MFA Rollout Checklist for Microsoft 365
Step-by-step checklist for rolling out multi-factor authentication across your Microsoft 365 organization with minimal user disruption.
Prerequisites
- Microsoft Entra ID P1 or P2 license (Conditional Access needs it; security defaults must also be turned off, because the two cannot be used together)
- An account holding the Conditional Access Administrator or Security Administrator role (Global Administrator is not required for this work and should not be used for it)
- Communication plan for end users, including a support path for people who get locked out
Planning Phase
Prepare for MFA rollout.
Identify which users already have MFA registered, and with which methods, using the Entra authentication methods registration report.
Document service accounts, shared mailboxes, emergency-access (break-glass) accounts and anything else that cannot answer an interactive MFA prompt, so each one can be excluded deliberately or handled another way.
Decide which authentication methods to allow.
Tips:
- Prefer Microsoft Authenticator (push with number matching, or passwordless phone sign-in); number matching is enforced by Microsoft for all Authenticator push prompts and cannot be switched off.
- Consider FIDO2 security keys or passkeys for administrators: they are phishing-resistant, while push approvals and one-time codes can be relayed by a phishing proxy.
- Avoid SMS and voice where possible; they are exposed to SIM swapping and real-time phishing, but they still beat password-only sign-in.
Create emails, guides, and FAQ for users.
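The first two planning steps (who is registered, and with which methods) come from one Graph report. The script below is an added example and not part of the original checklist; it uses the Microsoft.Graph PowerShell SDK, assumes you can consent to the two read-only scopes it requests, and the set of methods it treats as "strong" and the output file name are its own choices, not something the checklist prescribes. Re-running it during the rollout phase gives the completion rate.

```powershell
# Added example, not part of the original checklist. Assumes the Microsoft.Graph
# PowerShell SDK (Install-Module Microsoft.Graph) and an account that can consent
# to the two read-only scopes below. The output path is a placeholder.
Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All"

# Methods counted as "strong" for this rollout (assumption, matching the tips above:
# phone- and e-mail-based methods are treated as weak and flagged for upgrade).
$strongMethods = 'microsoftAuthenticatorPush', 'microsoftAuthenticatorPasswordless',
                 'fido2SecurityKey', 'windowsHelloForBusiness', 'softwareOneTimePasscode',
                 'hardwareOneTimePasscode', 'passKeyDeviceBound'

# One row per user from the authentication methods registration report.
$report = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

$rows = foreach ($u in $report) {
    $methods = @($u.MethodsRegistered)
    [pscustomobject]@{
        User          = $u.UserPrincipalName
        IsAdmin       = $u.IsAdmin
        MfaRegistered = $u.IsMfaRegistered
        MfaCapable    = $u.IsMfaCapable
        HasStrong     = [bool]($methods | Where-Object { $_ -in $strongMethods })
        Methods       = ($methods -join ';')
    }
}

# Users with no MFA at all: the population the registration campaign must reach.
$notRegistered = $rows | Where-Object { -not $_.MfaRegistered }

# Users registered only with SMS/voice/e-mail, to be moved to Authenticator or FIDO2.
$weakOnly = $rows | Where-Object { $_.MfaRegistered -and -not $_.HasStrong }

# Administrators are the priority: an admin without a strong method is a finding.
$adminsWithoutStrong = $rows | Where-Object { $_.IsAdmin -and -not $_.HasStrong }

$pct = if ($rows.Count) {
    [math]::Round(100 * ($rows.Count - $notRegistered.Count) / $rows.Count, 1)
} else { 0 }
"{0} users, {1} not registered, {2} weak-only, {3} admins without a strong method ({4}% registered)" -f `
    $rows.Count, $notRegistered.Count, $weakOnly.Count, $adminsWithoutStrong.Count, $pct

# Export for the communications plan; re-run during rollout to track completion.
$rows | Export-Csv -Path .\mfa-registration-status.csv -NoTypeInformation
```

The report is tenant-wide, so the pilot and rollout phases can filter the same CSV by group membership instead of re-querying each time.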
Pilot Phase
Test MFA with a pilot group.
Select 10-20 users from different departments.
Create a Conditional Access policy that requires MFA for the pilot group only. Start it in report-only mode, check the sign-in log for what it would have done, then switch it to enabled.
Related: CA-01
Help pilot users register and troubleshoot.
Document issues and adjust approach.
Rollout Phase
Roll out MFA to all users.
Configure a registration campaign in the Authentication methods policy so users are prompted to set up Microsoft Authenticator at sign-in.
Gradually add departments to MFA policy.
Track registration completion rates from the registration report after each department is added.
Process user issues and exception requests; give every exception an owner and an expiry date so it does not become permanent.
Enforcement Phase
Enforce MFA for all users.
Update the policy to include all users, excluding only the emergency-access accounts and the approved exceptions.
Related: CA-01
Test that MFA is required for all targeted users, and look for sign-ins that still complete with a single factor.
Record all policies, exceptions, and processes.
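The pilot, rollout and enforcement phases are one Conditional Access policy changing scope and state over time. The script below is an added example and not the checklist's own code; it uses the Microsoft.Graph PowerShell SDK, assumes an account with the Conditional Access Administrator role, and every group object ID in it is a placeholder to replace with your own. The final step is the enforcement-phase check: recent successful sign-ins that finished with a single factor.

```powershell
# Added example, not part of the original checklist. Assumes the Microsoft.Graph PowerShell
# SDK and an account holding the Conditional Access Administrator role. All group object IDs
# below are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All",
                        "AuditLog.Read.All", "Directory.Read.All"

$breakGlassGroupId = "00000000-0000-0000-0000-000000000001"   # emergency-access accounts, always excluded
$pilotGroupId      = "00000000-0000-0000-0000-000000000002"
$financeGroupId    = "00000000-0000-0000-0000-000000000003"
$exceptionGroupId  = "00000000-0000-0000-0000-000000000004"   # approved, time-boxed exceptions

# Builds the complete policy body. Sending the whole conditions/grantControls block on
# every update means no part of the scope is silently left out of a partial PATCH.
function New-MfaPolicyBody {
    param([string]$Name, [string]$State, [string[]]$IncludeGroups, [switch]$AllUsers, [string[]]$ExcludeGroups)
    $users = @{ excludeGroups = @($ExcludeGroups) }
    if ($AllUsers) { $users.includeUsers = @("All") } else { $users.includeGroups = @($IncludeGroups) }
    @{
        displayName   = $Name
        state         = $State      # disabled | enabledForReportingButNotEnforced | enabled
        conditions    = @{
            users          = $users
            applications   = @{ includeApplications = @("All") }
            clientAppTypes = @("all")
        }
        grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
    }
}

# Pilot phase: pilot group only, report-only first, so the sign-in log shows the outcome
# the policy would have produced without anyone being blocked.
$body   = New-MfaPolicyBody -Name "MFA - Rollout" -State "enabledForReportingButNotEnforced" `
            -IncludeGroups $pilotGroupId -ExcludeGroups $breakGlassGroupId
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $body

# After reviewing the report-only results, enforce for the pilot group.
$body.state = "enabled"
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -BodyParameter $body

# Rollout phase: add departments one group at a time, rebuilding the body each time.
$body = New-MfaPolicyBody -Name "MFA - Rollout" -State "enabled" `
          -IncludeGroups @($pilotGroupId, $financeGroupId) -ExcludeGroups $breakGlassGroupId
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -BodyParameter $body

# Enforcement phase: all users, with only break-glass and the approved exception group excluded.
$body = New-MfaPolicyBody -Name "MFA - All users" -State "enabled" -AllUsers `
          -ExcludeGroups @($breakGlassGroupId, $exceptionGroupId)
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -BodyParameter $body

# Verification: successful sign-ins in the last 24 hours that completed with a single factor.
# Each one is a user, app or client the policy is not reaching (or an exclusion to review).
$since = (Get-Date).ToUniversalTime().AddHours(-24).ToString("yyyy-MM-ddTHH:mm:ssZ")
$gaps  = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since" |
    Where-Object {
        $_.Status.ErrorCode -eq 0 -and
        $_.AuthenticationRequirement -eq 'singleFactorAuthentication'
    } |
    Select-Object UserPrincipalName, AppDisplayName, ConditionalAccessStatus, CreatedDateTime
$gaps | Group-Object UserPrincipalName | Sort-Object Count -Descending | Select-Object Count, Name
```

A ConditionalAccessStatus of notApplied in the gap list means no policy matched the sign-in at all, which is the case to chase first; a singleFactorAuthentication sign-in from a member of the exception group is expected and should match the exception register.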
Automate this checklist with TrueConfig
TrueConfig automatically monitors your Microsoft 365 configuration against these best practices and alerts you when settings drift.