Back to Blog
Cybersecurity

MFA and Conditional Access for MSPs: The Compliance Baseline That Covers HIPAA, SOC 2, and Cyber Insurance

Stolen credentials drive the majority of breaches — and MFA is now required by HIPAA, SOC 2, PCI DSS, and every major cyber insurance carrier. This guide covers what each framework actually mandates, what conditional access adds beyond a simple toggle, and how to package it as a recurring MSP service.

BC
Brett Coffin
Updated July 20268 min read

MFA and Conditional Access for MSPs: The Compliance Baseline That Covers HIPAA, SOC 2, and Cyber Insurance

TLDR: Stolen credentials are behind the majority of breaches, and every compliance framework your clients operate under now requires MFA — including cyber insurance carriers as a coverage condition. This guide covers what each major framework actually mandates, why "just enabling MFA" isn't enough, how to deploy conditional access at scale across your client base, and how to package it as a recurring, auditable service.


Stolen credentials are behind more successful attacks than any other initial access method. The Verizon 2025 Data Breach Investigations Report found that 88% of attacks targeting web applications involved stolen or compromised credentials ([Verizon DBIR, 2025](https://www.verizon.com/business/resources/reports/dbir/)).

Multi-factor authentication directly blocks this attack path. Microsoft's security research found that MFA blocks 99.9% of account compromise attacks — even when the attacker already has a valid password ([Microsoft Security Blog, 2019](https://www.microsoft.com/en-us/security/blog/2019/08/20/one-simple-action-you-can-take-to-prevent-99-9-percent-of-account-attacks/)). It is the single highest-leverage security control available for most SMB clients.

What changed in 2026 is that MFA is no longer just a best practice — it's now a mandatory requirement across every compliance framework your clients operate under, and a prerequisite for cyber insurance coverage.

What Every Major Framework Now Requires

Here's where each framework stands on MFA and access controls:

HIPAA (2026 Proposed Security Rule Amendments)

The proposed 2026 Security Rule overhaul would make MFA mandatory for all workforce members accessing systems that contain, transmit, or store electronic protected health information (ePHI) — with no addressable exceptions. Under the current rule, MFA is an "addressable" specification, meaning organizations can document an equivalent alternative. The proposed amendments remove that carve-out entirely.

The rule had not been finalized as of this writing, but the direction is clear and healthcare-focused MSPs should be helping clients prepare now rather than waiting for a compliance deadline. For a full breakdown of what's changing, see our post on the 2026 HIPAA Security Rule overhaul and what MSPs must do.

SOC 2 (Trust Services Criteria)

SOC 2 doesn't name MFA explicitly in its criteria text, but it's the de facto baseline in every real-world audit. Criteria CC6.1 (restricting logical access to authorized users), CC6.3 (controlling access from outside the system boundary), and CC6.6 (security of data in transmission) are all evaluated in ways that treat single-factor authentication as an automatic finding. Every SOC 2 auditor treats MFA on all user accounts — especially for remote access — as the minimum acceptable control.

PCI DSS v4.0 (Requirement 8)

PCI DSS is the most explicit. Requirement 8.4.2 mandates MFA for all access into the cardholder data environment. Requirement 8.4.3 extends it to all remote network access originating from outside the entity's network. There are no legacy exceptions — if a system can't support MFA, it must be isolated or replaced.

NIST CSF 2.0 and CIS Controls v8

Both frameworks treat MFA as an expected baseline in their Identity and Access Management categories. NIST CSF 2.0's PR.AA (Protect: Identity Management, Authentication, and Access Control) function calls for MFA on privileged and user accounts. CIS Controls v8 Safeguard 6.3 (Require MFA for externally-exposed applications) and 6.5 (Require MFA for administrative access) are Implementation Group 1 and 2 controls — expected even for organizations with limited cybersecurity resources.

Cyber Insurance

Every major carrier now treats MFA as a coverage condition. Applications from Coalition, Chubb, Beazley, and others include explicit questions about whether MFA is enforced on email, VPN/remote access, cloud admin consoles, and privileged accounts. Applications showing gaps in these areas face higher premiums, reduced coverage limits, or denial. For a checklist of what carriers typically require, see the cyber insurance compliance guide for MSPs.

MFA vs. Conditional Access: Why a Simple Toggle Isn't Enough

Many MSPs implement MFA by enabling it in Azure AD (now Microsoft Entra ID) or Google Workspace and moving on. That's the starting point — but it's not what auditors and carriers mean when they ask about access controls.

Conditional Access means MFA is enforced by policy based on context, not just triggered at initial login:

  • **Device compliance gating:** Sign-ins from unmanaged or non-compliant devices trigger a step-up MFA challenge
  • **Location and risk signals:** Unfamiliar locations, impossible travel, or anomalous token behavior require re-authentication
  • **Application sensitivity tiers:** Admin portals and apps touching PHI or PCI data require MFA regardless of device trust state
  • **Legacy authentication blocking:** SMTP Auth, IMAP, POP3, and basic auth — which cannot support MFA — are blocked entirely at the tenant level

Without Conditional Access policies, a client with "MFA enabled" can still be compromised through adversary-in-the-middle (AiTM) phishing kits that capture session tokens after the MFA prompt, or through a compromised managed device. Modern Conditional Access policies with token binding and session lifetime controls close these gaps. Cyber insurance applications and SOC 2 auditors are increasingly asking about Conditional Access policies specifically — not just whether MFA is enabled.

