Step-by-step instructions for enabling multi-factor authentication on your school's Google Workspace or Microsoft 365 accounts.
Multi-factor authentication (MFA) is the single most effective security measure your school can implement. Microsoft reports that MFA blocks over 99.9% of account-compromise attacks.
After the Catholic School Google Workspace breach — where a teacher's reused password led to 1,200 student records being exposed — the message is clear: if your school doesn't have MFA, you're one stolen password away from a breach.
For Google Workspace administrators:
Step 1: Sign in to your Google Admin console (admin.google.com)
Step 2: Go to Security → Authentication → 2-Step Verification
Step 3: Check "Allow users to turn on 2-Step Verification"
Step 4: Under Enforcement, select "Turn on enforcement"
Step 5: Set the enrollment period:
Step 6: Choose allowed methods:
Step 7: Click Save
Heads-up: Google is rolling out mandatory 2-Step Verification for Workspace administrators, including Workspace for Education. Super admins are notified roughly 90 days before enforcement begins — enrol early and confirm everyone has a backup method to avoid lockouts.
For each Google Workspace user:
Step 1: Go to myaccount.google.com → Security
Step 2: Under "Signing in to Google," click 2-Step Verification
Step 3: Click Get Started and enter your password
Step 4: Choose your method:
Step 5: Add a backup method (backup codes or backup phone)
Step 6: Save your backup codes in a safe place
2025 update: Microsoft retired the legacy per-user MFA portal (the old Enabled / Enforced states under Org settings) on September 30, 2025. MFA is now turned on with Security Defaults or Conditional Access, and methods are managed in the Microsoft Entra admin center (entra.microsoft.com).
Option A — Security Defaults (free, simplest, good for most schools):
Step 1: Sign in to the Microsoft Entra admin center (entra.microsoft.com) as a Global Administrator
Step 2: Go to Entra ID → Overview → Properties
Step 3: Select Manage security defaults
Step 4: Set Security defaults to Enabled and save — this requires MFA for every user and blocks legacy (password-only) sign-in protocols
Option B — Conditional Access (more control; needs a Microsoft Entra ID P1 license, included with many Education plans):
Step 1: In the Microsoft Entra admin center, first turn off Security Defaults — the two can't run at the same time
Step 2: Go to Protection → Conditional Access → Policies
Step 3: Select + New policy from template and pick the Require multifactor authentication template
Step 4: Scope it to All users (exclude one break-glass admin account), then set Grant → Require multifactor authentication
Step 5: Switch the policy from Report-only to On and save
Microsoft now also mandates MFA to sign in to its own admin centers (Entra, Azure, Intune), so enrol admin accounts first.
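Before you flip enforcement on in either tenant (Google admin step 4, or switching the Conditional Access policy from Report-only to On in Option B step 5), it helps to know exactly who is still unenrolled. The script below is an added example, not code from the original guide or from Google or Microsoft. It parses the JSON that the Google Admin SDK Directory API (users.list, fields isEnrolledIn2Sv/isEnforcedIn2Sv) and Microsoft Graph (reports/authenticationMethods/userRegistrationDetails, field isMfaRegistered) return, lists who still needs chasing, and builds the Graph request body for the Option B policy with the break-glass exclusion from step 4. The sample API responses are constructed for illustration, and the break-glass object id is a placeholder.

```python
"""Pre-enforcement MFA enrolment check for a school tenant.

Added example, not code from the original guide. It parses the JSON that the
Google Admin SDK Directory API (users.list) and Microsoft Graph
(reports/authenticationMethods/userRegistrationDetails) return, and builds the
Graph request body for the Conditional Access policy described in Option B.
The sample responses below are constructed; the field names are the ones those
APIs actually return. The break-glass object id is a placeholder.
"""
import json

# Constructed sample of a Google Directory API users.list response (trimmed).
GOOGLE_USERS_JSON = """
{"users": [
  {"primaryEmail": "principal@example-school.edu", "isAdmin": true,
   "isEnrolledIn2Sv": true, "isEnforcedIn2Sv": true, "suspended": false},
  {"primaryEmail": "teacher1@example-school.edu", "isAdmin": false,
   "isEnrolledIn2Sv": false, "isEnforcedIn2Sv": false, "suspended": false},
  {"primaryEmail": "former-staff@example-school.edu", "isAdmin": false,
   "isEnrolledIn2Sv": false, "isEnforcedIn2Sv": false, "suspended": true}
]}
"""

# Constructed sample of a Graph userRegistrationDetails response (trimmed).
GRAPH_REGISTRATION_JSON = """
{"value": [
  {"userPrincipalName": "admin@example-school.edu", "isAdmin": true,
   "isMfaRegistered": true, "methodsRegistered": ["microsoftAuthenticatorPush"]},
  {"userPrincipalName": "teacher2@example-school.edu", "isAdmin": false,
   "isMfaRegistered": false, "methodsRegistered": []}
]}
"""


def google_unenrolled(users_json: str) -> list[str]:
    """Return active Google users who have not turned on 2-Step Verification.

    Turning on enforcement (admin step 4) locks these users out once the
    enrolment period ends, so they are the people to chase first.
    Suspended accounts are skipped: they cannot sign in anyway.
    """
    users = json.loads(users_json).get("users", [])
    return sorted(
        u["primaryEmail"] for u in users
        if not u.get("suspended", False) and not u.get("isEnrolledIn2Sv", False)
    )


def graph_unregistered(report_json: str) -> list[str]:
    """Return Microsoft 365 users with no MFA method registered, admins first.

    Microsoft requires MFA to reach its own admin centers, so an admin who
    shows up here is the most urgent case.
    """
    rows = json.loads(report_json).get("value", [])
    missing = [r for r in rows if not r.get("isMfaRegistered", False)]
    missing.sort(key=lambda r: (not r.get("isAdmin", False), r["userPrincipalName"]))
    return [r["userPrincipalName"] for r in missing]


def ca_policy_body(break_glass_id: str, enforce: bool) -> dict:
    """Build the Graph conditionalAccessPolicy body for the Option B policy.

    Starts in report-only mode unless enforce=True, and refuses to build a
    policy that does not exclude the break-glass account, because an "All
    users" MFA policy with no exclusion can lock every admin out at once.
    """
    if not break_glass_id:
        raise ValueError("break-glass account id is required")
    return {
        "displayName": "Require MFA for all users",
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": [break_glass_id]},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def ready_to_enforce(unenrolled: list[str]) -> bool:
    """Enforcement is safe to switch on only when nobody is left unenrolled."""
    return len(unenrolled) == 0


if __name__ == "__main__":
    g = google_unenrolled(GOOGLE_USERS_JSON)
    m = graph_unregistered(GRAPH_REGISTRATION_JSON)
    print("Google users still without 2SV:", g)
    print("Microsoft users still without MFA:", m)
    # Placeholder object id; replace with the real break-glass account's id.
    policy = ca_policy_body("00000000-0000-0000-0000-000000000000",
                            enforce=ready_to_enforce(m))
    print(json.dumps(policy, indent=2))
```

To run it against live data, feed it the response of a Directory API users.list call (customer=my_customer, paging through nextPageToken) and of a Graph GET on /reports/authenticationMethods/userRegistrationDetails, each made with the read-only reporting permissions those APIs document; neither call changes anything in the tenant. The policy body is only built, never submitted, so creating the policy still happens in the Entra admin center as in steps 2 to 5.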
For each Microsoft 365 user:
Step 1: Sign in at microsoft365.com (formerly office.com)
Step 2: When prompted for additional verification, click Next
Step 3: Install the Microsoft Authenticator app on your phone
Step 4: In the app, tap + → Work or school account → scan the QR code
Step 5: Complete the test verification
"It's too inconvenient" → MFA prompts are needed only on new devices or every 30 days. It takes 5 seconds.
"I don't have a smartphone" → Hardware security keys work too. Or use backup codes.
"Our staff won't learn it" → Authenticator apps are straightforward — setup takes under 5 minutes, and daily use is just tapping "approve" on a notification.
"We've never been hacked" → That you know of. 80% of breaches involve compromised credentials.
After enabling MFA, consider checking the rest of your security posture: