How to Set Up Multi-Factor Authentication for Your Business: A Step-by-Step Guide

Introduction
Multi-factor authentication (MFA) is the single most effective security control available to small and mid-sized businesses today. Microsoft's own data shows that accounts with MFA enabled are more than 99% less likely to be compromised than accounts protected by a password alone. Yet the majority of breach investigations still reveal at least one account — a VPN login, a shared mailbox, a legacy admin account — that was never enrolled.
This guide walks you through exactly how to deploy MFA across your business from start to finish: how to choose the right method for each use case, how to roll it out without disrupting your team, and how to handle the edge cases that trip up most implementations.
Step 1: Understand the MFA Methods Available to You
Not all MFA is equally secure. Before you start deploying, understand what you're choosing between so you can match the method to the risk level of each system.
SMS Text Codes (Least Secure — Avoid for High-Risk Accounts)
A one-time code is sent to the user's mobile phone by text. This is better than no MFA, but SMS is vulnerable to SIM-swapping attacks — where an attacker convinces a mobile carrier to transfer the victim's phone number to an attacker-controlled SIM card, intercepting all future SMS messages. For general users who won't accept other methods, SMS MFA is acceptable. For executives, finance staff, IT admins, and anyone with access to sensitive data, it should not be your primary method.
Authenticator App / TOTP (Strong — Recommended for Most Users)
Apps like Microsoft Authenticator, Google Authenticator, or Authy generate a time-based one-time password (TOTP) that refreshes every 30 seconds. The code is generated locally on the device and never transmitted over a carrier network, making it immune to SIM-swap attacks. This is the practical gold standard for most business users. Microsoft Authenticator also supports push notifications — the user approves or denies a login attempt with a tap rather than entering a code, which improves adoption significantly.
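To make the "generated locally, refreshes every 30 seconds" point concrete, here is an added example (not code from the original article) of the RFC 6238 TOTP algorithm that authenticator apps implement, plus the server-side check with a small clock-drift window. The only shared input is the base32 secret provisioned once from the enrollment QR code; nothing is transmitted per login.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30   # the 30-second refresh the article describes
DIGITS = 6          # what Microsoft/Google Authenticator display

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(base32_secret: str, at: Optional[int] = None, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second time step."""
    padded = base32_secret.upper() + "=" * (-len(base32_secret) % 8)
    secret = base64.b32decode(padded)   # the secret from the enrollment QR code
    now = int(time.time()) if at is None else at
    return hotp(secret, now // STEP_SECONDS, digits)

def verify_totp(base32_secret: str, submitted: str, at: Optional[int] = None,
                drift_steps: int = 1, digits: int = DIGITS) -> bool:
    """Server-side check: accept the current step or one step either side.

    The window absorbs phone clock drift. A production verifier keeps it small
    and also refuses a code it has already accepted, so a captured code cannot
    be replayed inside the window.
    """
    now = int(time.time()) if at is None else at
    for delta in range(-drift_steps, drift_steps + 1):
        candidate = totp(base32_secret, now + delta * STEP_SECONDS, digits)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False
```

The RFC 6238 test vectors (secret "12345678901234567890", SHA-1) reproduce exactly, which is a quick way to confirm an implementation before trusting it.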
FIDO2 Hardware Keys (Strongest — Required for Admins)
Physical hardware keys (YubiKey, Google Titan, etc.) plug into a USB port or tap via NFC. Authentication is cryptographically tied to the specific website domain, which means it is completely immune to phishing — even if a user is tricked into entering their password on a fake login page, the hardware key will refuse to authenticate because the domain doesn't match. This is the method to deploy for Global Administrators, IT staff, finance approvers, and any executive with privileged access. Cost: $25–$70 per key, with most critical employees needing two (one primary, one backup).
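The "refuses to authenticate because the domain doesn't match" behaviour has a concrete mechanism: the browser writes the page origin into clientDataJSON, the authenticator signs SHA-256(clientDataJSON) together with authenticatorData (which begins with the hash of the RP ID), and the server rejects anything carrying a different origin or RP ID. The following is an added illustration of that relying-party check, not code from the article; the domains, challenge and authenticator data are constructed sample values.

```python
import base64
import hashlib
import json

# Constructed values for the example relying party (not a real deployment).
EXPECTED_ORIGIN = "https://login.example.com"
EXPECTED_RP_ID = "login.example.com"

def b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))

def check_client_data(client_data_json: bytes, expected_challenge: bytes) -> tuple:
    """Relying-party checks on clientDataJSON: ceremony type, challenge, origin.

    Returns (ok, reason, client_data_hash). The hash is part of what the key
    signs, so the origin the browser saw is bound into the signature: an
    assertion produced on a look-alike domain carries that domain and fails here.
    """
    data = json.loads(client_data_json)
    if data.get("type") != "webauthn.get":
        return False, "wrong ceremony type", None
    if b64url_decode(data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replayed or stale assertion)", None
    origin = data.get("origin")
    if origin != EXPECTED_ORIGIN:
        return False, f"origin {origin!r} is not {EXPECTED_ORIGIN!r}", None
    return True, "ok", hashlib.sha256(client_data_json).digest()

def check_rp_id_hash(authenticator_data: bytes) -> bool:
    """authenticatorData starts with SHA-256(rpId); it must be our RP ID."""
    return authenticator_data[:32] == hashlib.sha256(EXPECTED_RP_ID.encode()).digest()

def sample_client_data(origin: str, challenge: bytes) -> bytes:
    # Builds clientDataJSON the way a browser does, for constructed test input.
    return json.dumps({
        "type": "webauthn.get",
        "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode(),
        "origin": origin,
    }).encode()

def sample_authenticator_data(rp_id: str) -> bytes:
    # Constructed authenticatorData: rpIdHash (32 bytes) + flags (UP|UV) + signCount.
    return hashlib.sha256(rp_id.encode()).digest() + b"\x05" + b"\x00\x00\x00\x01"

CHALLENGE = b"constructed-challenge-not-random"  # real challenges are random per login
GENUINE = sample_client_data("https://login.example.com", CHALLENGE)
PHISHED = sample_client_data("https://login-example.com", CHALLENGE)  # look-alike
```

The same property is what an SMS or TOTP code lacks: the code is just six digits that work wherever the user types them, while a FIDO2 assertion is only valid for the origin it was created on.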
Passkeys (Strongest — Emerging Replacement for Passwords)
Passkeys use the same cryptographic standard as FIDO2 hardware keys but are stored on the user's device (phone, laptop, or tablet) using biometric authentication (Face ID, fingerprint, Windows Hello). Microsoft 365, Google, and an increasing number of business applications support passkeys as a fully passwordless authentication method. For new deployments in 2026, passkeys are worth evaluating as a long-term replacement for the password + MFA combination entirely.
Step 2: Audit Your Current Authentication Landscape
Before you enable anything, map exactly what you have. A successful MFA rollout requires knowing every system users authenticate to and whether legacy protocols are involved.
Build Your Application Inventory
List every system that requires login credentials in your organization. Common categories for Houston businesses:
- Email and productivity: Microsoft 365 / Google Workspace
- Remote access: VPN, RDP gateways, remote desktop tools (AnyDesk, ScreenConnect)
- Line-of-business applications: ERP systems, CRM, accounting software (QuickBooks, Sage), practice management software
- Cloud infrastructure: AWS, Azure, Google Cloud consoles
- Banking and financial portals
- HR and payroll systems
- Industry-specific portals: EMR systems for healthcare, permitting portals for energy and construction, regulatory compliance platforms
Identify Legacy Authentication Dependencies
Some older systems — shared printers, legacy line-of-business applications, older email clients — use basic authentication protocols that cannot support MFA. Identify these before blocking legacy auth, or you'll break systems people depend on. Document each legacy dependency and make a migration plan. Common legacy auth users:
- Network printers configured to email scans via SMTP
- Older versions of Outlook (pre-2016) or email clients that don't support modern auth
- Legacy CRM or ERP integrations that use basic auth API calls
- Conference room shared accounts configured on tablets or smart displays
Identify High-Risk Accounts to Prioritize
Not all accounts carry equal risk. Prioritize MFA enrollment in this order:
- Global Administrators and IT admins (highest priority — these accounts have the keys to everything)
- Finance, billing, and accounts payable staff (primary BEC targets for wire fraud)
- Executives and executive assistants
- HR and payroll staff (access to sensitive employee data)
- All remaining users
Step 3: Enable MFA in Microsoft 365
Most Houston businesses run Microsoft 365. Here's the specific path to enabling MFA in your M365 tenant.
Option A: Security Defaults (Simplest — Good for Small Businesses)
Microsoft's Security Defaults enable MFA for all users with a single toggle. This is the fastest path for organizations that don't have Microsoft Entra ID P1 or P2 licensing. Navigate to: Entra admin center → Properties → Manage Security Defaults → Enable Security Defaults: Yes. With Security Defaults enabled, all users will be prompted to register for MFA on their next sign-in and required to complete MFA for certain higher-risk activities.
Limitation: Security Defaults apply the same policy to everyone with no flexibility. If you need per-group policies, exclusions, or location-based conditions, you'll need Conditional Access.
Option B: Conditional Access Policies (Recommended — More Control)
Available with Microsoft Entra ID P1 (included in Microsoft 365 Business Premium). Conditional Access lets you define exactly when MFA is required — for specific apps, specific user groups, specific locations, or specific sign-in risk levels. Create your baseline MFA policy:
- Go to Entra admin center → Security → Conditional Access → New policy
- Name it "Require MFA — All Users"
- Assignments → Users: select "All users" (exclude your break-glass emergency accounts)
- Target Resources: select "All cloud apps"
- Access controls → Grant: select "Require multi-factor authentication"
- Enable policy: On
Before enabling, put the policy in Report-only mode for 7–14 days. Review the sign-in logs to see who would be affected and what legacy auth dependencies surface. Then switch to enforcement once you're confident there are no broken systems.
Communicate the Rollout to Your Team
Send a company-wide email at least one week before MFA goes live explaining what's changing, why it matters, and exactly what employees will see when they're prompted. Include step-by-step screenshots for setting up Microsoft Authenticator on iOS and Android. Reduce help desk tickets by proactively answering the four questions people will ask:
- What is MFA and why are we doing this?
- What app do I need to download?
- What do I do if I lose my phone?
- Will this affect my personal devices?
Step 4: Enable MFA on Your VPN and Remote Access
Your VPN and remote desktop gateway are the front door of your network for remote workers. These are the exact entry points ransomware groups and credential-stuffing attacks target most aggressively.
For Most Business VPNs (Cisco, Fortinet, Palo Alto, SonicWall)
Enterprise-grade VPN appliances support RADIUS-based MFA integration. The general process:
- Deploy an MFA RADIUS proxy (Microsoft's NPS extension for Azure MFA, or a third-party solution like Duo Security or AuthPoint)
- Configure your VPN appliance to pass authentication requests through the RADIUS proxy
- The RADIUS proxy validates the username/password against Active Directory, then triggers an MFA challenge (push notification, TOTP code) before granting VPN access
- Test with a pilot group of 5–10 users before rolling out broadly
For Windows Remote Desktop (RDP)
If you run a Windows Remote Desktop Services (RDS) gateway, MFA can be enforced at the gateway level using the same NPS/RADIUS approach. Never expose RDP directly to the internet — always place it behind an RD Gateway or your VPN. If your organization uses plain RDP with the port directly exposed (TCP 3389 open to the internet), that exposure should be closed immediately regardless of MFA status — it is actively scanned and attacked around the clock.
For Remote Desktop Tools (AnyDesk, ScreenConnect, TeamViewer)
Enable MFA within the tool's own management console. For AnyDesk: Settings → Security → Two-Factor Authentication. For ConnectWise ScreenConnect: Administration → Security → require two-factor for all administrators and operators. Do not allow connections from outside your organization without requiring session approval from a logged-in technician.
Step 5: Enforce MFA on Critical Line-of-Business Applications
Email and VPN are the priority, but your other business applications matter too. For SaaS applications that support SAML or OpenID Connect single sign-on (SSO), you can often enforce MFA centrally through Entra ID or Okta rather than configuring it in each app separately. Check whether each critical application in your inventory supports:
- SSO via Entra ID / Okta: If yes, MFA enforcement flows from your central identity provider — users don't need separate MFA for each app
- Native MFA: Many cloud apps (Salesforce, QuickBooks Online, HubSpot, DocuSign) have built-in MFA settings in their security or account configuration panels — enable these directly
- No MFA support: Legacy applications that don't support MFA should be identified as technical debt and either migrated, replaced, or network-restricted so they're only accessible from managed devices on your corporate network
Step 6: Plan for "I Lost My Phone" Before It Happens
The most common MFA support ticket is a user who got a new phone, can't receive MFA codes, and is now locked out. Handle this before it becomes a crisis:
Require Backup MFA Methods at Enrollment
When users register for MFA in Microsoft 365, require them to register at least two methods — for example, the Microsoft Authenticator app and a backup phone number. This way, a lost phone doesn't mean a lockout if the backup method is accessible.
Establish an MFA Reset Procedure
Document a clear, secure process for resetting MFA when a user is genuinely locked out:
- User contacts IT (phone, in-person, or a pre-shared backup communication channel)
- IT verifies identity — this must be a real verification, not just "they called and said it was them." Use a shared secret, manager verification, or video call with government ID
- IT temporarily bypasses MFA (one-time bypass code in Entra ID) long enough for the user to re-register their new device
- The bypass code expires automatically after the configured window (typically 5–30 minutes)
Never establish a policy of resetting MFA based solely on an email or Teams message request — that's exactly how social engineering attacks bypass MFA entirely.
For Hardware Key Users: Always Issue Two Keys
Admins and other hardware-key users should have two registered keys — a primary and a backup stored securely (in a locked drawer, home safe, or with a designated IT team member). A lost single key with no backup can result in a locked-out admin account at the worst possible moment.
Step 7: Monitor MFA Coverage and Stay Current
MFA is not a set-and-forget control. Configuration drift is real — new accounts get created, exemptions get granted for convenience, legacy auth re-enables for a "temporary" fix that never gets cleaned up. Build ongoing monitoring into your routine:
- Monthly: Run a sign-in report filtered for "MFA not required" or "Legacy authentication" in Entra ID. Any unexpected results should be investigated immediately
- Quarterly: Audit all admin accounts for MFA enrollment and verify that break-glass accounts are intact
- On new hire: MFA enrollment should be part of day-one onboarding, not an afterthought
- On employee offboarding: MFA device registrations should be removed as part of the offboarding process — revoke all sessions and remove registered devices from the departed employee's account
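For the monthly review above, here is an added example (not from the original article) of a first-pass triage over exported Entra ID sign-in records: it flags successful sign-ins that used a legacy client app or were not subject to MFA, grouped by account. Field names follow the Microsoft Graph signIn resource (userPrincipalName, clientAppUsed, authenticationRequirement, status.errorCode); the log lines themselves are constructed sample data, not a real export.

```python
import json
from collections import defaultdict

# Client app labels the Entra sign-in log uses for legacy (basic) authentication.
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync", "Authenticated SMTP", "IMAP4", "POP3", "Other clients",
    "Exchange Web Services", "Outlook Anywhere (RPC over HTTP)", "Autodiscover",
    "MAPI Over HTTP", "Offline Address Book",
}

# Constructed sample export, one JSON record per line.
SAMPLE_LOG = """\
{"userPrincipalName": "cfo@example.com", "clientAppUsed": "Browser", "authenticationRequirement": "multiFactorAuthentication", "status": {"errorCode": 0}}
{"userPrincipalName": "scanner@example.com", "clientAppUsed": "Authenticated SMTP", "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}}
{"userPrincipalName": "jdoe@example.com", "clientAppUsed": "Browser", "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}}
{"userPrincipalName": "jdoe@example.com", "clientAppUsed": "Browser", "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 50126}}
{"userPrincipalName": "it-admin@example.com", "clientAppUsed": "Mobile Apps and Desktop clients", "authenticationRequirement": "multiFactorAuthentication", "status": {"errorCode": 0}}
"""

def triage(log_text: str) -> dict:
    """Group successful sign-ins that need a look by account.

    Returns {upn: {"legacy_auth": [apps], "no_mfa": count}} for accounts with at
    least one finding. Failed sign-ins are skipped on purpose: a wrong password
    never reaches the MFA step, so a failure says nothing about coverage.
    """
    findings = defaultdict(lambda: {"legacy_auth": set(), "no_mfa": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("status", {}).get("errorCode", 0) != 0:
            continue
        upn = rec["userPrincipalName"]
        app = rec.get("clientAppUsed", "")
        if app in LEGACY_CLIENT_APPS:
            findings[upn]["legacy_auth"].add(app)
        if rec.get("authenticationRequirement") != "multiFactorAuthentication":
            findings[upn]["no_mfa"] += 1
    return {u: {"legacy_auth": sorted(f["legacy_auth"]), "no_mfa": f["no_mfa"]}
            for u, f in findings.items()}

if __name__ == "__main__":
    for upn, f in triage(SAMPLE_LOG).items():
        print(f"{upn}: legacy={f['legacy_auth'] or '-'} no_mfa={f['no_mfa']}")
```

In the sample, the scanner's SMTP sign-in is the kind of legacy dependency Step 2 asked you to inventory, and jdoe's single-factor browser sign-in is the exemption or drift this check exists to catch.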
MFA Implementation Checklist
| Step | Action | Priority |
|---|---|---|
| 1 | Choose MFA methods by risk level (FIDO2 for admins, Authenticator app for users) | First |
| 2 | Audit all systems users authenticate to and identify legacy auth dependencies | First |
| 3 | Enable Conditional Access MFA policy in M365 (Report-only first, then enforce) | First |
| 4 | Enable MFA on VPN and remote access gateways | High |
| 5 | Communicate rollout to employees with setup instructions | High |
| 6 | Require 2 registered MFA methods per user during enrollment | High |
| 7 | Document and test the MFA reset / lost-phone procedure | High |
| 8 | Enable MFA in critical SaaS applications or connect them via SSO | Medium |
| 9 | Block legacy authentication protocols once dependencies are migrated | Medium |
| 10 | Set up monthly MFA coverage monitoring report | Medium |
Need Help Rolling Out MFA Across Your Houston Business?
LayerLogix has deployed MFA for businesses across Greater Houston — from 10-person professional services firms in Sugar Land to multi-location healthcare practices in The Woodlands and Conroe, and manufacturing operations in Katy and Pasadena. We handle everything from the initial audit and legacy dependency discovery through configuration, employee communication, and ongoing monitoring.
A properly deployed MFA rollout takes 2–4 weeks for most small and mid-sized businesses. Doing it wrong — gaps, exemptions, broken legacy systems, no lost-phone procedure — creates a false sense of security that can be worse than no MFA at all.
Contact LayerLogix to plan your MFA rollout. We'll audit your current environment, identify every gap, and implement a policy that actually covers your organization. Call 713-571-2390 or use our contact form.