Multi-factor authentication (MFA) alone will not keep your business safe

Written by Jari-Pekka Hyyppä | May 4, 2026 7:15:41 AM

Many organisations still think like this:
"We have multi-factor authentication in place, so user accounts are secure."

The idea is understandable: MFA has been, and still is, one of the single most effective ways to protect user accounts. However, the threat landscape has changed, and organisations need a clearer picture of what MFA does and does not stop.

The fact is that today, MFA alone no longer provides the level of security that is often expected.

Attacks are not only targeting passwords - but also people

In the past, an attacker's goal was simply to crack or steal a password.
Now the goal is different.

Today's attacks do not necessarily try to defeat MFA technically; they exploit the user. The attacker wants the user to log in exactly as normal - but in a way that hands the resulting session to the attacker.

A common example is the so-called Adversary-in-the-Middle (AitM) attack. The user is lured to a login page that looks genuine, enters their credentials and approves the MFA prompt as usual. What the user does not see is that the page is a proxy: it relays the credentials and the MFA response to the real identity provider in real time and captures the session cookie or token the provider returns. To the user everything looks normal, but the authenticated session ends up in the attacker's hands - and a replayed session token does not trigger a new MFA prompt.

MFA worked technically exactly as designed, but it did not prevent the attack. Only phishing-resistant methods, in which the credential is cryptographically bound to the genuine site's origin (FIDO2 security keys and passkeys), stop this kind of relay; a one-time code or a push approval can be proxied like anything else.

MFA fatigue is a real phenomenon

Another widespread phenomenon is so-called MFA bombing, also known as push bombing. The attacker already holds the user's password and triggers sign-in attempts repeatedly, so the user's phone receives a constant stream of approval requests.

Eventually, the user will either:

    • accidentally accept a request
    • or accept one just to stop the notifications

As a reader, you may feel that nobody would really fall for such an obvious trick. In reality it happens to users who are in a hurry, tired, or simply distracted.

You may yourself have, at some point, simply "acknowledged a notification" on your phone in the middle of a meeting. For a less alert user, an MFA prompt is just one more notification among many.

Even here, MFA is not "broken". The problem is that the system does not understand the context, and the user does not always stop to think about why the request arrived at that particular moment. Number matching, in which the user must type a code shown on the login screen into the authenticator app instead of just tapping Approve, removes the one-tap path and is the first mitigation to check. It does not, however, help against the AitM case above, where the user is genuinely trying to log in and the proxy simply shows them the number.

The real problem is not the MFA. The problem is what is missing around it

When people say "MFA alone is not enough", it is sometimes misunderstood. It does not mean that MFA is unnecessary or outdated.

On the contrary, MFA is still a cornerstone of protecting user logins - and the shift towards phishing-resistant methods such as passkeys strengthens it rather than replaces it.

The problem arises if:

    • logins are not continuously monitored
    • abnormal behaviour is not detected
    • risks are not responded to quickly
    • the environment is viewed in terms of individual settings rather than the whole

Modern identity attacks do not stop at a single layer of protection. Therefore, the defence should not rest on a single control either.

What is really needed beyond MFA?

If the goal is a genuinely protected Microsoft 365 environment, MFA is only the starting point. Around it you need controls that observe and react.

In practice this means, for example:

Continuous monitoring
Suspicious sign-ins, anomalous changes and risk signals are detected while there is still time to react.

Understanding the context
Not all anomalies are threats. The key is to distinguish normal activity from genuine risk.

Clear policies
When something happens, it should be clear what to do next - without everyone having to be a security expert.

The big picture
A single alert doesn't tell you much. It's only by combining multiple signals that you can see what's really going on in the environment.

Why is continuous identity monitoring so important in a Microsoft 365 environment?

Microsoft 365 is the most business-critical platform for many organisations: email, files, Teams conversations and administrative privileges all hang off the same identity.

This makes user accounts an attractive target for attackers, but it also offers the potential for better protection if the environment is actively monitored. By looking at sign-ins, anomalous signals and user behaviour as a whole, threats can be identified before they cause damage.

This is where continuous monitoring and contextual understanding come into play: they turn individual events into a controlled whole, supporting both security and business continuity.

Why are MFA attacks often detected too late?

In many organisations, identity-related anomalies are only discovered after the fact - if at all.

One reason is that logins are often viewed as individual events rather than as part of a broader behavioural picture. A single successful login may not attract attention, even if it is preceded by a burst of denied MFA prompts, an unusual location, a new device or an unusual time.

With MFA in place, it is easy to assume that every login that was approved is also legitimate. This mindset leaves the attacker room to operate undisturbed.

Without continuous monitoring, an attack can continue for days or weeks before the first clear signs appear. This is precisely why identity security is not just about blocking logins, but about understanding what kind of logins are taking place and reacting in time when something no longer looks normal.
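As an added example (not from the original article), the following Python script shows what reading logins "as part of a broader picture" means in practice. It takes a constructed sign-in log in a simplified, Entra ID-like layout and scores each successful sign-in against the same user's earlier events, combining the MFA-bombing pattern described earlier (a burst of denied prompts followed by an approval) with new-country, new-device and out-of-hours signals. The log lines, the column layout, the working-hours window and the use of result code 500121 to stand for a denied or timed-out MFA challenge are all assumptions made for illustration, not a description of any particular product's export format.

```python
"""Correlate M365-style sign-in events per user instead of judging each alone.

Added example; not from the original article. SAMPLE_LOG is constructed and
only loosely modelled on Entra ID sign-in log fields. The result code 500121
(MFA challenge denied or timed out), the column layout and the working-hours
window are assumptions made for illustration; adapt parse_line() to a real export.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

SUCCESS = "0"
MFA_DENIED = "500121"          # assumed: user denied or ignored the push prompt
FATIGUE_WINDOW = timedelta(minutes=10)
FATIGUE_MIN_DENIALS = 3        # one denial is a fat-finger; a burst is a push storm
WORK_HOURS = range(6, 20)      # assumed local business hours for this tenant


@dataclass(frozen=True)
class SignIn:
    time: datetime
    user: str
    result: str
    ip: str
    device: str
    country: str


@dataclass
class Finding:
    event: SignIn
    score: int
    reasons: list = field(default_factory=list)


def parse_line(line: str) -> SignIn:
    """Parse one constructed record: 'ISO-time user result ip device country'."""
    ts, user, result, ip, device, country = line.split()
    return SignIn(datetime.fromisoformat(ts), user, result, ip, device, country)


# Constructed sample data: alice is hit by a push storm at night from a new
# country and device; bob denies one prompt by mistake and then approves normally.
SAMPLE_LOG = """\
2026-04-20T08:02:00 alice@example.com 0 198.51.100.10 DESKTOP-A1 FI
2026-04-21T08:05:00 alice@example.com 0 198.51.100.10 DESKTOP-A1 FI
2026-04-22T07:58:00 alice@example.com 0 198.51.100.11 DESKTOP-A1 FI
2026-05-04T02:31:00 alice@example.com 500121 203.0.113.7 Unknown RU
2026-05-04T02:32:00 alice@example.com 500121 203.0.113.7 Unknown RU
2026-05-04T02:33:00 alice@example.com 500121 203.0.113.7 Unknown RU
2026-05-04T02:34:00 alice@example.com 500121 203.0.113.7 Unknown RU
2026-05-04T02:35:00 alice@example.com 0 203.0.113.7 Unknown RU
2026-05-04T08:01:00 bob@example.com 0 198.51.100.20 LAPTOP-B7 FI
2026-05-04T08:03:00 bob@example.com 500121 198.51.100.20 LAPTOP-B7 FI
2026-05-04T08:04:00 bob@example.com 0 198.51.100.20 LAPTOP-B7 FI
"""


def assess(events):
    """Return a Finding for each *successful* sign-in that looks suspicious
    when read against the same user's earlier events.

    Scoring: a burst of MFA denials right before the approval weighs 2 (the
    MFA-bombing pattern); a first-seen country, a first-seen device and an
    out-of-hours time weigh 1 each. A success is reported at score >= 2, so a
    single oddity on its own stays quiet.
    """
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e.time):
        by_user[e.user].append(e)

    window_min = int(FATIGUE_WINDOW.total_seconds() // 60)
    findings = []
    for evs in by_user.values():
        # Baseline is built from successful sign-ins only, so an attacker's
        # failed attempts never become part of what counts as "normal".
        seen_countries, seen_devices = set(), set()
        for i, e in enumerate(evs):
            if e.result != SUCCESS:
                continue
            f = Finding(event=e, score=0)
            denials = [p for p in evs[:i]
                       if p.result == MFA_DENIED and e.time - p.time <= FATIGUE_WINDOW]
            if len(denials) >= FATIGUE_MIN_DENIALS:
                f.score += 2
                f.reasons.append(f"{len(denials)} MFA denials in the {window_min} min before approval")
            # Novelty checks only make sense once the user has some history.
            if seen_countries and e.country not in seen_countries:
                f.score += 1
                f.reasons.append(f"first sign-in from country {e.country}")
            if seen_devices and e.device not in seen_devices:
                f.score += 1
                f.reasons.append(f"first sign-in from device {e.device}")
            if e.time.hour not in WORK_HOURS:
                f.score += 1
                f.reasons.append(f"outside working hours ({e.time:%H:%M})")
            if f.score >= 2:
                findings.append(f)
            seen_countries.add(e.country)
            seen_devices.add(e.device)
    return findings


if __name__ == "__main__":
    for f in assess([parse_line(l) for l in SAMPLE_LOG.splitlines()]):
        print(f"{f.event.time:%Y-%m-%d %H:%M} {f.event.user} score={f.score}")
        for r in f.reasons:
            print(f"  - {r}")
```

Two things are worth noticing. The baseline is built only from successful sign-ins, so an attacker's failed attempts never become "normal". And a single oddity (bob's one denied prompt followed by a routine approval from his usual device) stays below the reporting threshold, which is the "not all anomalies are threats" point made earlier: the value lies in the combination of signals, not in any one of them.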

Summary

MFA remains an important and necessary part of identity security, but on its own it can give a false sense of security.

Real protection only comes from continuous monitoring of authentication, users and the environment as a whole, and from the ability to react in a timely manner to identified risks.

Security in an M365 environment is not a single setting or feature. It is an ongoing process.