Microsoft will soon change the mandate to multi-factor authentication (MFA) with changes to Microsoft 365 defaults. As Microsoft points out, “When we look at hacked accounts, more than 99.9% don’t have MFA, making them vulnerable to password spray, phishing and password reuse.”

“Based on usage patterns, we’ll start [mandating MFA] with organizations that are a good fit for security defaults. Specifically, we will start with customers who aren’t using Conditional Access, haven’t used security defaults before, and aren’t actively using legacy authentication clients.”

Microsoft will notify global admins of eligible tenants by email. “After security defaults are enabled, all users in the tenant are asked to register for MFA. Again, there is a grace period of 14 days for registration. Users are asked to register using the Microsoft Authenticator app, and global administrators are additionally asked for a phone number.”

If you haven’t started MFA deployments, this is the time to do so. Attackers are using phishing attacks to go after unprotected accounts, and MFA is a key way to protect user access.

Can you still disable multi-factor authentication should you decide to accept the risk? Yes, but this means your firm will be low-hanging fruit for phishing campaigns. User accounts and logins are the new entry point for many attacks on a network.

Determine the multi-factor authentication method

MFA deployment means that you need to determine which authentication process you will support. Researchers often claim that SMS messages aren’t secure. Years ago attackers were able to bypass SMS-based MFA using a reverse-proxy component. In reality, you just need to be secure enough. As with many security decisions, you need to perform a risk analysis of who needs best, better and good-enough security. If you believe that some of your users will be specifically targeted, rather than relying on MFA applications you can use hardware devices such as YubiKeys. Users and consultants might point out that MFA is not bulletproof. It can be attacked and spoofed. The idea is that you want to be just a little bit better than the next domain or cloud deployment.

Use conditional access rules

If you add an Azure Active Directory P1 license (already included for Microsoft 365 Business Premium subscribers), you can add conditional access rules that let you allow-list trusted locations. Thus, you can require MFA only for remote users, protecting remote email access. These conditional access policies can be made more granular to allow users access to resources while balancing the need for MFA. For example:

- Requiring MFA for users with administrative roles
- Requiring MFA for Azure management tasks
- Blocking sign-ins for users attempting to use legacy authentication protocols
- Requiring trusted locations for Azure AD MFA registration
- Blocking or granting access from specific locations
- Blocking risky sign-in behaviors
- Requiring organization-managed devices for specific applications

Assess user hardware requirements

When deploying MFA, keep in mind the hardware you may need. You may need to provide cellular phones to your employees so they can use an MFA application. If you do not provide them with a cell phone and mandate MFA so that they have to use their personal phones, you may need to reimburse them for reasonable use of their personal assets. States such as California, Illinois, Iowa, Massachusetts, Minnesota, Montana, New Hampshire, New York, Pennsylvania and the District of Columbia have all passed laws requiring employers to reimburse workers for work-related expenses such as the use of their personal phone for MFA. You can also deploy tokens such as the YubiKey, which supports authentication with Azure AD.

Consider backup and redeployment needs

When deciding on the device or token, you also need to plan for backups and redeployment. For example, it’s recommended to have at least two YubiKeys per user so that the person has a backup. Some deployments support more than two such tokens per user account. If you use the Microsoft Authenticator app, you may have to plan on backing it up using a personal Microsoft account if you use an iPhone. Also, migration between iPhone and Android is not a direct backup-and-restore process. Your backup is stored in iCloud for iOS and in Microsoft’s cloud storage provider for Android. This means that your backup is unavailable if you switch between Android and iOS devices. If you make the switch, you must manually recreate your accounts within the Microsoft Authenticator app. Ensure that you educate your MFA users about these deployment issues ahead of time so that they know of the issues and can plan accordingly.

Microsoft is raising the bar to protect user authentication. Make it a priority this year to ensure that users are protected from such attacks. A mere username and password are no longer enough.
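Two of the conditional access policies listed above (MFA for administrative roles, and MFA for everyone outside trusted locations), written as an added example with the Microsoft Graph PowerShell SDK; this is not code from the article or from Microsoft. It assumes the Microsoft.Graph module is installed, that trusted named locations already exist in the tenant, and that the break-glass account id is a placeholder you replace with your own.

```powershell
# Added example (not from the article): create two Conditional Access policies in
# report-only mode, so sign-in logs can be reviewed before anything is enforced.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: object id of your emergency-access (break-glass) account, excluded from
# both policies so a misconfiguration cannot lock every administrator out.
$breakGlass = "<break-glass-account-object-id>"

# Policy 1: require MFA for users holding the Global Administrator role.
# The GUID is the well-known Global Administrator role template id; verify it in your tenant.
$adminMfa = @{
    displayName   = "CA01 - Require MFA for Global Administrators"
    state         = "enabledForReportingButNotEnforced"   # switch to "enabled" after review
    conditions    = @{
        users          = @{
            includeRoles = @("62e90394-69f5-4237-9190-012177145e10")
            excludeUsers = @($breakGlass)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Policy 2: require MFA for all users signing in from outside trusted named locations,
# so on-site users are not prompted while remote mail access is still protected.
$remoteMfa = @{
    displayName   = "CA02 - Require MFA outside trusted locations"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlass)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        locations      = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")   # named locations marked as trusted
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

foreach ($policy in @($adminMfa, $remoteMfa)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host ("Created '{0}' ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State)
}
```

Review the report-only results in the Entra sign-in logs for a few days, then change `state` to `enabled` once no legitimate users are being blocked.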