David says, I have a company that currently does not have two-factor authentication enabled. What will be the least disruptive way to enable it for them? One of my concerns is that a lot of folks may not remember their passwords. Really? If I enable 2FA, will they be able to use all their apps or will they be forced to sign in after 2FA is enabled? Would the easiest thing be to send a company-wide email with the link to the 2FA page for them to register and just deal with any forgotten passwords at that point? Thanks for the tips.

I did an MFA rollout from an adoption perspective not that long ago. Generally, most organizations don't even do an adoption like a full change, comms training, they often don't even do that. Yeah, that's it. It's like we're lighting it up and get started. Forgetting their passwords, look, you'll get a certain percentage that might, but you can also enable them to do it themselves to fix it. So you don't have to manage it. But we found that we just did email going out that it was going to be turned on. This is the countdown for it. Get yourself ready, get yourself registered. So you can go through that registration process to be ready, and then it was you either do it yourself or we will force you to in a week's time. So they were pretty compliant as a rule and generally went in and got themselves set up and registered to do MFA, and then we ran a couple of webinars, just walking them through what is it on top of the email and the comms and a SharePoint intranet page on it and why we were doing it, understanding of why and being secure, and all the various factors of understanding. Then those seminars, they weren't hands-on lessons or anything because it's not that complicated a feature ultimately to light up. So yeah, a couple of seminars showing them the step by step and reiterating the messages of why most people were pretty good. I think we're very used to it. We're doing our banking now with MFA. So we explained it like that.
Do you know how you when you go in, you do your banking, it kicks you off on your mobile phone, or you're going into any one of these other type of applications, whatever, you're used to doing this already. So I think you find it's not as difficult as it seems. So yeah.

So I would take this. I know this is a whole, I'm outnumbered by M365 MVPs here and folks who love everything Office. But two-factor is different for different things. One of the things that he mentions in the question is he doesn't even call out Office as the actual 2FA, right? And he's asking about will 2FA work for all of their apps. It's a per app thing unless they use a simple central SAML provider like Okta, okay? So Okta passes that 2FA information onto the application, but that's a central point, right? Other, go ahead Christian, you're going to say something.

I was just going to say that in some Gmail acts as that centralized location for some apps, depending on where you've enabled those profiles.

Correct. So what I'm getting at though is there's no one answer for this, right? Because I mean you could have apps that you have MFA and you have apps that don't have MFA or you have apps that support a specific type kind of two-factor and others that only support one kind of two-factor. So you have to come up with a common thread, right? Because you want to use a, for you two-factor, is it going to be a phone-based app? Is it going to be a text message? Is it going to be security questions? What is your second factor of authentication? And again, other apps may not recognize those, right? So that's why they make things like Okta to do that front end for you and give you a nice front end and they do all the back end dirty work, so.

So if you make a change within that you require for Microsoft 365 to have multi-factor authentication, then anything that ties to that profile when you're logging in will run through that process.

Correct.

So I've done that today, yeah, logged in.
But to your point is like, so things that I use that are outside of that, the purview of that core system that I've used signing up directly with that application for my desktop or whatever will not be held to that, so there is no tie to it unless it's tied to that M365 profile.

Well, and what you're seeing now is you're seeing a lot of sites because Microsoft, Google, Facebook, LinkedIn, they've opened up their APIs for authentication. So now you can go into like different websites and you can select which authentication provider you want to use or use your own email address, right? But they opened up the API so you can do that. Then you've kind of got a centralized 2FA authentication. The problem is that, again, that's dependent on the app and it's only really SaaS apps that offer that, right? So you have, finance might have these apps from the 1990s that just don't do, they don't even know what multi-factor means. It's not even spelled out a language. So those are all things you have to look at it. We have no idea from his question, I mean, what we're dealing with. So it could be a lot of things.

And I know about you, Christian, but I've got so many organizations on my mobile that I'll be working with. And some of them have, I've got one at the moment that's literally just about bricked my mobile. I cannot do anything, anything outside of, like I can't get something from my own personal mail over to my own personal OneNote, because they've got restrictions and they do that take control of your mobile phone and only one can do it at a time. And with all that multi-factor authentication. And they're trying to log in every day, they're not doing the once a week, it's every day you have to put in the full password and it can't be remembered. And it's like sometimes it can be really overwhelming for an end user. So on some of that, can you remember or not? Well, it comes down to how hard you go, because everything can be so very layered when it comes to MFA.
Well, so, you know, I've become a big fan of, for that reason, that complexity of using the Authenticator app to be able to hand it so that it's so it's code-driven. So log in there, I go in there, because I mean, I worked in secure environments. It is using the Authenticator app, but it's hush, hush, hush, hush, hush, hush. Yeah, and I get that, but like I remember back in my data center days, carrying around the little key fob that had, you know, the password generator and the code to get in there, like all that stuff. Yeah, yeah. Yeah, yeah. So, just dating ourselves here. I know. But yeah, so that was in the early 90s. Not that far from- And a solution to that. Not far from, not far from the app you use today. Microsoft Authenticator gives you six digits. Exactly. And that's the same thing as a little RSA key would give you, you know, that little token thing. So it's not far from that. Not far. I want to think, oh, let's go ahead, Norm.

