
Multi-Factor Authentication Policy Enforcement Guide

Last updated on Sep 25, 2025

1. Purpose of this Guide

This artefact proves your company has enforced MFA across user accounts, not just made it optional. Cyber Essentials requires this because passwords alone are a rickety drawbridge; MFA adds a second gate — a code, token, or app approval — making it much harder for attackers to sneak in with stolen credentials.


2. What You Will Submit

You will need:

  • A screenshot from your identity provider (IdP) or admin console showing:

    • MFA enforcement enabled for users.

    • A status that reads “Enforced” or “Required”, not just “Available”.

    • Coverage across the organisation or specific groups (admins, staff, etc.).


3. How to Collect / Obtain / Generate This Evidence

For StrongKeep users:

  1. Log into the StrongKeep Password Manager → Reports

  2. Select MFA

  3. Click Generate Report.

  4. Download the screenshot/report.

Microsoft Entra (Azure AD):

  1. Go to Entra Admin Center → Users → Per-user MFA.

  2. Look for status = Enforced.

  3. Take a screenshot showing at least one enforced account (ideally all relevant users).

  Note: if your tenant requires MFA through a Conditional Access policy rather than per-user settings, the Per-user MFA page can show those users as Disabled even though MFA is enforced at sign-in. In that case, screenshot the Conditional Access policy that requires multifactor authentication together with its user or group assignments.

Google Workspace:

  1. Open Admin Console → Security → Authentication → 2-step verification.

  2. Ensure enforcement is ON for organisational units or all users.

  3. Take a screenshot showing enforcement, not just availability.

Okta / Other IdPs (Duo, OneLogin):

  1. Log into the admin console.

  2. Navigate to Authentication / Security Policies.

  3. Take a screenshot showing that MFA is required for sign-ins.


4. Evidence Format

  • Accepted file types: PNG, JPG, PDF.

  • Suggested naming format:
    YourCompanyName_MFAEnforcement_YYYY-MM-DD.png
    Example: AcmeCorp_MFAEnforcement_2025-07-01.png


5. What “Good” Looks Like

  • Status clearly shows MFA enforced (not optional).

  • Screenshot taken from the official IdP console (Microsoft Entra, Google Admin, Okta, etc.).

  • Evidence covers all relevant staff — especially admins and high-privilege accounts.

Why it matters: auditors want assurance that MFA isn’t just “available in theory” but practically enforced across your systems.


6. Tips

  • Redact personal names or emails from the screenshot before upload.

  • Enforce MFA organisation-wide where possible; partial coverage may raise questions.

  • Combine this with your Access Request Process evidence to show end-to-end strong account security.