This guide explains the ten essential Microsoft 365 security controls we recommend for charities to reduce cyber risk, improve governance and strengthen long-term resilience

Control 1 of 10 Next Control >

Overview

Multi-Factor Authentication (MFA) adds an extra layer of security by requiring users to verify their identity using a second factor, such as the Microsoft Authenticator app.

Why it matters

Multi-Factor Authentication (MFA) adds an extra layer of security by requiring users to verify their identity using a second factor, such as the Microsoft Authenticator app.

Common mistakes

Multi-Factor Authentication (MFA) adds an extra layer of security by requiring users to verify their identity using a second factor, such as the Microsoft Authenticator app.

Bunker's Recommended Approach

Multi-Factor Authentication (MFA) adds an extra layer of security by requiring users to verify their identity using a second factor, such as the Microsoft Authenticator app.

How We Helped a leading UK Charity

During a recent Microsoft 365 security review for a UK charity with over 100 staff, we discovered that several privileged accounts were not protected with Multi-Factor Authentication. Working with the charity, we:

✔ Enabled MFA for all administrator accounts.

✔ Removed legacy authentication methods.

✔ Reviewed Conditional Access policies.

✔ Increased their Microsoft Secure Score as part of a wider security improvement programme.

Rather than simply enabling MFA, we ensured the controls aligned with the charity’s governance requirements and long-term cyber security strategy.

MFA is one of the simplest and most effective Microsoft 365 security controls a charity can implement, yet many organisations still haven't enabled it for every user.

Ready to review your Microsoft 365 security?

Whether you're preparing for Cyber Essentials, reviewing your current IT provider or simply want to understand your Microsoft 365 security posture, we'll help you identify practical improvements that reduce risk and support your organisation's goals.

FAQ – Multi-Factor Authentication (MFA) for UK Charities

Is Multi-Factor Authentication essential for UK charities?

Yes. Charities store sensitive information including donor records, beneficiary information, financial data and employee details. Enabling MFA is one of the most effective ways to reduce the risk of account compromise and is considered a fundamental security control for organisations of all sizes.

Does Microsoft 365 include Multi-Factor Authentication?

Yes. Microsoft includes MFA with most Microsoft 365 business subscriptions, although the available features depend on your licence. More advanced capabilities, such as risk-based authentication and Conditional Access, require Microsoft Entra ID P1 or Microsoft 365 Business Premium

Should every charity user have MFA enabled?

In almost every case, yes. MFA should be enabled for all users, including staff, volunteers and especially administrator accounts. Administrator accounts are frequently targeted by cyber criminals because they provide access to the organisation’s entire Microsoft 365 environment.

What is the best way to implement MFA?

We recommend using the Microsoft Authenticator app rather than SMS text messages wherever possible. The Authenticator app provides stronger protection against modern attacks and offers a better user experience. MFA should also be combined with Conditional Access policies to provide even greater protection.

How can Bunker help improve our Microsoft 365 security?

Bunker helps UK charities review their Microsoft 365 security configuration, implement Multi-Factor Authentication, configure Conditional Access policies and strengthen overall cyber security. Our Microsoft 365 Security Reviews identify practical improvements that reduce organisational risk while supporting your charity’s operational needs.

Can volunteers use Multi-Factor Authentication?

Yes. Volunteers should use MFA in the same way as permanent staff if they access Microsoft 365. Protecting every account helps prevent unauthorised access and ensures your charity’s information remains secure, regardless of whether the user is an employee, volunteer or trustee.

Bunker Technical Solutions Cyber Security Team | Last reviewed: July 2026

Control 1 of 10 Conditional Access for UK Charities >
Logo
Helping you Build Secure, Future-Ready Technology

If you're reviewing your current MSP, concerned with cyber security or preparing your organisation for AI.