Case Study: Implementing Multi-Factor Authentication (MFA) and Conditional Access for 200 Users
A mid‑sized firm operating from the historic Bradmill site needed to strengthen identity security as more staff worked remotely and relied on cloud services. By rolling out Multi‑Factor Authentication (MFA) and Conditional Access to 200 users, the organisation significantly reduced the risk of account compromise while keeping day‑to‑day access simple and efficient.
Client overview
The client is a growing business with around 200 staff across office, field, and remote roles, using Microsoft 365 as their primary platform for email, collaboration, and document management. Users regularly access corporate resources from different locations and devices, including home networks and mobile devices. The business handles commercially sensitive information and must protect customer and partner data from unauthorised access. Leadership wanted stronger identity security that would support flexible work without introducing unnecessary friction for staff.
Challenges
Prior to the project, most users authenticated with only a username and password, leaving the organisation exposed to phishing, password reuse, and brute‑force attacks. Security settings varied across accounts and devices, and there was no consistent way to distinguish low‑risk from high‑risk sign‑ins or block access from untrusted locations. IT had limited visibility into suspicious sign‑in patterns and lacked granular tools to enforce different controls for different user groups such as administrators, frontline staff, and contractors. There was also concern that a poorly planned MFA rollout could frustrate users and drive up support requests.
Our solution
We began with an assessment of existing Microsoft 365 and identity settings, including sign‑in logs, user types, and current security baselines. Working with stakeholders, we designed an identity‑centric security model that made MFA mandatory for all users and applied tailored Conditional Access policies based on role, device, and location. MFA was implemented using user‑friendly methods such as the Microsoft Authenticator app, with fallback options where appropriate, and rolled out in phases to minimise disruption. Conditional Access policies were configured to require compliant devices and MFA for sensitive applications, block legacy authentication protocols (which cannot complete an MFA challenge and would otherwise leave a password‑only path open), and challenge or restrict access from unusual locations or unmanaged devices.
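The three policy types described above, as an added example written for this page with the Microsoft Graph PowerShell SDK; it is not the case study's own deployment script. The break‑glass account UPN, the policy names and the reliance on the tenant's trusted named locations are assumptions, and the policies are created in report‑only mode so their impact can be checked in the sign‑in logs before a phase of users is enforced.

```powershell
# Added example (not the case study's own scripts). Creates three Entra ID Conditional
# Access policies of the kind described above using the Microsoft Graph PowerShell SDK
# (Install-Module Microsoft.Graph). Placeholders: the break-glass UPN and policy names.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","User.Read.All"

# Always exclude at least one emergency-access account so a mistaken policy
# cannot lock every administrator out of the tenant.
$breakGlass = (Get-MgUser -Filter "userPrincipalName eq 'breakglass@example.com'").Id   # hypothetical account

# New policies start in report-only mode; switch to "enabled" per rollout phase
# after reviewing what the policy WOULD have blocked in the sign-in logs.
$initialState = "enabledForReportingButNotEnforced"

# 1. Block legacy authentication (IMAP/POP/SMTP AUTH, basic-auth ActiveSync, ...).
#    These clients cannot complete an MFA challenge, so leaving them open makes
#    every MFA policy bypassable with a stolen password alone.
$blockLegacy = @{
    displayName   = "CA001 - Block legacy authentication"
    state         = $initialState
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# 2. Require MFA for every user on every cloud app.
$requireMfa = @{
    displayName   = "CA002 - Require MFA for all users"
    state         = $initialState
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# 3. Office 365 from outside the tenant's trusted named locations: require BOTH an
#    Intune-compliant device and MFA. The operator is AND, so a compliant device on
#    its own (or MFA from an unmanaged laptop) does not satisfy the policy.
$requireCompliant = @{
    displayName   = "CA003 - Office 365 off-network: compliant device AND MFA"
    state         = $initialState
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @("Office365") }
        clientAppTypes = @("all")
        locations      = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
    }
    grantControls = @{ operator = "AND"; builtInControls = @("mfa", "compliantDevice") }
}

foreach ($policy in @($blockLegacy, $requireMfa, $requireCompliant)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host ("Created {0} ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State)
}
```

Once the report‑only results for a phase look clean, each policy is moved to enforcement with Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }. Keep the legacy‑authentication block and the break‑glass exclusion in every policy: the first closes the password‑only path, the second keeps a recovery route if a policy misfires.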
Client experience
Users were guided through simple enrolment steps for MFA, supported by clear communications, FAQs, and short training sessions. After the initial adjustment period, most staff reported that the new sign‑in experience quickly became part of their normal workflow, especially when using the Authenticator app on their phones. Administrators and high‑privilege users gained stronger protections without losing productivity, thanks to policies tailored to their specific needs. The IT team saw fewer risky sign‑ins and gained better insight into authentication activity through centralised dashboards and alerts.
CIO | BradMill
Outcomes
The firm significantly reduced the likelihood of successful credential‑based attacks by enforcing MFA across all 200 user accounts. Conditional Access policies provided granular control over who could access which resources, from where, and under what conditions, improving the overall security posture without relying solely on network boundaries. Attempts to log in from suspicious locations or using legacy protocols were blocked or challenged automatically, reducing manual intervention. Overall, the organisation achieved a modern, identity‑based security approach that protects users and data while supporting flexible, cloud‑first ways of working.
