ADN-TI — Solutions sur mesure
Cybersecurity · Microsoft 365 · Identity

Passwords aren't enough: MFA and conditional access

By the ADN-TI team

The vast majority of business account breaches involve no technical wizardry at all: a reused, phished or guessed password, and that’s it. As long as access rests on a single factor — something you know — one person losing it is enough. That’s why Microsoft now enforces multi-factor authentication by default and is progressively shutting off old sign-in methods.

MFA: the baseline, not a luxury

Multi-factor authentication (MFA) adds a second factor — something you have (your phone) or something you are (fingerprint, face). Even with your password in hand, a fraudster stays locked out.

Two points that matter:

  • Not all second factors are equal. A push notification in the Microsoft Authenticator app is far safer than a text-message code, which can be intercepted. We favour the app, or even security keys for sensitive accounts.
  • Legacy authentication bypasses MFA. Old protocols (POP, IMAP, older Office versions) can’t present a second factor — attackers love them. They must be blocked, or MFA has a back door.

Conditional access: security that adapts

Forcing MFA everywhere, all the time, eventually frustrates teams — and security that frustrates gets worked around. That’s where Microsoft Entra ID conditional access comes in: rules that adjust the requirement based on context.

A few concrete examples:

  • Signing in from the office, on a managed and compliant device → frictionless access.
  • Signing in from a country where you don’t operate → blocked outright.
  • Signing in from an unknown device → MFA required, and access to sensitive data denied until the device is compliant.

Security becomes invisible when everything is normal, and strict only when something looks off.

Pitfalls to avoid

  1. Enabling MFA with no recovery plan. An employee who switches phones with no backup method means a locked account. Always set up recovery methods.
  2. Forgetting admin accounts. They’re the most targeted and, too often, the least protected. They deserve the strongest factors.
  3. Leaving legacy authentication on. Without that block, everything else has a gaping hole.
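As an added illustration (not ADN-TI's own tooling), here is what the legacy-authentication block and the "MFA or compliant device when off-site" rule from the examples above look like as Microsoft Entra ID conditional access policies created with the Microsoft Graph PowerShell SDK. Both policies start in report-only mode and exclude an emergency-access account, which is how the three pitfalls above are usually avoided; the account ID, policy names and the use of the built-in "AllTrusted" location are assumptions for the example.

```powershell
# Added example: two Entra ID conditional access policies via Microsoft Graph PowerShell.
# Both start in report-only mode so sign-in logs show what WOULD happen before
# anything is enforced, and both exclude a break-glass account (placeholder ID).
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

# Placeholder: object ID of your emergency-access (break-glass) account.
$breakGlass = "00000000-0000-0000-0000-000000000000"

# Policy 1: block legacy authentication. Clients that cannot present a second
# factor (POP, IMAP, older Office) sign in as "exchangeActiveSync" or "other".
$blockLegacy = @{
    displayName   = "CA001 - Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"   # set to "enabled" after review
    conditions    = @{
        clientAppTypes = @("exchangeActiveSync", "other")
        applications   = @{ includeApplications = @("All") }
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockLegacy

# Policy 2: outside trusted (office) named locations, require MFA OR a compliant
# managed device. Inside a trusted location nothing extra is asked of the user.
$mfaOffsite = @{
    displayName   = "CA002 - MFA or compliant device outside trusted locations"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        clientAppTypes = @("all")
        applications   = @{ includeApplications = @("All") }
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass) }
        locations      = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa", "compliantDevice") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $mfaOffsite

# Confirm both policies exist and are still report-only before switching them on.
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State
```

Review the report-only results in the Entra sign-in logs for a few days, then change each policy's state to "enabled" once the only sign-ins it would block are ones you expect.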

Where to start

We usually roll this out in stages: a review of current sign-ins, enabling MFA through the app, blocking legacy authentication, then conditional access policies calibrated to how you actually work. The whole thing comes together in a few days, without paralyzing anyone.

Key takeaway: MFA stops almost all account attacks, and conditional access makes it livable day to day. Dollar for dollar, it’s the most cost-effective security measure you can take.

Ready when you are

Ready to take control of your IT?

Book a free 30-minute discovery call. No commitment, no jargon.