Multi-factor authentication is not a new idea. The security case for requiring a second factor before granting access to email, files, and business applications has been settled for years. What has changed is the urgency: compromised credentials are now the most common entry point for business email compromise, ransomware, and data breaches affecting mid-market companies in North and South Carolina.
And yet, a significant portion of businesses we audit in the Greenville, Charlotte, and Raleigh-Durham areas still have either no MFA or a partial implementation with gaps large enough to walk through. The reason is not ignorance of the risk. It is the rollout problem.
MFA done wrong creates an immediate, visible disruption. Outlook stops connecting for users still on legacy authentication protocols. Mobile email clients throw password prompts in a loop. Service accounts break. And the helpdesk phone starts ringing on day one. When that happens, the path of least resistance is to roll it back and declare the effort too disruptive.
This playbook is about how to do it so that does not happen, and why the AI-powered authentication capabilities inside Microsoft Entra ID change what is possible for Carolinas businesses that complete the deployment correctly.
Why MFA rollouts fail
The common failure modes follow a predictable pattern.
Legacy authentication is not blocked before MFA is enabled. Legacy auth protocols, specifically SMTP AUTH, IMAP, and POP3 over Basic Authentication, do not support MFA. When you enable MFA without blocking these protocols, users who are still connecting through them see authentication failures that look like their password stopped working. This is the number one source of Outlook disruption in a botched MFA deployment.
Service accounts and shared mailboxes are not inventoried. Most Microsoft 365 tenants have service accounts connected to line-of-business applications, copier scan-to-email functions, monitoring tools, and automated workflows. These accounts are not designed for interactive MFA. Enabling MFA tenant-wide without identifying them in advance breaks the workflows that depend on them.
The Authenticator app is not pre-staged. If your users arrive at work on rollout day and the first thing they see is a prompt to register an authentication method they have never heard of, you will spend the next two hours on the phone. Authenticator registration needs to happen before enforcement, not at the moment of enforcement.
Conditional Access policies are written too broadly. A policy that applies MFA to every sign-in from every device, including trusted corporate machines on the internal network, creates friction that is not proportional to the actual risk. That friction breeds workarounds, shadow IT, and deployment rollback.
What is actually happening under the hood
Microsoft 365 authentication has two paths. Modern authentication uses OAuth 2.0 tokens and supports MFA, Conditional Access, and device compliance checks. Legacy authentication uses Basic Auth, which sends a username and password in each request and has no mechanism to inject a second factor.
When you enable MFA on a user account, Microsoft starts requiring the second factor on the modern auth path. But if that user’s Outlook client is still connecting through legacy auth, which is still the default behavior for some older Outlook versions and many third-party mail clients, the connection bypasses MFA entirely and continues working on username and password alone. The user never sees an MFA prompt, and you have a false sense of security.
The correct sequence is to block legacy authentication first, confirm that all your users and applications have shifted to modern auth, and then enable MFA. Reversing the order breaks things. Following the order does not.
Entra ID Protection and AI-driven risk signals
One meaningful shift in how Microsoft handles authentication over the past two years is the integration of AI-powered risk signals into the sign-in process. This is where the technology stops being a simple checkbox and starts being a genuine transformation in how Carolinas businesses can defend themselves.
Entra ID Protection uses machine learning models trained on signals from billions of Microsoft sign-ins to identify patterns that indicate credential compromise. Unfamiliar sign-in locations. Impossible travel between two authentications. IP addresses associated with credential spray campaigns. Token replay from an unusual device. These signals feed a real-time risk score attached to each sign-in.
Conditional Access policies can act on that score. A low-risk sign-in from a compliant device on the corporate network might flow through with no friction. The same user signing in from an unrecognized browser at 2 AM from an overseas IP address triggers a step-up authentication requirement or blocks the attempt entirely.
This is a materially different model from the flat MFA rule that many businesses default to. Flat MFA treats every sign-in as equally suspicious and adds friction uniformly. Risk-based Conditional Access applies friction where the risk justifies it and removes friction where it does not. For a 100-person company in Greenville where half the workforce is mobile and the other half is at a fixed desk, the right policy is not identical for both groups.
Entra ID P2 is required for risk-based Conditional Access policies. It is included in Microsoft 365 E5 and is available as an add-on for E3 tenants. For businesses with meaningful compliance exposure, the investment is worth evaluating as part of the overall security roadmap.
Pre-deployment checklist
Before enabling MFA for any user, complete the following.
Audit legacy authentication usage. In the Entra admin center, open Sign-in logs and filter by Client App. Look for connections showing SMTP AUTH, IMAP, POP3, Exchange ActiveSync with Basic Auth, and Exchange Web Services with Basic Auth. Document every account still using these protocols.
Identify all service accounts. Pull the full user list from the Microsoft 365 admin center and tag every account that is not associated with a human: printer and copier scan-to-email, SIEM integrations, monitoring agents, line-of-business application connectors, and automated reporting tools. These need to move to app-only modern auth or certificate-based authentication before MFA is enabled.
Inventory Outlook and mail client versions. Outlook 2013 and earlier do not support modern authentication by default. Outlook 2016 supports it with a registry key. Outlook 2019 and Microsoft 365 Apps use it by default. Know what is in your environment. Any client that does not support modern auth needs to be updated or migrated before enforcement.
Enable the Authentication methods policy. In the Entra admin center, confirm that the Microsoft Authenticator app is enabled as an authentication method for your tenant. This is the target method for most business users.
Create a test group. Never run a Conditional Access policy against your entire tenant on day one. Create a security group, add five to ten volunteer users from different departments, enable MFA for the group, and validate the experience before expanding.
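As an added example (not part of the original post), the legacy authentication audit from the checklist above can be pulled from the sign-in logs with the Microsoft Graph PowerShell SDK rather than clicked through in the portal, producing one row per account and protocol to work from when tagging service accounts and outdated mail clients. It assumes the Microsoft.Graph.Reports module is installed, the admin can consent to the listed scopes, and that the client app names match what the Entra sign-in logs record for these protocols.

```powershell
# Added example, not from the original post: summarise legacy (Basic Auth) sign-ins
# per account so each one can be tagged as "mail client to upgrade" or "service account".
# Assumes Microsoft.Graph.Reports is installed and the admin can consent to the scopes below.
# Sign-in log retention is 30 days on Entra ID P1/P2, so 30 days is the most the logs can give.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All" -NoWelcome

# Client app names Entra records for the legacy protocols named in the audit step
# (assumed to match the sign-in log's Client App column).
$legacyClientApps = @(
    "Authenticated SMTP", "IMAP4", "POP3",
    "Exchange ActiveSync", "Exchange Web Services", "Other clients"
)
$since = (Get-Date).ToUniversalTime().AddDays(-30).ToString("yyyy-MM-ddTHH:mm:ssZ")

$legacySignIns = foreach ($app in $legacyClientApps) {
    # Date and client app are filtered server-side; -All follows the paging.
    Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since and clientAppUsed eq '$app'"
}

# One row per account and protocol: who is still on legacy auth, how often, and from where.
$report = $legacySignIns |
    Group-Object UserPrincipalName, ClientAppUsed |
    ForEach-Object {
        $first = $_.Group[0]
        [pscustomobject]@{
            User      = $first.UserPrincipalName
            ClientApp = $first.ClientAppUsed
            SignIns   = $_.Count
            # ErrorCode 0 is a successful sign-in; failures are still worth noting, as they
            # show a client that is configured for legacy auth even if it is not working.
            Succeeded = @($_.Group | Where-Object { $_.Status.ErrorCode -eq 0 }).Count
            LastSeen  = ($_.Group.CreatedDateTime | Measure-Object -Maximum).Maximum
            SourceIPs = ($_.Group.IPAddress | Sort-Object -Unique) -join ";"
        }
    } | Sort-Object SignIns -Descending

$report | Format-Table -AutoSize
# The CSV becomes the inventory the service-account and mail-client steps work from.
$report | Export-Csv -Path ".\legacy-auth-audit.csv" -NoTypeInformation
```

Accounts whose only sign-ins are SMTP AUTH from a fixed internal IP are usually the copiers and monitoring tools the service-account step is looking for; accounts mixing IMAP4 with browser sign-ins are usually a person on an old mail client.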
Phase 1: Disable legacy authentication
The first production step is blocking legacy authentication protocols.
In the Entra admin center, create a Conditional Access policy:
- Users: All users
- Cloud apps: Exchange Online and SharePoint Online
- Conditions, Client apps: SMTP AUTH, Exchange ActiveSync, IMAP4, POP3, Other Clients
- Grant: Block Access
Before you enforce this policy, switch it to Report-Only mode for two weeks. Report-Only mode evaluates every sign-in against the policy and logs whether it would have been blocked, without actually blocking anything. Review the sign-in logs for the report-only period to find any legitimate connections that would break.
For printers and copiers that send mail through SMTP AUTH, the migration path is to configure them to use Microsoft 365 SMTP relay through a send connector, which does not require per-user authentication and is not affected by the legacy auth block. Document each device, test the relay configuration, and confirm it is working before you enforce the block.
For line-of-business applications still using Basic Auth, coordinate with the vendor or your development team to migrate to OAuth 2.0 app registration. Most modern application frameworks support this. For legacy applications that do not, the options are an application proxy, service principal credentials with certificate-based auth, or a planned migration timeline.
Once you are confident that no legitimate traffic will be blocked, switch the legacy auth policy from Report-Only to Enabled.
Phase 2: Register Authenticator for all users
Before enforcement, get every user registered with an authentication method.
The smoothest approach is to push a communication to all users explaining that a security update requires them to register the Microsoft Authenticator app. Include a link to the self-service registration page at mysignins.microsoft.com, a link to the Authenticator app in the App Store or Google Play, and a deadline.
For users without personal smartphones who cannot install Authenticator, configure OATH hardware tokens or FIDO2 security keys as alternatives. Phone call and SMS OTP are options for edge cases, though they are lower-assurance methods than app-based authentication and are worth reserving for genuine exceptions.
Track registration status in the Entra admin center under Users > Authentication methods. Set a deadline and follow up with managers for any users who have not registered by the date. Do not proceed to enforcement until registration coverage is above 95 percent for the groups you are targeting.
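Checking the 95 percent registration gate for a rollout wave can be scripted against the authentication methods registration report, as an added example that is not from the original post. It assumes Microsoft.Graph.Reports and Microsoft.Graph.Groups are installed, the admin consents to the scopes listed, and that the group name is a placeholder for your own wave group.

```powershell
# Added example, not from the original post: measure MFA registration coverage for one
# rollout group and list who still needs to register before enforcement is switched on.
# Assumes Microsoft.Graph.Reports and Microsoft.Graph.Groups are installed.
Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All", "GroupMember.Read.All" -NoWelcome

$groupName = "MFA-Wave-1"   # placeholder: the security group for this rollout wave
$threshold = 0.95           # the 95 percent coverage gate from the playbook

$group   = Get-MgGroup -Filter "displayName eq '$groupName'" | Select-Object -First 1
$members = Get-MgGroupMember -GroupId $group.Id -All
$memberIds = @{}
foreach ($m in $members) { $memberIds[$m.Id] = $true }

# The registration report covers every user in the tenant; keep only this wave's members.
$details = @(Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { $memberIds.ContainsKey($_.Id) })

$registered = @($details | Where-Object { $_.IsMfaRegistered })
$missing    = @($details | Where-Object { -not $_.IsMfaRegistered })
$coverage   = if ($details.Count -gt 0) { $registered.Count / $details.Count } else { 0 }

"{0}: {1} of {2} members registered ({3:P1})" -f $groupName, $registered.Count, $details.Count, $coverage

# This is the follow-up list to hand to managers before the deadline.
$missing |
    Select-Object UserPrincipalName, UserDisplayName,
        @{ n = "Methods"; e = { $_.MethodsRegistered -join "," } } |
    Sort-Object UserPrincipalName | Format-Table -AutoSize

if ($coverage -lt $threshold) {
    Write-Warning ("Coverage {0:P1} is below the {1:P0} gate; do not enable enforcement for {2} yet." -f $coverage, $threshold, $groupName)
}
```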
Phase 3: Enable MFA through Conditional Access
Do not use the legacy Per-User MFA setting in the Microsoft 365 admin center. It is being phased out and creates management complexity. Use Conditional Access.
Create a Conditional Access policy:
- Users: your pilot group
- Cloud apps: All cloud apps, or scope to Exchange Online, SharePoint Online, and Teams initially
- Grant: Require multi-factor authentication
- Mode: Report-Only first, then Enabled
Run the pilot group in Report-Only for one week, review the sign-in logs, and validate that the experience is what you expect. Then enable enforcement for the pilot group and monitor helpdesk volume for one to two weeks.
After a stable pilot period with no significant disruption, expand to your next group. Continue in waves until the policy covers all users. The total deployment timeline for a 100-person company done carefully is four to six weeks from pre-deployment audit to full enforcement.
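The Phase 1 legacy authentication block and the Phase 3 pilot MFA policy share the same shape, so both can be created in Report-Only mode from one function with the Graph PowerShell SDK. This is an added example rather than the post's own configuration; it assumes Microsoft.Graph.Identity.SignIns is installed, the admin consents to the scopes listed, and the pilot group object ID is a placeholder to replace.

```powershell
# Added example, not from the original post: create the Phase 1 legacy-auth block and the
# Phase 3 pilot MFA policy in Report-Only mode. Assumes Microsoft.Graph.Identity.SignIns.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All" -NoWelcome

function New-ReportOnlyCaPolicy {
    param(
        [Parameter(Mandatory)] [string]    $DisplayName,
        [Parameter(Mandatory)] [hashtable] $Conditions,
        [Parameter(Mandatory)] [string[]]  $GrantControls   # "block" or "mfa"
    )
    # Every policy starts in Report-Only; it is switched to enabled only after the log review.
    $body = @{
        displayName   = $DisplayName
        state         = "enabledForReportingButNotEnforced"
        conditions    = $Conditions
        grantControls = @{ operator = "OR"; builtInControls = $GrantControls }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# Well-known first-party application IDs for the two apps the Phase 1 policy targets.
$exchangeOnline   = "00000002-0000-0ff1-ce00-000000000000"
$sharePointOnline = "00000003-0000-0ff1-ce00-000000000000"

# Phase 1: block legacy authentication for all users. In the Graph model, SMTP AUTH, IMAP4
# and POP3 fall under the "other" client app type; Exchange ActiveSync has its own value.
$legacyBlock = New-ReportOnlyCaPolicy -DisplayName "CA001 - Block legacy authentication" `
    -GrantControls @("block") -Conditions @{
        users          = @{ includeUsers = @("All") }   # production tenants also exclude an emergency-access account here
        applications   = @{ includeApplications = @($exchangeOnline, $sharePointOnline) }
        clientAppTypes = @("exchangeActiveSync", "other")
    }

# Phase 3: require MFA for the pilot group only, across all cloud apps and client types.
$pilotGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder: the pilot security group's object ID
$pilotMfa = New-ReportOnlyCaPolicy -DisplayName "CA002 - Require MFA (pilot group)" `
    -GrantControls @("mfa") -Conditions @{
        users          = @{ includeGroups = @($pilotGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }

"Created in Report-Only: $($legacyBlock.DisplayName) [$($legacyBlock.Id)], $($pilotMfa.DisplayName) [$($pilotMfa.Id)]"

# After the report-only review period, enforce a policy by changing only its state:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $legacyBlock.Id -State "enabled"
```

Expanding to the next wave is a matter of adding that wave's group to `includeGroups` on the MFA policy, not creating a new policy per wave.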
Phase 4: Named locations and trusted networks
Once baseline MFA is running, refine the policy with trusted network exceptions.
In the Entra admin center, define Named Locations for your office IP ranges. Create a Conditional Access policy that excludes these locations from the MFA requirement for compliant, domain-joined devices. Users at a trusted desk on a managed device get a lower-friction experience. Users on personal devices from home or traveling still get MFA.
This is the difference between a security control that employees work around and one they accept as part of normal workflow. The friction reduction for trusted sign-ins has a measurable effect on adoption rates and support volume.
Passwordless: where this is heading
MFA is not the destination. It is the current standard. The direction Microsoft and the broader identity industry are moving is passwordless authentication: a model where the shared secret is eliminated entirely and replaced with cryptographic proof tied to a registered device.
Microsoft Authenticator supports passwordless phone sign-in, which uses a push notification to the registered device and a biometric or PIN confirmation. FIDO2 security keys provide hardware-based passwordless authentication that works across browsers without any app. Windows Hello for Business integrates face or fingerprint recognition into the sign-in flow for managed Windows devices.
For a Carolinas business that has completed its MFA rollout and is now looking at what comes next, passwordless authentication is the right long-term target. It eliminates credential phishing as a risk category entirely. A phishing page that captures a password gets nothing useful if the password is not used in the first place.
The migration path is not binary. You can move roles and user groups to passwordless incrementally, starting with your highest-risk accounts such as executives and IT administrators, and expanding as the organization builds confidence in the new workflow.
What AI-powered authentication actually means for Carolinas businesses
The risk signal layer that sits underneath Conditional Access is worth understanding concretely, because it represents a genuine transformation in what a mid-market business can defend against without a dedicated security operations team.
When Entra ID Protection flags a sign-in as high risk, it is drawing on a model trained on Microsoft’s global authentication telemetry. That telemetry includes signals from honeypot accounts designed to capture credential spray traffic, intelligence about IP addresses associated with known threat actors, patterns of account behavior that precede confirmed compromises, and anomaly detection against each user’s baseline sign-in behavior.
For a Carolinas manufacturing company or professional services firm that does not have analysts watching logs around the clock, this represents AI-powered threat detection operating continuously in the background. The AI is doing the signal processing and surfacing the sign-ins that need human attention.
The practical implication: a user whose credentials were sold in a dark web breach gets their account flagged before your security team runs a manual report. The risk-based policy steps up the authentication requirement on the anomalous sign-in, and your security team gets an alert to investigate. Without this capability, that same breach plays out silently until someone notices unusual email forwarding or exfiltrated data.
This is what AI transforming business security looks like in practice. Not a dramatic product announcement, but a continuous, machine-speed review of authentication events that would be impossible to replicate with manual processes at mid-market scale and budget.
The Carolinas business case
For businesses in eastern North Carolina, including Pitt County and the surrounding counties, the threat profile that makes MFA urgent is specific. Business email compromise targets companies in professional services, construction, healthcare, and manufacturing, the sectors that make up the regional economy.
Business email compromise works by compromising one account, usually through a phishing link or a credential spray against a tenant with weak authentication, and then using that access to monitor email conversations until a financial transaction is in motion. The attacker diverts a payment by impersonating the compromised user and redirecting wire transfer or ACH instructions.
The losses from successful BEC attacks against businesses of this size typically run from $50,000 to $500,000 per incident. Cyber insurance carriers are tightening coverage requirements, and many policies now have explicit MFA requirements in the underwriting questionnaire. Answering “no” to those questions either increases your premium significantly or results in declined coverage.
MFA is not a complex technology investment for a company of this size. The Microsoft Authenticator app is free. The Conditional Access tooling to configure a reasonable policy is included in Microsoft 365 Business Premium and E3. The primary cost is implementation work and user communication. That investment has a measurable return before the first prevented incident.
Getting started
The pre-deployment audit is the first step and the one most businesses skip. Do not enable MFA before you know what legacy authentication your tenant is using and where your service accounts are. The audit takes half a day. Skipping it costs you a week of disruption and a potential rollback.
If you want help with the audit, the policy design, or the rollout, this is work we do regularly for businesses across North and South Carolina. Get in touch and we can walk through your tenant’s current state and what a deployment timeline looks like for your organization.