Why Passwords Are Not Enough – Protecting Microsoft 365 with Entra ID MFA

Passwords have been the foundation of account security for decades, but on their own they are no longer enough to protect your organization. Every day, millions of credentials are stolen through phishing, data breaches, and password leaks, and in most cases the person who lost them finds out the hard way. The good news is that the fix, Multi-Factor Authentication, is built into Microsoft 365 and Entra ID, and turning it on does not require a massive project.

This post is the first part in a series covering Multi-Factor Authentication and Conditional Access policies in Microsoft Entra ID. If you are an IT pro who is just getting started with these features, you are in the right place. No prior experience is required.

The Problem with Passwords

Passwords are broken, not because they are a bad idea in theory, but because of how they are used in the real world. People reuse them across multiple accounts, choose ones that are easy to remember but easy to guess, and fall for phishing pages that look exactly like the real thing. Every time a website gets breached, those credentials get posted online for attackers to use freely.

It is not entirely the end user’s fault. Most organizations enforce password complexity requirements that make passwords hard for users to remember but surprisingly easy for computers to crack. The result is a cycle of weak, reused, and predictable credentials that attackers exploit at massive scale.

Microsoft blocks over 7,000 password attacks every single second, and that number is more than double what it was just two years ago. The question is not whether your organization will be targeted. It is whether your accounts are protected when it happens.

How Attackers Steal Credentials

Understanding how credential theft works is important before you start building policies to stop it. There are three attacks every IT pro needs to know about.

Phishing

The first is phishing. An attacker sends a convincing email that appears to come from Microsoft, a bank, or your own IT team. The user clicks the link, enters their username and password on a fake login page, and the attacker now has their credentials. It is simple, effective, and people still fall for it every single day.

Password Spray

The second is password spray. Rather than hammering a single account with thousands of password attempts, which lockout policies catch quickly, attackers try one common password against thousands of different accounts. Most accounts will not match, but enough will. Because each account only sees a single failed attempt, traditional lockout policies do not catch it.

Credential Stuffing

The third is credential stuffing. If an email address and password were ever exposed in a data breach, there is a good chance they are sitting in a database right now. Attackers take that list and automatically try it against Microsoft 365, Azure, and hundreds of other services. If the password was reused anywhere, they are in.

Why MFA Changes Everything

Multi-Factor Authentication (MFA) adds a second layer of verification on top of a password. Even if an attacker has a user’s password, they cannot get in without the second factor, which might be a push notification to a phone, a code from an authenticator app, or a physical security key. The factors are not all equal: a push approval or a six-digit code can still be relayed by a real-time phishing page or worn down by repeated prompts, while a security key or passkey is bound to the genuine site and resists both. Any of them, though, is a large step up from a password alone.

According to Microsoft, enabling MFA blocks over 99% of account compromise attacks. That is not a small improvement. That is a transformational shift in your security posture, and it is the single biggest thing you can do to protect your users.

Identity Is the New Perimeter

You have probably heard the security term Zero Trust. It sounds complicated, but the core idea is straightforward. In the old model of IT security, the focus was on protecting the network perimeter. If you were inside the corporate network, you were trusted. If you were outside, you were not. Firewalls and VPNs defined the boundary.

That model does not work anymore. Users are working from home, coffee shops, and airports, often on devices the company does not own or manage. Applications live in the cloud. Data moves everywhere. There is no perimeter left to protect.

With Zero Trust, instead of trusting the network, every single sign-in is verified. Who is the user? Are they on a trusted device? Where are they signing in from? Is this normal behavior for that account? A decision is made every time based on those factors. That is exactly what Conditional Access does in Microsoft Entra ID, and we will dig into that deeply in Parts 2 and 3 of this series.

Getting Started in the Entra ID Portal

In the video that accompanies this post, we take a tour of the Microsoft Entra ID portal and walk through three things every admin should look at when getting started with identity security.

The first stop is Sign-In Logs, found under the Monitoring section of Entra ID. This is where you can see every authentication attempt happening across your tenant in near real time. You can filter by success or failure, open individual events to see the user, application, IP address, location, and device, and start spotting suspicious activity immediately. It is one of the most useful tools available for both security monitoring and troubleshooting.
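The two attack patterns described earlier, password spray and a reused password that lets the attacker in, are visible in exactly the fields listed above. The following script is an added example, not code from the original post or from Microsoft: it flags a single source address that fails against many accounts with only one or two tries each, and then surfaces any successful sign-in from that same address. The sign-in records are constructed inline so it runs offline; the thresholds, the contoso.example accounts and the RFC 5737 addresses are all assumptions. Against a real tenant you would replace the sample with `Get-MgAuditLogSignIn` output, as the comment shows.

```powershell
# Added example (not code from the original post): flag password-spray activity in
# Entra sign-in records and surface any success from a spraying source, which is
# what a reused (credential-stuffed) password looks like in the logs.
#
# Assumptions: the records below are constructed so this runs offline. In a real
# tenant, replace $signIns with live data, e.g.
#   Connect-MgGraph -Scopes 'AuditLog.Read.All','Directory.Read.All'
#   $since   = (Get-Date).ToUniversalTime().AddHours(-24).ToString('o')
#   $signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All
# The thresholds are assumptions to tune: 5 accounts at no more than 2 tries each
# is a reasonable start because sprays deliberately stay under lockout limits.

function Find-PasswordSpray {
    param(
        [Parameter(Mandatory)] [object[]] $SignIns,
        [int] $MinAccounts   = 5,   # distinct accounts one IP must fail against
        [int] $MaxPerAccount = 2    # sprays try each account only once or twice
    )

    # Entra status codes: 0 = success, 50126 = invalid username or password.
    $failures = $SignIns | Where-Object { $_.Status.ErrorCode -eq 50126 }

    $spraySources = foreach ($byIp in ($failures | Group-Object IPAddress)) {
        # @() matters: a single Group-Object result exposes its own .Count (items, not groups).
        $perAccount = @($byIp.Group | Group-Object UserPrincipalName)
        $maxTries   = ($perAccount | Measure-Object Count -Maximum).Maximum
        if ($perAccount.Count -ge $MinAccounts -and $maxTries -le $MaxPerAccount) {
            [pscustomobject]@{
                IPAddress     = $byIp.Name
                Accounts      = $perAccount.Count
                MaxPerAccount = $maxTries
                Apps          = (@($byIp.Group.AppDisplayName) | Sort-Object -Unique) -join ', '
            }
        }
    }
    $sprayIps = @($spraySources | ForEach-Object IPAddress)

    # A successful sign-in from a spraying IP means a guessed or reused password worked.
    $compromised = $SignIns | Where-Object {
        $_.Status.ErrorCode -eq 0 -and $sprayIps -contains $_.IPAddress
    } | Select-Object UserPrincipalName, IPAddress, AppDisplayName, CreatedDateTime

    [pscustomobject]@{
        SpraySources      = @($spraySources)
        LikelyCompromised = @($compromised)
    }
}

# Constructed sample records shaped like Get-MgAuditLogSignIn output (only the
# properties the function reads). Addresses are RFC 5737 documentation ranges.
function New-SampleSignIn([string]$Upn, [string]$Ip, [int]$Code, [string]$App = 'Office 365 Exchange Online') {
    [pscustomobject]@{
        CreatedDateTime   = [datetime]::UtcNow
        UserPrincipalName = $Upn
        IPAddress         = $Ip
        AppDisplayName    = $App
        Status            = [pscustomobject]@{ ErrorCode = $Code }
    }
}

$sprayIp = '203.0.113.7'
$signIns = @(
    # One source, one attempt per account: under any lockout threshold, invisible per user.
    New-SampleSignIn 'alice@contoso.example' $sprayIp 50126
    New-SampleSignIn 'bob@contoso.example'   $sprayIp 50126
    New-SampleSignIn 'carol@contoso.example' $sprayIp 50126
    New-SampleSignIn 'dave@contoso.example'  $sprayIp 50126
    New-SampleSignIn 'erin@contoso.example'  $sprayIp 50126
    New-SampleSignIn 'frank@contoso.example' $sprayIp 0        # reused password: the attacker is in
    # A real user mistyping a password three times is not a spray (one account, one IP).
    New-SampleSignIn 'grace@contoso.example' '198.51.100.20' 50126 'Microsoft Teams'
    New-SampleSignIn 'grace@contoso.example' '198.51.100.20' 50126 'Microsoft Teams'
    New-SampleSignIn 'grace@contoso.example' '198.51.100.20' 0     'Microsoft Teams'
)

$result = Find-PasswordSpray -SignIns $signIns
$result.SpraySources      | Format-Table -AutoSize
$result.LikelyCompromised | Format-Table -AutoSize
```

On the sample data, the spray table lists 203.0.113.7 with five accounts and a maximum of one try per account, and the compromise table lists frank@contoso.example, whose success came from that same address; Grace's three typos are ignored because they touch a single account. The per-IP grouping catches a spray from one source; a stuffing campaign spread across many addresses needs a tenant-wide view (many accounts, one failure each, in a short window), which is where the Conditional Access and risk signals in Parts 2 and 3 come in.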

The second stop is the Identity Secure Score, found under Security and then Manage. Think of this as a security report card for your tenant. It shows your current score, breaks down the areas where you are doing well, and lists specific improvement actions Microsoft recommends. Requiring MFA for administrators is almost always near the top of that list. The goal is not a perfect score but continuous improvement over time.

The third stop is Security Defaults. This is Microsoft’s baseline MFA protection and the simplest way to get started. When enabled, Security Defaults enforce MFA registration for all users, require MFA for administrators on every sign-in, and block legacy authentication protocols. It is a single toggle that delivers immediate, meaningful protection for tenants that are not yet ready to build custom Conditional Access policies.

To enable Security Defaults, follow these steps:

  1. Sign in to the Azure portal and open Entra ID.
  2. Select Properties from the left navigation.
  3. Scroll to the bottom of the page and select Manage Security Defaults.
  4. Toggle Security Defaults to Enabled.
  5. Select Save and communicate the change to your organization.

Note that Security Defaults and Conditional Access are mutually exclusive: the toggle is unavailable while any Conditional Access policy is enabled in your tenant, and when you later move to custom Conditional Access policies you will turn Security Defaults off first.
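The same change can be made from Microsoft Graph PowerShell, which is handy when you manage several tenants or want the change recorded in a script rather than a screenshot. The script below is an added example, not code from the original post or from Microsoft. It assumes the Microsoft.Graph module is installed and that the signed-in admin holds a role that can change tenant security policy (Security Administrator or higher); it checks for active Conditional Access policies first, because the change cannot succeed while any are enabled, and reads the policy back afterwards rather than trusting the call.

```powershell
# Added example (not from the original post): the portal steps above, done from
# Microsoft Graph PowerShell so the change is scriptable and leaves a clear record.
# Assumes the Microsoft.Graph module is installed and the signed-in admin holds a
# role that can change tenant security policy (Security Administrator or higher).
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess'

function Enable-SecurityDefaults {
    # Security Defaults and Conditional Access are mutually exclusive, so check
    # first and report why instead of letting the update fail.
    $activeCa = @(Get-MgIdentityConditionalAccessPolicy -All |
        Where-Object { $_.State -ne 'disabled' })   # 'enabled' or report-only
    if ($activeCa.Count -gt 0) {
        Write-Warning 'Disable or delete these Conditional Access policies first:'
        $activeCa | Select-Object DisplayName, State | Format-Table -AutoSize | Out-Host
        return $false
    }

    $before = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
    if ($before.IsEnabled) {
        Write-Host 'Security Defaults are already enabled.'
        return $true
    }

    # Equivalent of flipping the toggle to Enabled and selecting Save.
    Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -BodyParameter @{ isEnabled = $true }

    # Re-read rather than trust the call: this is the state your users will experience.
    $after = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
    Write-Host "Security Defaults enabled: $($after.IsEnabled)"
    return [bool]$after.IsEnabled
}

Enable-SecurityDefaults
```

Connect-MgGraph signs you in interactively, so the admin account running this should itself already be protected by MFA. As in the portal, the step after the script is communicating the change to your users.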

What the MFA Registration Experience Looks Like

Once Security Defaults are enabled, users will be prompted to register for MFA the next time they sign in. The registration flow walks them through downloading the Microsoft Authenticator app, scanning a QR code to link their account, and confirming the setup with a test notification. Most users can complete the process in under two minutes, and Microsoft provides clear guidance at each step. Users have 14 days from their first sign-in after the change to finish registering; after that they cannot sign in until they do, so plan your communication around that window.

Admins can also direct users to aka.ms/mfasetup to complete registration proactively before the prompt appears at sign-in. This is a good option if you want to get ahead of the rollout and reduce helpdesk calls.
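To see who still needs that nudge, the registration report in Entra ID lists every user's registered methods. The script below is an added example, not code from the original post or from Microsoft: it pulls that report through Microsoft Graph PowerShell, keeps the users who have not registered for MFA, and puts administrators at the top, since an unregistered admin is the account you least want exposed. It assumes the Microsoft.Graph module and a reporting role (Reports Reader, Security Reader or higher); the CSV path is an arbitrary choice.

```powershell
# Added example (not from the original post): list who has not yet registered for
# MFA so the helpdesk can reach them before the sign-in prompt does, admins first.
# Assumes the Microsoft.Graph module and a reporting role (Reports Reader, Security
# Reader or higher); the output path is an arbitrary choice.
Connect-MgGraph -Scopes 'AuditLog.Read.All'

function Get-MfaRegistrationGap {
    # One record per user with the authentication methods they have registered.
    $details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

    $details |
        Where-Object { -not $_.IsMfaRegistered } |
        Select-Object UserPrincipalName, IsAdmin,
            @{ Name = 'Methods'; Expression = { $_.MethodsRegistered -join ', ' } } |
        Sort-Object @{ Expression = 'IsAdmin'; Descending = $true }, UserPrincipalName
}

$gap    = @(Get-MfaRegistrationGap)
$admins = @($gap | Where-Object IsAdmin).Count
Write-Host "$($gap.Count) users have not registered for MFA ($admins of them administrators)."

# Hand the list to the helpdesk, or feed it to a mail merge pointing at aka.ms/mfasetup.
$gap | Export-Csv -Path .\mfa-not-registered.csv -NoTypeInformation
```

Run it again a week into the rollout and the list should be shrinking; any administrator still on it is worth a phone call rather than another email.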

Take Action Today

Identity-based attacks are not slowing down, and passwords alone are no longer a reasonable defense. The tools covered in this post are built into Microsoft 365, they are not difficult to configure, and the impact is immediate. If your organization has not yet enabled MFA, today is the right day to start. Head to Entra ID in the Azure portal, check your Identity Secure Score, and take that first step toward a more secure environment.

Watch the full video and subscribe to the channel so you do not miss the rest of the series.

Links:

A Beginner’s Guide to the AZ-900
https://www.udemy.com/course/beginners-guide-az-900/?referralCode=C74C266B74E837F86969

Zero to Hero with Azure Virtual Desktop
https://www.udemy.com/course/zero-to-hero-with-windows-virtual-desktop/?referralCode=B2FE49E6FCEE7A7EA8D4

Hybrid Identity with Windows AD and Azure AD
https://www.udemy.com/course/hybrid-identity-and-azure-active-directory/?referralCode=7F62C4C6FD05C73ACCC3

Windows 365 Enterprise and Intune Management
https://www.udemy.com/course/windows-365-enterprise-and-intune-management/?referralCode=4A1ED105341D0AA20D2E

Password Strength
https://xkcd.com/936/

7000 Passwords Per Second
https://www.usnews.com/news/business/articles/2025-07-29/microsoft-authenticator-is-ending-password-autofill-soon-how-to-set-up-a-passkey-before-aug-1

MFA Prevents 99.9% of Attacks
https://www.microsoft.com/en-us/security/blog/2019/08/20/one-simple-action-you-can-take-to-prevent-99-9-percent-of-account-attacks/

Security Defaults
https://learn.microsoft.com/en-us/entra/fundamentals/security-defaults
