5 July 2026
Multi-factor authentication is one of the most common reasons businesses fail Cyber Essentials. Here's exactly what MFA is required, where it applies, and how to get compliant.
Multi-factor authentication (MFA) — sometimes called two-factor authentication or 2FA — is one of the most frequently misunderstood requirements in Cyber Essentials v3.3. It is also one of the most common reasons businesses fail their assessment. This guide explains exactly what is required, where it applies, and the most common gaps we see in practice.
Under Cyber Essentials v3.3 (the current standard as of April 2026), MFA is mandatory in two specific areas:
This applies to ALL user accounts — not just administrators. This is a common misconception. If a standard employee can log into Microsoft 365 without MFA, your business will fail the assessment, regardless of whether admin accounts are protected.
Cyber Essentials accepts several forms of MFA as compliant:
Email-based one-time codes do NOT count as MFA for Cyber Essentials purposes, since email itself may be the account being accessed.
In our pre-checks, these are the MFA gaps that come up most frequently:
For Microsoft 365, the recommended approach is to use Azure AD Conditional Access (available on Microsoft 365 Business Premium or higher) to require MFA for all sign-ins. For smaller plans without Conditional Access, enable Security Defaults in the Azure AD portal — this enforces MFA for all users and blocks legacy authentication.
Our free pre-check includes specific questions about MFA across cloud services and remote access. If you answer any of them as PARTIAL or NO, we'll flag the exact gap and tell you how to fix it. Book a free 30-minute call and we'll review your MFA configuration with you.
// TAKE THE NEXT STEP
Our RADAR_CHECK questionnaire takes 10 minutes. Book a free 30-minute call and we'll walk you through your results and tell you exactly what to fix.
START FREE CHECK >>