How to Set Up MFA for Your Phoenix Small Business
Multi-factor authentication (MFA) is the single highest-impact security step most small businesses haven’t finished. Microsoft reports that MFA blocks over 99% of automated credential attacks. If you’re running Microsoft 365 and haven’t enforced it for every user, you’re exposed — and most Phoenix SMBs don’t realize it until something goes wrong.
This guide walks through how to roll it out cleanly, without locking people out or creating a week of help-desk chaos.
What MFA actually is (and what it isn’t)
MFA requires users to verify their identity with two or more factors: something they know (password), something they have (phone app or hardware key), or something they are (biometric). The most common setup for small businesses is a password + Microsoft Authenticator app prompt on a phone.
It is not the same as having a strong password. Passwords get leaked, sold, and reused. MFA means a stolen password alone can’t get an attacker into your systems.
Step 1: Audit who has accounts
Before enabling anything, pull a list of every licensed Microsoft 365 user in your tenant. You’re looking for:
- Active employees with full licenses
- Shared mailboxes (these need special handling)
- Old accounts that weren’t deprovisioned when someone left
- Service accounts used by apps or integrations
Service accounts that are exempted from MFA are a common gap that attackers target. Document every exception, and have a plan for each one (a stronger credential, a restricted sign-in policy, or a migration to application permissions).
Step 2: Set up Microsoft Authenticator before you flip the switch
The most common MFA rollout failure is enabling it for everyone at 9am on a Monday without warning. Users who haven’t registered get locked out and call IT in a panic.
The right sequence:
- Announce the rollout at least 3–5 days in advance
- Ask users to install Microsoft Authenticator on their phones first
- Walk through registration with any users who struggle with the app
- Enable MFA during a low-traffic window (Friday afternoon, not Monday morning)
Step 3: Use Conditional Access, not legacy per-user MFA
Older Microsoft 365 tenants use per-user MFA settings. Modern tenants should use Conditional Access policies in Microsoft Entra ID (formerly Azure AD). Conditional Access is more flexible — you can require MFA only from outside the office network, only for admin accounts, or for any sign-in from an unmanaged device.
If you’re on Microsoft 365 Business Premium, you already have Conditional Access. If you’re on Business Basic or Standard, you may need to upgrade or use Security Defaults as a simpler alternative.
Quick win: Enable Security Defaults in Microsoft Entra ID if you have no Conditional Access policies. It enforces MFA for all users and blocks legacy authentication in about 5 minutes. Not as flexible as Conditional Access, but far better than nothing.
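The user audit from Step 1 and the Conditional Access policy from Step 3, as an added example in Microsoft Graph PowerShell (this is not code from the original guide). It assumes the Microsoft.Graph module is installed, you hold the Conditional Access Administrator role, the tenant has Entra ID P1 (included in Business Premium) so that the registration report and Conditional Access are available, Security Defaults are turned off, and `breakglass@contoso.com` is a placeholder for your emergency-access account.

```powershell
# Added example: find licensed users who have not registered MFA, then create
# a "require MFA for all users" Conditional Access policy in report-only mode.
# Placeholder: breakglass@contoso.com is your emergency-access account.

$scopes = @('User.Read.All', 'AuditLog.Read.All',
            'UserAuthenticationMethod.Read.All', 'Policy.ReadWrite.ConditionalAccess')
Connect-MgGraph -Scopes $scopes

# --- Steps 1 and 2: who is licensed but not yet registered for MFA? ---
$licensed = Get-MgUser -All -Property Id,UserPrincipalName,AccountEnabled,AssignedLicenses |
    Where-Object { $_.AccountEnabled -and $_.AssignedLicenses.Count -gt 0 }

# Registration report keyed by UPN (requires Entra ID P1)
$registration = @{}
Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    ForEach-Object { $registration[$_.UserPrincipalName] = $_ }

$notReady = foreach ($u in $licensed) {
    $r = $registration[$u.UserPrincipalName]
    if (-not $r -or -not $r.IsMfaRegistered) {
        [pscustomobject]@{
            User    = $u.UserPrincipalName
            Methods = if ($r) { $r.MethodsRegistered -join ',' } else { '' }
        }
    }
}
# Walk these users through Microsoft Authenticator registration before enforcing.
$notReady | Format-Table -AutoSize

# --- Step 3: Conditional Access policy, report-only until $notReady is empty ---
# Always exclude the break-glass account so an MFA outage cannot lock out admins.
$breakGlass = (Get-MgUser -UserId 'breakglass@contoso.com').Id

$policy = @{
    displayName   = 'Require MFA for all users'
    state         = 'enabledForReportingButNotEnforced'   # change to 'enabled' at go-live
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Review the report-only sign-in results in the Entra ID sign-in logs during the announcement window, then flip the policy state to `enabled` in the low-traffic window from Step 2.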
Step 4: Handle the edge cases
A few things that trip up small businesses during MFA rollout:
- Shared mailboxes: These should use application permissions, not sign-in credentials. If users are logging into a shared mailbox directly, that’s a separate problem to fix.
- Old printers and scanners that send email: These often use basic authentication (no MFA support). You’ll need to set them up via SMTP AUTH with an app password or switch to a different relay method.
- Staff without smartphones: Microsoft Authenticator requires a phone. For employees without one, hardware FIDO2 keys (like a YubiKey) or SMS-based verification are fallback options.
What comes after MFA
MFA is a strong start, not a complete security posture. Once it’s running, the next priorities are usually:
- Email security (anti-phishing, anti-spoofing, safe links)
- Endpoint protection (EDR on every machine)
- Privileged account hygiene (separate admin accounts, no shared credentials)
Our cybersecurity services cover all of these as part of a managed security baseline — so you’re not patching one gap at a time. If you’re also evaluating your broader IT situation, see our guide on 5 signs your Phoenix business needs a new MSP.
If you’d like help rolling out MFA in your Microsoft 365 environment — or want a quick audit of what’s already in place — we’re happy to take a look.
Want us to set this up for you?
We handle MFA rollouts for Phoenix-area businesses regularly. Book a free call and we’ll walk through your environment.