Yeah. I was gonna say, the overarching thing about all of this, if David is happening to be watching this video is that you're getting two very extremes of the response. Mike has gone down to say, you know, it can be very technical, it's going to depend, and you're gonna have to invest a lot of work for your particular scenario. Kirsty and Christian have also talked about the effect on the user side. You're gonna have to put in just as much time with change management, adoption, getting your users ready for MFA and all of those implications than you are on the technical side. And that should not be underestimated. Yeah. You know, we're talking about those password generator key fobby things that Christian was talking about, you know, like you're gonna have all these sundry issues that show up, like people not wanting to use their own devices if they don't have a corporate one or, you know, afraid of the big brother aspect of all of it, and people are gonna forget.
It's so easy for us as, you know, IT people to underestimate how big of an impact something like this is.

But I want to give you an example as I ran across not too long ago is a very small company to 210 years, 220 some employees, 200 employees, they were implementing two-factor, right? Across the board, but they were implementing the Windows Hello because they didn't have any Macs or an all Windows shop and they were using Windows Hello. They actually had employees that would not enroll in the Windows Hello because they didn't want, they didn't want their biometrics collected and they actually didn't have to do it. The company backed off because the employees said they were gonna, you know, sue the company and all this other kind of stuff. But they didn't want their piece. You have got that exact thing at the moment, Mike. They didn't want all that. I was just gonna- We helped them to, sorry, Christian, we helped them explain on that one, Mike, just recently that it's really, they're not actually doing full face. It's just pinpoints on the face. It's held in the chip on the laptop. We're trying to exchange piece right now that it's not actually, and it's left only to the computer. Microsoft doesn't have it. The organization doesn't have it. If your PC dies, you gotta do it all over again. And it's yours effectively. Kirsty, you bought right into the big government lines. How they catch how they mail you in. That big, no, but- Can I- But you know what it is, we're talking about end users and they do panic and same with Mike said and they don't wanna do it or they don't want the authenticator app on their mobile. But then they wanna use their email, but then if they can't remember and it's the email they're trying to get into and they're trying to do multi-factor authentication, then they've got no other ways. So something on that point though is just, you have to remember when you're talking about your company, it's like, it's not your system.
It's the company's system. If you wanna work- And there are security risks that are getting increasingly important every day. Like phishing is off the hook. It's just so prevalent now. And all of these risks that are out there and that it needs to be locked down. And not to pile more on David, but that, if you're concerned that people aren't gonna remember their passwords, I'll wager that your organization has a very unhealthy password system and that you should be enforcing renewal of passwords a minimum of every 90 days. That's just the reality that we're in.

No, that doesn't work because then they gotta change the post-it note that's sitting on their monitor because you have to cross-hatch those ones. That's right. Pleasure and stationery fun for that. It's in notepad. It's not physically, come on. We're not animals here. It's written in notepad on a file that's on the digital desktop. It's underneath the keyboard. They hide it. They like to keep your house. That's right. I know it's a good look there. Yeah, they'll never look at a keyboard.

But that is a user behavior. And these are all things that I regularly have to talk to them about. And then even just PIN recently, you can do the quick, easy PIN on a Surface. And then they've gone, no, but we wanna actually include one uppercase or lowercase alphabet. And I'm going, but then you've no longer got a PIN. So the moment you do that, you open it up. Just they're just gonna do exactly the same password as their PC to remember it because to have a password and then a PIN that's like a password, you're better off to have a four or a six digit. It's proven that it's more secure than two.

That's why I stick with my home system. It's pretty secure. I have Windows Hello. I have the PIN. And then it accepts either blood or urine samples. So it's good. I regularly bleed from my work and from Microsoft. Look, but yeah, multi-factor is not easy.
And as you said, Mike, there's so many ways and so many things and it can stop you from doing or single sign-on and having to do it again and again and again. And if they're doing it again and again, they're gonna remember their password. There is that, but... Remember your password, people. Remember your password.