"We have MFA enabled" is not the same claim as "our MFA is actually protecting us," and the gap between those two statements is where most of the breaches we see in businesses that thought they were covered actually happen. Enabling MFA is the easy 80% of the work. The configuration details are the other 20% that determines whether it holds up against a real attack.
Legacy authentication is the most common gap
Older authentication protocols — used by some email clients, some line-of-business app integrations, and some scripted processes — don't support modern MFA prompts at all, and if they're not explicitly blocked, they provide a bypass path that attackers actively scan for. Blocking legacy authentication via Conditional Access is one of the single highest-impact changes we make in a Microsoft 365 security hardening engagement, and it's frequently still open in environments that consider their MFA setup complete.
Not all MFA methods are equal
SMS-based codes are better than nothing, but they're vulnerable to SIM-swapping and phishing pages that simply relay the code in real time. Push notifications with number matching are stronger. Phishing-resistant methods — FIDO2 security keys, passkeys — are the strongest available and worth deploying for admin accounts and anyone with access to sensitive systems, even if broader rollout takes longer.
Admin accounts need their own policy
Global admin and other privileged accounts deserve stricter Conditional Access than standard users — shorter session lifetimes, mandatory phishing-resistant MFA, and in most cases, no standing admin access at all in favor of just-in-time privilege elevation. An attacker who compromises a standard user account is a contained problem; an attacker who compromises an unprotected admin account is a full incident. The configuration difference between those two outcomes is a policy setting, not a purchase.