Setting Up MFA in Microsoft 365

by Jon Lober | NOC Technology

A Non-Technical Guide

Your IT person just told you that you need to set up MFA on your Microsoft 365 account. You're probably thinking: "What's MFA? Will I lose access to my email? How long will this take? Is it actually necessary, or is this just one more annoying tech thing I have to deal with?"


Those are fair questions. MFA has a reputation for being confusing and inconvenient, but it doesn't have to be either. This guide will walk you through what MFA actually is, why your IT team is pushing for it, and exactly how to set it up on your Microsoft 365 account—even if you don't consider yourself "tech-savvy."

What Is MFA, Really?

MFA stands for Multi-Factor Authentication. In plain English, it means you need two things to log in instead of just one.

Think of it like a safe deposit box at a bank. You can't open the box with just your key—the bank also needs to use their key. Neither key works alone. MFA works the same way: your password is one key, and your phone is the other. Even if someone steals your password, they still can't get in without your phone.


The "factors" in multi-factor authentication are just different ways of proving you're you. Usually, it's something you know (your password) plus something you have (your phone). Some systems add a third factor, like something you are (fingerprint or face recognition), but for most business purposes, two factors are enough.


The reason your IT team wants this is straightforward: passwords alone don't work anymore. People reuse them. They get leaked in data breaches. They get guessed. Adding that second factor closes the gap between a stolen password and a compromised account.

Why MFA Matters for Your Business

Here's what actually happens when someone doesn't have MFA enabled and their password gets compromised.

Attackers don't just read your email—they use your account as a launching pad. They'll search your inbox for banking information, client data, wire transfer instructions, and anything else valuable. Then they'll set up email forwarding rules so they can monitor your conversations without you knowing. They'll wait for the right moment (usually when you're about to send or receive money) and redirect the payment to their own account.


This isn't hypothetical. We've seen it happen to St. Louis businesses. A construction company had their bookkeeper's email compromised. The attackers monitored emails for two weeks, then intercepted a $47,000 payment by sending a fake invoice that looked identical to the real one. By the time anyone noticed, the money was gone.


The FBI's Internet Crime Complaint Center reports that business email compromise (BEC) attacks cost U.S. businesses over $2.9 billion in 2023 alone. Most of those attacks started with a compromised email account that didn't have MFA enabled.


This isn't about fear-mongering. It's about understanding why that extra login step exists. Yes, MFA adds friction. But compare a few extra seconds at login to explaining to your clients why their data was exposed, or to your bank why you wired money to criminals.

MFA Methods: Which One Should You Use?

Microsoft 365 supports several MFA methods. Here's what each one means for you:


Authenticator App (Microsoft Authenticator) - This is the recommended option for most people. You install an app on your phone that generates a code or sends you a push notification when you log in. It's fast, and the codes it generates work offline and don't require cell service. The biggest advantage: even if someone intercepts your SMS messages (which happens more than you'd think), they can't get into your account.


SMS Text Message - Microsoft sends a code to your phone via text. This is easier to understand, but less secure than the authenticator app. Attackers can sometimes intercept text messages through SIM-swapping attacks, where they convince your phone carrier to transfer your number to their device. If you're using SMS and want to upgrade to the authenticator app later, you can. It only takes a few minutes.


Phone Call - Microsoft calls you and you press a key to verify. This works if you don't have a smartphone, but it's slow and inconvenient. Most people move away from this method after a few weeks.


Security Key - This is a physical device (like a YubiKey) that you plug into your computer or tap to your phone. It is the most secure option, but it requires buying hardware and carrying it with you. Most small businesses don't need this level of security unless they're in a high-risk industry.


For most employees, the Microsoft Authenticator app is the right choice. It balances security and convenience, and Microsoft has designed it to be as seamless as possible.

Step-by-Step: Setting Up Microsoft Authenticator

Here's exactly how to set up MFA with the Microsoft Authenticator app. This process takes about five minutes.

Before you start, download the Microsoft Authenticator app on your phone. It's free and available in both the Apple App Store and Google Play Store. Search for "Microsoft Authenticator." Make sure it's the official app from Microsoft Corporation.


Step 1: On your computer, go to https://aka.ms/mfasetup and sign in with your Microsoft 365 email and password.


Step 2: You'll see a screen that says "More information required." Click "Next."


Step 3: Microsoft will ask how you want to prove your identity. Select "Mobile app" and choose "Receive notifications for verification." Click "Set up."


