← ALL POSTS
CYBERSECURITY STEP-BY-STEP GUIDE

Roll out MFA to a small business without a mutiny

Stolen passwords are still the number one way small businesses get breached, and MFA (multi-factor authentication) is the cheapest fix in security. The technology is not the hard part; MFA takes an afternoon to switch on. The hard part is rolling it out to twenty busy people without a revolt, a locked-out owner, or a quiet exemption list that grows until the whole thing is theater. This guide is the rollout plan we use. At the end you'll have MFA enforced on every account, a working recovery process, and no mutiny.

Prerequisites

Step 1: Inventory every app that has a login

You can't protect accounts you forgot exist. Make a spreadsheet with columns for app name, who uses it, whether it supports MFA, and whether it can use single sign-on through Microsoft or Google. Walk through:

Wherever an app supports "Sign in with Microsoft" or "Sign in with Google," plan to use it. Every app behind SSO inherits MFA from the central account automatically, which shrinks the rollout from twenty apps to one.

Step 2: Pick your methods, and set the defaults deliberately

Not all second factors are equal. Set these as policy before anyone enrolls:

Plan for the edge cases now, not during enrollment week: shared accounts (fix by moving to individual logins, or park the TOTP secret in your password manager's shared vault as a stopgap), warehouse staff without company phones (hardware keys or a printed policy decision, made openly), and personal-phone objections (the authenticator app reveals nothing to the employer; put that in the FAQ, and offer a hardware key to anyone still uncomfortable).

Step 3: Run a pilot group for two weeks

Pick five or so people: yourself, one skeptic, one non-technical user, one remote worker, and someone from finance. Enroll them, then let them live with it for two weeks while you collect every complaint and confusion. The pilot always surfaces something: an old copier that can't authenticate to send scans to email once security defaults tighten, a line-of-business app that needs an app password, a user whose personal phone is too old for the authenticator app.

Fix those, then write the two documents the rest of the rollout depends on: a one-page enrollment guide with screenshots for your exact tenant, and a short FAQ answering the pilot group's actual questions. Deliberately include the skeptic's objections; the rest of the company has the same ones.

Step 4: Open a two-week enrollment window

Announce it from the owner, not from IT, with three things: why (one sentence about stolen passwords, and that the insurance renewal requires it, which it probably does), what to do (the one-page guide), and the dates. Give people a two-week window to enroll on their own schedule, with drop-in help available. In Microsoft 365, use registration campaigns or Conditional Access in report-only mode so you can watch enrollment numbers without locking anyone out yet.

Chase stragglers personally in week two. A short "need a hand with this?" message clears most of them; the last two or three usually just need someone to sit with them for five minutes. Aim for over 90% enrolled before the deadline so enforcement day is a formality instead of a fire.

Step 5: Enforce on a named date

Announced deadlines with no enforcement teach people that deadlines are decoration. On the named date, turn it on for real: Security Defaults, or a Conditional Access policy requiring MFA for all users on all apps if you have Business Premium. Pick a Tuesday morning, never a Friday, so the stragglers hit the wall while help is available and nobody is locked out over a weekend.

Hold the line on exemptions. Every "just exclude me, I'm careful" request, especially from the top, creates exactly the account attackers want most. The owner goes first and says so. The only legitimate exclusions are documented break-glass accounts (next step) and specific service accounts handled with their own controls.

Step 6: Set up recovery before you need it

Lost phones are the moment MFA rollouts die, because a bad recovery process either strands users for days or becomes the hole attackers walk through. Set up three things:

  1. Two factors per person, minimum. Enrolling a second method (backup key, secondary device, or printed one-time recovery codes stored somewhere sane) at signup time turns most lost phones into a non-event.
  2. A break-glass admin account. One emergency global admin, excluded from MFA policy, with a very long random password stored offline (a sealed envelope in a safe works), and an alert configured to fire on any use of it. This is what saves you when the MFA service itself has a bad day or the only admin loses both keys.
  3. A verification rule for resets. Whoever handles "I lost my phone, reset my MFA" must verify identity by a known-good channel: a video call, a callback to the number on file, or in person. Never reset based on an email or chat message alone; attackers impersonating locked-out employees to the help desk is now a standard playbook, and it has cracked far bigger companies than yours.

Verify it

You're done when all of these are true:

Check the sign-in logs a month later for anything still authenticating without MFA (legacy protocols like IMAP are the usual culprit; disable them) and you can close the project. This one control blocks the large majority of account-takeover attacks your business will ever face, and now it's actually on everywhere.

Stuck on this, or want it done for you? That's the job.

Email us →
RELATED READING
The first 24 hours after a breach: what to do, in order Explainer
Troubleshoot a network printer like a tech Step-By-Step Guide
Send SMS and email alerts from your app Step-By-Step Guide
Dark web monitoring: useful signal or scare tactic? Explainer
Do you still need a VPN? Explainer
NO FORMS. JUST EMAIL.
mason@hurbs.io
or (832) 457-4317, LA and Houston