Lesson 6.4 — Multi-factor authentication: cloud services, users, administrators and supplier access
This lesson helps the learner understand the Cyber Essentials multi-factor authentication requirement.
What You'll Be Able to Do
By the end of this lesson, you will be able to:
- identify which systems and accounts require MFA
- explain why cloud services need MFA
- choose appropriate MFA methods
- recognise weak or incomplete MFA implementations
- review administrator and supplier MFA coverage
- produce evidence that MFA is enabled and enforced.
Why This Matters
This lesson explains what MFA is, why cloud services need MFA, how MFA applies to standard users, administrators, suppliers and remote access, what counts as a second factor, and how to evidence MFA without collecting secrets or recovery codes.
The most common problems are:
- assuming MFA is enabled because the service supports it;
- enabling MFA for admins only;
- forgetting standard users;
- forgetting cloud services outside Microsoft 365.
The Core Rule
MFA makes account compromise harder by requiring more than one authentication factor.
Cloud services should always use MFA.
What the CE Assessor Looks For
A strong position shows:
- all cloud services are identified;
- MFA is enforced for cloud service access;
- MFA is enabled where available for other in-scope services;
- administrators use MFA;
- supplier accounts use MFA;
- remote access uses MFA.
Common Mistakes
- assuming MFA is enabled because the service supports it;
- enabling MFA for admins only;
- forgetting standard users;
- forgetting cloud services outside Microsoft 365;
- forgetting SaaS tools bought by departments;
- forgetting password managers.
Copy This
Keep this rule visible:
If an account gives access to organisational data or services, check whether MFA is available, enable it where required, and keep evidence that it is enforced.
Quick Checklist
Before moving on, make sure you can answer each of these:
- [ ] What is MFA?
- [ ] Why is MFA important?
- [ ] What does Cyber Essentials expect for cloud services?
- [ ] Is MFA only needed for administrator accounts?
- [ ] Why are supplier accounts included in the MFA review?
Your Action
Do this now — it takes 10–20 minutes.
Check MFA status on every cloud service in your scope list. Record for each: enabled, not enabled, or not available. Add the record to Section UAC.
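As an added example (not part of this lesson or of any Cyber Essentials tooling), the following Python script applies the lesson's rules to a constructed account inventory: cloud services must have MFA enforced, administrator, supplier and remote-access accounts need enforced MFA, and "MFA is available" or "some users turned it on" is recorded as a gap rather than as coverage. The status labels, role names and inventory entries are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:
    service: str
    role: str      # "user", "admin" or "supplier" (labels assumed for this example)
    cloud: bool    # True for any cloud/SaaS service in the scope list
    remote: bool   # True if the account gives remote access to the network
    mfa: str       # "enforced", "enabled", "not enabled" or "not available"

def review_account(a: Account) -> str:
    """Return "ok" or a one-line finding for the evidence record."""
    tag = f"{a.service} ({a.role})"
    if a.mfa == "enforced":
        return "ok"
    if a.cloud:
        # Cloud services always need MFA; "enabled but optional" is not enforcement.
        return f"{tag}: cloud service, MFA must be enforced (status: {a.mfa})"
    if a.role in ("admin", "supplier") or a.remote:
        if a.mfa == "not available":
            return f"{tag}: admin, supplier or remote access with no MFA available"
        return f"{tag}: admin, supplier or remote access without enforced MFA (status: {a.mfa})"
    if a.mfa == "not enabled":
        return f"{tag}: MFA available but not enabled"
    return "ok"  # standard user on a non-cloud service: enabled, or not available

def review(accounts):
    """Return (findings, summary): the gap list and a count of each MFA status."""
    findings = [f for f in (review_account(a) for a in accounts) if f != "ok"]
    summary = {}
    for a in accounts:
        summary[a.mfa] = summary.get(a.mfa, 0) + 1
    return findings, summary

# Constructed inventory illustrating the lesson's common mistakes.
INVENTORY = [
    Account("Microsoft 365", "user", True, False, "enforced"),
    Account("Microsoft 365", "admin", True, False, "enforced"),
    Account("Departmental CRM (SaaS)", "user", True, False, "enabled"),  # bought by a department
    Account("Password manager", "user", True, False, "not enabled"),
    Account("VPN gateway", "user", False, True, "not enabled"),
    Account("Backup appliance", "supplier", False, True, "not available"),
    Account("Internal wiki", "user", False, False, "not available"),
]

if __name__ == "__main__":
    findings, summary = review(INVENTORY)
    print("MFA status summary:", summary)
    for line in findings:
        print("GAP:", line)
```

The printed summary and gap list are the kind of record the workbook asks for; the "enabled" CRM entry is flagged because enabled is not the same as enforced.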
Key Takeaway
If an account gives access to organisational data or services, check whether MFA is available, enable it where required, and keep evidence that it is enforced.
Your Workbook Activity
Complete: MFA coverage and enforcement review record
Next Lesson
In the next lesson: Password-based authentication: password quality, technical controls and user guidance