Does MFA need to be enforced for every user?

It must be enforced for accounts that access cloud services in scope, and especially for all administrators. Check the latest Cyber Essentials requirements with your assessor.

Are SMS codes acceptable?

Cyber Essentials accepts several MFA methods. App-based or hardware token MFA is generally preferred. Confirm acceptable methods with your assessor.

What if a SaaS tool doesn't support MFA?

Document the limitation, the compensating controls in place, and a plan to migrate or restrict that tool.

Evidence area

Cyber Essentials MFA evidence

Cyber Essentials requires multi-factor authentication on cloud services, especially for administrator accounts. Evidence needs to show MFA is enforced — not just available.

Start free See features

Why MFA evidence is often incomplete

Most SMEs have MFA switched on for some users, but lack a clean export showing every admin and every cloud service. Assessors regularly ask for evidence that admin accounts in Microsoft 365, Google Workspace and other SaaS tools are MFA-enforced — not optional.

Examples of MFA evidence

Microsoft 365 MFA status export or screenshot
Google Workspace 2-Step Verification enforcement screenshot
Admin account list with MFA status per user
Conditional access policy summary
Screenshots of MFA enforced on accounting, CRM and other cloud apps
Note explaining any service that cannot support MFA and the compensating control

How Evaud helps

MFA evidence linked to admins

Link each MFA export to the admin accounts or SaaS systems in your asset register.

Status tracking

Mark MFA evidence as approved or expired so you know what to refresh before renewal.

Comments from your assessor

Assessors can leave comments directly on the evidence item if something looks off.

Frequently asked questions

Start building your Cyber Essentials evidence today.

Free to try. No credit card required.

Start free Contact us