Deploying MFA Across a Multi-Client Portfolio

The challenge for MSPs isn't understanding MFA — it's rolling it out consistently across 10, 20, or 50 clients without turning it into an ongoing support escalation. A practical phased approach:

Phase 1: Baseline Assessment

Before deploying anything, establish where each client stands. How many accounts have MFA enrolled? Which accounts are excluded? Which sign-in scenarios are covered? For M365 clients, this means pulling per-user MFA status from Entra ID. Nuronus's MSP security assessment capability connects to M365 and Google Workspace via read-only OAuth to pull enrollment and Conditional Access data automatically across your entire client portfolio — giving you a baseline across all clients in a fraction of the time required by manual PowerShell queries.

Phase 2: Privileged Accounts First

Global Admins, Exchange Admins, SharePoint Admins, and any account with write access to tenant configuration should be the first targets. These are also the accounts auditors and carriers check first. Enforce MFA and disable legacy authentication for these accounts before touching the general user population.

Phase 3: Conditional Access in Report-Only Mode

Create a Conditional Access policy that requires MFA for all users and blocks legacy authentication, but set it to Report-Only mode initially. Entra ID will log what *would* have been blocked without actually enforcing anything, letting you identify service accounts, shared mailboxes, and legacy app integrations that will break before you flip the switch.

Phase 4: Remediate Exceptions, Then Enforce

Work through the Report-Only log to document every exception. Either migrate them to modern authentication or create a documented exclusion with a business justification. Then switch the policy to Enforce.

Phase 5: Ongoing Evidence Collection

This is the step most MSPs skip entirely. Implementing MFA is not the same as maintaining documented, auditable compliance. You need current enrollment status, Conditional Access policy records, and sign-in logs showing MFA challenges are firing — and they need to stay current as accounts are added or changed over time.

The Evidence Problem: MFA Is Easy to Toggle, Hard to Prove

When a SOC 2 auditor or cyber insurance carrier requests MFA evidence, they're not asking whether it's enabled today. They want:

  • **Current enrollment rates** across all user accounts, including service accounts and shared mailboxes
  • **Conditional Access policy exports** showing which sign-in scenarios enforce MFA
  • **Sign-in logs** demonstrating MFA challenges are actually firing across the account base
  • **Legacy authentication status** — confirmation that SMTP Auth, IMAP, and POP3 are disabled at the tenant level
  • **Exception documentation** — a list of accounts excluded from MFA with documented business justifications

Pulling and maintaining this evidence manually across dozens of clients is either inconsistent or consumes significant technician time before every audit. This is precisely where Nuronus automates the workflow: identity and access data pulled continuously from each client tenant, mapped to the relevant controls in every applicable compliance framework, available as a white-label report whenever an auditor or carrier asks.

Packaging MFA Compliance as a Recurring Service

From a business standpoint, MFA deployment is a one-time project — but MFA *compliance* is an ongoing service, and the distinction matters for how you bill it:

  • **Monthly:** Automated monitoring of MFA enrollment across all user accounts. Alerts when new users are onboarded without MFA enrollment or when existing accounts lose enrollment status. Included in your baseline compliance monitoring package.
  • **Quarterly:** MFA and access control section in your QBR compliance report — current enrollment rate, Conditional Access policy coverage, exception list with documentation. See [5 compliance reports every MSP should deliver at QBRs](/blog/5-compliance-reports-every-msp-should-deliver-at-qbrs) for the full reporting framework.
  • **Annual/At Renewal:** Cyber insurance evidence package — enrollment snapshot, Conditional Access policy export, sign-in log summary, exception log with justifications. Delivered as part of your insurance readiness service ahead of each policy renewal.

The billing framing isn't "we make sure MFA is on." It's: "We maintain your access control compliance posture and deliver the evidence your auditors and insurers require — so you're never scrambling to pull documentation under deadline pressure."

When clients understand that the alternative is manually assembling this evidence themselves every year before an audit or policy renewal, the ongoing fee becomes straightforward to justify.


*Ready to pull your clients' MFA enrollment and Conditional Access posture automatically — across all tenants, all frameworks, in one multi-tenant dashboard? Start free with Nuronus — 2 clients, no credit card required. Or explore how to package identity security monitoring as a recurring compliance service for MSPs.*

Ready to Add Compliance Services to Your MSP?

Free forever for 2 clients. All features included. No credit card required.

Get Started Free
BC

Brett Coffin

Founder, Nuronus

20+ years in IT infrastructure and security. Built Nuronus after watching MSPs leave compliance revenue on the table because the tooling made it impossible to deliver profitably.