Cyber Essentials MFA Cloud Auto-Fail
MFA problems usually hide in the gaps between policy intent and tenant reality - broad exclusions, awkward guest access, old admin habits, and emergency accounts that nobody really monitors.
There is no polite version of this one.
The current Cyber Essentials position is that cloud service authentication must always use MFA, and IASME has highlighted auto-fail treatment for not implementing MFA where it is available. For Microsoft 365 environments, that moves MFA out of the "security improvement" bucket and into the "basic pass condition" bucket.
Quick answer
Do not rely on MFA registration reports. Prove enforcement through Security Defaults or Conditional Access, check exclusions, cover admin portals, understand guest behaviour, control authentication methods and document emergency accounts.
Who this affects
This affects Microsoft 365 tenants preparing for Cyber Essentials or Cyber Essentials Plus where Entra ID controls access to email, files, Teams, admin portals or other in-scope cloud services.
It matters most where the tenant has report-only policies, legacy MFA settings, broad exclusion groups, service accounts or old emergency accounts.
What usually goes wrong
| Gap | Why it matters |
|---|---|
| Broad Conditional Access exclusions | A good-looking policy can still leave whole groups outside enforcement |
| Admin portals not treated as high priority | The accounts with the most power need the least ambiguity |
| Guest access assumptions | External users can still become a weak point if trust settings are not understood |
| Legacy policy sprawl | Older CA policies can overlap badly and create strange results |
| Emergency accounts without controls | Break-glass is fine. Break-glass plus zero monitoring is not fine |
One practical rule helps here: if you cannot explain why an exclusion exists in one sentence, it probably should not be there.
What to check first
| Check | Where to look | Bad sign |
|---|---|---|
| User MFA enforcement | Security Defaults or Conditional Access | Only registration evidence exists |
| Admin MFA enforcement | CA targeting admin roles/admin portals | Admin portals are not explicitly covered |
| Exclusions | CA policy exclusions and named groups | Temporary groups with no owner |
| Legacy authentication | Sign-in logs and CA controls | Basic auth still visible |
| Guest behaviour | Cross-tenant and guest access settings | Nobody knows what guests must do |
| Emergency accounts | Account list, storage and monitoring | No alerting or review date |
Evidence to collect
| Question | Evidence |
|---|---|
| Are users required to do MFA? | Conditional Access policy export or screenshots showing scope and grant controls |
| Are admin paths covered? | Separate policy or documented coverage for admin portals and privileged roles |
| Are there exclusions? | Named exclusion list with owner and reason |
| Are methods controlled? | Authentication methods policy |
| Are emergency accounts governed? | Account list, storage method, alerting process and review notes |
If all you have is one screenshot of a policy name, you do not really have evidence yet.
Fix path
- Decide whether Security Defaults or Conditional Access is the active enforcement model.
- Target all users and in-scope cloud apps unless a documented reason says otherwise.
- Add explicit admin coverage for privileged roles and admin portals.
- Remove stale exclusions and put expiry dates on the ones that remain.
- Review authentication methods and phase out weak methods where possible.
- Document emergency accounts and alert on their use.
- Test with a normal user and an admin before assessment.
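As an added example that is not from the original page, the following Python checker applies the "What to check first" items and the fix path above to a Conditional Access export in the Microsoft Graph conditionalAccessPolicy shape (the `value` array returned by `GET /identity/conditionalAccess/policies`). The sample export and its bracketed ids are constructed; `MicrosoftAdminPortals` is the Graph application id for Microsoft Admin Portals, and the audit treats it or any `includeRoles` entry as admin coverage.

```python
ADMIN_PORTALS = "MicrosoftAdminPortals"  # Graph app id for "Microsoft Admin Portals"
LEGACY_CLIENTS = {"exchangeActiveSync", "other"}  # the legacy client app types

def audit_policies(policies):
    """Return findings per gap for a list of Graph conditionalAccessPolicy objects."""
    f = {"report_only_mfa": [], "exclusions": [], "coverage": [], "admin": [], "legacy_auth": []}
    users_all = admin_covered = legacy_blocked = False
    for p in policies:
        name, c = p["displayName"], p["conditions"]
        users, apps = c["users"], c["applications"]
        grants = set((p.get("grantControls") or {}).get("builtInControls") or [])
        # Report-only or disabled MFA policies prove intent, not enforcement
        if "mfa" in grants and p["state"] != "enabled":
            f["report_only_mfa"].append(f"{name}: state={p['state']}")
            continue
        if "mfa" in grants:
            # Every exclusion needs a named owner and a one-sentence reason
            for kind in ("excludeUsers", "excludeGroups", "excludeRoles"):
                f["exclusions"] += [f"{name}: {kind} {o}" for o in users.get(kind, [])]
            if "All" in users.get("includeUsers", []) and "All" in apps.get("includeApplications", []):
                users_all = True
            if users.get("includeRoles") or ADMIN_PORTALS in apps.get("includeApplications", []):
                admin_covered = True
        # Legacy auth is only closed by an enabled block on the legacy client app types
        if "block" in grants and p["state"] == "enabled" and LEGACY_CLIENTS <= set(c.get("clientAppTypes", [])):
            legacy_blocked = True
    if not users_all:
        f["coverage"].append("no enabled policy requires MFA for All users on All cloud apps")
    if not admin_covered:
        f["admin"].append("no enabled MFA policy targets directory roles or Microsoft Admin Portals")
    if not legacy_blocked:
        f["legacy_auth"].append("no enabled policy blocks legacy client app types")
    return f

# Constructed sample export (placeholder ids in angle brackets), shaped like the Graph response
SAMPLE_EXPORT = {"value": [
    {"displayName": "Require MFA - all users", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"], "excludeGroups": ["<group-id: CA-Exclusions-Temp>"]},
                    "applications": {"includeApplications": ["All"]}, "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Require MFA - admins", "state": "enabled",
     "conditions": {"users": {"includeRoles": ["<role-template-id: Global Administrator>"],
                              "excludeUsers": ["<user-id: breakglass1>"]},
                    "applications": {"includeApplications": ["All"]}, "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]}

if __name__ == "__main__":
    for gap, items in audit_policies(SAMPLE_EXPORT["value"]).items():
        print(f"{gap}: {items or 'ok'}")
```

Run against the sample, the report-only "all users" policy is flagged as enforcing nothing, the break-glass exclusion is listed for owner review, and the coverage and legacy-authentication gaps come back empty-handed, which is the evidence state an assessor would reject.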
Common mistakes
The common mistake is reviewing registration, not enforcement. A registered user can still avoid MFA on the access path that matters.
Another mistake is treating emergency accounts as outside the control. They need a design, owner, alert and review trail.
Related route
For the matching service path, use Cyber Essentials Plus readiness.