement applies to administrative access and certain resource-management actions across Microsoft admin and Azure-related platforms; an ordinary user reading email in Outlook is not caught by it. Many organisations may still choose to enforce MFA more broadly for all users as part of their own security policy.
Does MFA solve Microsoft 365 security on its own?
No. MFA is one of the most important controls you can put in place, but it does not replace account reviews, least-privilege access, secure configuration, monitoring, backup, or user awareness. It is a key part of the picture, not the whole picture.
What should SMEs check first?
Start with privileged accounts, shared admin access, dormant accounts, emergency access arrangements, and any scripts or automations still tied to user identities. In many organisations, those are the areas where hidden risk tends to sit.
Is this still relevant if we already use MFA?
Yes. If MFA is already enabled, the next question is whether it is applied consistently and whether the access model underneath it still makes sense. Many businesses discover that old admin roles, legacy accounts or inherited setup decisions still need attention.