When a Donegal accountancy firm had its Microsoft 365 account compromised last year, the attacker had been inside the system for eleven days before anyone noticed. In that time, they read emails, monitored conversations about upcoming payments, and finally sent a fraudulent invoice to a client redirecting €22,000 to a criminal bank account. The firm had a strong password policy. It did not have multi-factor authentication. That single gap — which Microsoft 365 would have closed for free, in under twenty minutes — was the difference between a normal week and an eleven-day breach and a significant financial loss. Enabling MFA on Microsoft 365 is not a complex technical project. It is twenty minutes of configuration that stops the majority of account compromises before they begin.
## Why MFA Matters So Much
Multi-factor authentication requires a user to verify their identity using two separate factors — typically something they know (their password) and something they have (their phone, running an authenticator app). If an attacker steals or guesses a password, they cannot log in without the second factor. This one control is estimated to block over 99% of automated credential attacks.
The NCSC Ireland consistently identifies credential theft — gaining access to systems using legitimate but stolen usernames and passwords — as the most common initial access method in cyberattacks on Irish businesses.[^1] Microsoft 365 accounts are a primary target because they hold email, documents, calendar data, and in many organisations the keys to every other cloud service the business uses.
The Data Protection Commission in Ireland has cited the absence of MFA as an aggravating factor in data breach investigations, treating it as a failure of the "appropriate technical measures" obligation under GDPR.[^2] An Garda Síochána's National Cyber Crime Bureau has also highlighted business email compromise — which typically begins with a stolen Microsoft 365 credential — as one of the highest-value fraud categories targeting Irish SMEs.[^3] In most of those cases, MFA would have stopped the attack at the front door.
Is multi-factor authentication currently enabled on every Microsoft 365 account in your business, including accounts used by part-time staff and contractors? Book a free 20-minute strategy call — we will confirm your MFA status and check for the configuration gaps that leave accounts exposed even when MFA is partially enabled.
## The Fastest Path: Security Defaults
For most Irish SMEs, the quickest and most complete way to enable MFA across all Microsoft 365 accounts is to activate Security Defaults. This is a Microsoft feature designed specifically for small and medium businesses that need baseline protection without complex configuration. It requires all users to register for and use MFA when signing in, and it costs nothing — it is included in every Microsoft 365 plan.
To enable Security Defaults, you need to be a Global Administrator for your Microsoft 365 tenancy. Sign in to the Microsoft Entra admin centre at entra.microsoft.com. In the left menu, go to Overview, then select Properties. Scroll to the bottom and click Manage Security Defaults. Toggle Enable Security Defaults to Yes and save.
Once enabled, the next time each user signs in they will be prompted to set up MFA. They will be asked to download and configure the Microsoft Authenticator app on their phone. After completing the setup, they will use the app to approve each new login. The whole process for each user takes three to five minutes.
This single action — enabling Security Defaults — will block the overwhelming majority of credential-based attacks against your Microsoft 365 accounts. If you do nothing else from this article, do this.
## A More Flexible Approach: Conditional Access
For businesses that need more control over when and how MFA is required — for example, to allow staff to sign in from the office without MFA but require it from home, or to require stricter authentication for administrators than standard users — Conditional Access policies provide that flexibility. Conditional Access is available in Microsoft 365 Business Premium and above, or with Azure AD Premium licences.
Conditional Access lets you define rules such as: require MFA for all users accessing email from outside the corporate IP range; require MFA for any login from a new or unrecognised device; block access entirely from countries your business does not operate in. These policies give you precise control without applying blanket restrictions that users find frustrating.
For most Donegal and Irish SMEs with fifteen to two hundred employees, Security Defaults is the right starting point. Conditional Access becomes relevant when the business has specific compliance requirements — for example, NIS2 or GDPR obligations that require demonstrating tailored risk-based access controls — or when Security Defaults creates operational friction that cannot be managed through user education.
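The "require MFA from outside the office" rule described above, expressed as a Conditional Access policy with the Microsoft Graph PowerShell SDK. This is an added example, not code from the original article; it assumes Security Defaults has already been switched off (a tenancy cannot run both), that your office IP range is defined as a trusted named location, and that `$BreakGlassId` is a placeholder you replace with the object ID of your emergency-access account.

```powershell
# Added example: Conditional Access policy requiring MFA outside trusted locations.
# Needs the Microsoft.Graph.Identity.SignIns module and an admin with
# Policy.ReadWrite.ConditionalAccess. Security Defaults must be OFF first.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: object ID of your break-glass account (substitute your own).
$BreakGlassId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName = "Require MFA for all users outside trusted locations"
    # Report-only first: sign-in logs show who WOULD be prompted; nobody is blocked.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{
            includeUsers = @("All")
            excludeUsers = @($BreakGlassId)     # never lock out the emergency account
        }
        applications = @{ includeApplications = @("All") }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")  # the office range marked as trusted
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy {0} in state {1}" -f $created.Id, $created.State

# Once the report-only sign-in logs look right, switch the policy to enforced:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id `
#     -BodyParameter @{ state = "enabled" }
```

Run it in report-only mode for a few days and review the sign-in logs before enforcing, so that staff who would be prompted unexpectedly are identified in advance rather than locked out on a busy morning.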
## Getting Your Staff Ready
The most common reason MFA rollouts are delayed or reversed in Irish SMEs is staff friction — complaints that the extra step is inconvenient, or confusion about how to set up the Authenticator app. The solution is communication before deployment, not after.
Before you enable Security Defaults, send a brief email to all staff explaining what is changing, why it matters, and what they need to do — which is to download the Microsoft Authenticator app from the App Store or Google Play before their next login. Give staff three to five business days' notice so that no one is caught unprepared on a busy day when they need immediate access to email.
Designate someone — ideally your IT provider or a technically confident staff member — to be available on the first day after enablement to help anyone who gets stuck during the Authenticator setup process. In a typical Irish SME, two or three people will need that help. Having someone available for thirty minutes avoids those people calling you in a panic.
## After MFA Is Enabled: What to Check
Enabling MFA is not the end of the process. There are two additional checks that significantly strengthen the protection it provides.
First, confirm that no accounts have been excluded from MFA requirements. Security Defaults applies to all accounts by default, but administrators sometimes create exemptions during initial rollout and forget to remove them. A quick review of your user list in the Microsoft Entra admin centre will confirm that every account — including shared mailboxes, service accounts, and accounts belonging to contractors — is covered.
Second, review your Multi-Factor Authentication registration report to confirm that all users have completed their MFA setup. Any user who has not registered is still signing in with password only. The report is available in the Entra admin centre under Identity > Monitoring and health > Usage and insights > Authentication methods.
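Both post-enablement checks, together with a confirmation that Security Defaults is actually enforced, can be run from one script using the Microsoft Graph PowerShell SDK. This is an added example, not code from the original article; it assumes the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Reports modules are installed and that you sign in interactively as a Global Administrator.

```powershell
# Added example: audit MFA coverage across a Microsoft 365 tenancy.
# Assumes Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Reports are installed.
Connect-MgGraph -Scopes "Policy.Read.All", "AuditLog.Read.All", "UserAuthenticationMethod.Read.All"

# 1. Confirm Security Defaults is switched on for the whole tenancy.
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if (-not $sd.IsEnabled) {
    Write-Warning "Security Defaults is OFF: a password alone still grants access."
} else {
    Write-Host "Security Defaults: enabled"
}

# 2. Pull the authentication-methods registration report for every user.
#    This is the same data as Identity > Monitoring and health > Usage and insights.
$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

# Anyone with IsMfaRegistered = $false is still signing in with password only.
# This catches shared mailboxes, contractors and service accounts as well as staff.
$unregistered = $details | Where-Object { -not $_.IsMfaRegistered }

# Administrators without MFA are the highest-risk gap, so list them first.
$unregistered |
    Sort-Object -Property @{ Expression = 'IsAdmin'; Descending = $true }, UserPrincipalName |
    Select-Object UserPrincipalName, IsAdmin, UserType, IsMfaCapable |
    Format-Table -AutoSize

# Export the list so someone can chase each person who has not completed setup.
$unregistered |
    Select-Object UserPrincipalName, IsAdmin, UserType |
    Export-Csv -Path ".\mfa-unregistered.csv" -NoTypeInformation

"{0} of {1} users have not registered MFA" -f $unregistered.Count, $details.Count
```

Re-run the script a week after rollout; the count of unregistered users should be zero, and any account that still appears is the one an attacker will find first.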
Enabling MFA on your Microsoft 365 accounts is the single fastest action most Irish SMEs can take to materially reduce their risk of a cyberattack. It is free. It takes twenty minutes. And it stops most attacks before they begin.
## Three Actions to Take Today
1. Enable Security Defaults on your Microsoft 365 tenancy. Follow the steps above. If you are not the administrator for your tenancy, ask your IT provider to do this today. There is no valid technical reason to delay.
2. Send a two-paragraph communication to all staff explaining the change, what they need to install, and that it will start in five days. Keep it simple and positive.
3. After rollout, run the MFA registration report to confirm everyone has completed setup. Chase anyone who has not. An account without MFA is the weakest link in an otherwise protected tenancy.
## Related Reading
- Securing Remote Work: Best Practices for Irish Hybrid Teams
- Quishing: QR Code Phishing Scams and What Every Irish Business Owner Needs to Know
- Access Control and Least Privilege for Irish SMEs
[^1]: NCSC Ireland, cybersecurity guidance for organisations on credential security: https://www.ncsc.gov.ie/advice-for-organisations/
[^2]: Data Protection Commission, guidance on technical security measures under GDPR: https://www.dataprotection.ie
[^3]: An Garda Síochána, National Cyber Crime Bureau cybercrime resources: https://www.garda.ie/en/crime/cyber-crime/
Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.