Step 4: A QR code will appear on your screen. This is what connects your phone to your account.


Step 5: On your phone, open the Microsoft Authenticator app. Tap the plus sign (+) to add an account. Select "Work or school account," then "Scan a QR code."


Step 6: Point your phone's camera at the QR code on your computer screen. The app will automatically add your account.


Step 7: Back on your computer, click "Next." Microsoft will send a test notification to your phone.


Step 8: On your phone, you'll see a notification asking you to approve the sign-in. Tap "Approve."


Step 9: You're done. Click "Next" on your computer to finish the setup.

From now on, when you sign into Microsoft 365, you'll enter your password as usual, then get a notification on your phone asking you to approve the login. Tap "Approve" and you're in. The whole process adds about three seconds to your login.


We've helped dozens of Greater St. Louis businesses get their teams through MFA rollouts without losing productivity. The most common feedback after setup is: "That was easier than I expected."

Troubleshooting: What If Something Goes Wrong?

Even with a smooth setup, things can go sideways. Here's how to handle the most common problems.


You lost your phone or got a new one. This is the most common issue. Before you panic, check if you set up backup methods during your MFA setup. If you have a backup phone number or another authentication method, you can use that to log in. If not, contact your IT administrator—they can temporarily disable MFA on your account so you can set it up again on your new phone. For businesses we work with in the Missouri area, this is usually a same-day fix.


You're not getting the notification. First, make sure your phone has internet access (Wi-Fi or cellular). If notifications still aren't coming through, open the Authenticator app and try using the 6-digit code instead—the app generates a new code every 30 seconds. Enter that code on your computer instead of waiting for the push notification.


The code isn't working. The most common cause is time sync issues. Make sure your phone's date and time are set to automatic. In the Authenticator app, go to Settings and tap "Time correction for codes" to sync the app's clock.


You're locked out and can't get in at all. Contact your IT administrator. They have the ability to reset your MFA settings so you can start fresh. This is why it's important to have a responsive IT team—getting locked out of your email for days while waiting for a support ticket is painful.


Set up backup options now, not later. During setup, Microsoft gives you the option to add a backup phone number or set up backup codes. Do this. Write down the backup codes and store them somewhere safe (not in your email). When your phone dies or gets stolen, you'll be grateful you did.


The extra step MFA adds to your login is real, but it's measured in seconds, not minutes. What it prevents—account takeovers, data breaches, financial fraud—is measured in thousands of dollars and months of cleanup. That's a trade worth making.


If you're rolling out MFA to a team and want to make sure it goes smoothly, we publish our managed IT pricing because we think you should know what IT support costs before you pick up the phone.

Frequently Asked Questions

What happens if I lose my phone?
If you set up backup methods during MFA configuration, you can use those to sign in. If not, contact your IT administrator - they can temporarily reset your MFA so you can set it up on a new device. This is why we always recommend saving backup codes somewhere safe (not in your email) during initial setup.
Does everyone in my company need MFA?
Yes. Microsoft now enables "security defaults" on all new tenants, which requires MFA for everyone. Even if your account doesn't have sensitive data, attackers can use a compromised account to send phishing emails to coworkers or clients. Every account is a potential entry point.
Will MFA slow me down every time I check my email?
Not really. Microsoft remembers your device for 90 days by default, so you won't get prompted every single login. You'll typically only see MFA prompts when signing in from a new device, a new location, or after clearing your browser cookies. On familiar devices, it's mostly invisible.
Is SMS verification good enough, or do I need the app?
SMS is better than nothing, but the authenticator app is more secure. SMS messages can be intercepted through SIM-swapping attacks, where criminals convince your phone carrier to transfer your number to their device. The app generates codes locally on your phone, so there's nothing to intercept.
What if I don't have a smartphone?
You can use phone call verification instead - Microsoft will call you and ask you to press a key. You can also use a physical security key that plugs into your computer. Talk to your IT administrator about which option works best for your situation.
Can I use the same authenticator app for multiple accounts?
Yes. The Microsoft Authenticator app can hold multiple accounts - your work account, personal Microsoft account, and even accounts from other services like Google or Amazon. Each one appears as a separate entry in the app, making it easy to manage all your MFA in one place.
How do St. Louis businesses typically handle MFA rollout?
Most businesses we work with in the Greater STL area roll out MFA in phases - starting with executives and finance, then expanding to the full team over a few weeks. This gives IT time to support anyone who has trouble, and lets people get used to the change gradually rather than all at once.