MFA & Identity | North Star IT

MFA that users don't sabotage.

Most failed MFA rollouts fail on user experience, not technology. We design the conditional access policies, app integrations, and recovery flows so the security is real and the friction is invisible. Microsoft 365 identity, Duo, or Okta.

What's included

Everything you need, none of the upsell.

Real deliverables, with the boundaries written down. So you know what you're paying for and what counts as extra.

Conditional Access

Smart prompts, not constant prompts.

MFA where it matters: new device, new location, risk score elevated. Skip it where it doesn't add risk.

App Integration

Single sign-on done right.

Microsoft 365, Google, AWS, and your SaaS stack federated. One login, one MFA, fewer phished passwords.

Recovery

Lockouts don't kill productivity.

Documented and tested account recovery. Help-desk-driven reset with identity verification, not a vibes check.

Identity Hygiene

Quarterly review.

Stale accounts, over-privileged identities, orphaned service principals. Reviewed and pruned every quarter.

How it works

The order we work in.

A clear sequence so you can budget time, money, and risk against the work.

Step 01

Assess.

Current identity posture, MFA coverage, conditional access policies, and app federation. Documented before changes.

Step 02

Design.

Policy set tuned to your risk and your users. Phased rollout so day one isn't a disaster.

Step 03

Deploy.

Phased enrolment with self-service registration, recovery testing, and exec support.

Step 04

Operate.

Continuous monitoring of sign-in risk, identity protection alerts, and quarterly hygiene review.

Get a quote on mfa & identity.

Tell us a bit about your environment and we'll come back with a scoped proposal in two business days. No obligation, no pressure.

What it actually means

Identity is the perimeter. MFA is the lock on the door.

The majority of successful cyberattacks against Canadian SMBs start with a compromised credential. A staff member's password is guessed, phished, or purchased from a dark web dump, and the attacker logs in with a valid username and password. If MFA (multi-factor authentication) is not enforced, that is all it takes to get into your Microsoft 365 tenant, your email, your SharePoint files, and potentially your line-of-business applications. Identity management is the practice of ensuring that only the right people can access the right systems, and that you know what is happening when they do.

Most failed MFA rollouts fail on user experience, not technology. Staff find workarounds, disable their authenticator app, or convince IT to add exceptions for specific accounts. The result is a partially implemented MFA policy that provides false confidence. North Star designs MFA deployments with the user experience in front: we configure Conditional Access policies so that MFA prompts appear at the right time (risky sign-ins, new devices, sensitive applications) without interrupting routine work on trusted devices. We use Microsoft Authenticator with number matching and phishing-resistant FIDO2 keys for accounts that warrant it, and we design recovery flows so that a lost phone does not lock a staff member out permanently.

What's included

MFA and identity management deliverables.

  • MFA deployment: Microsoft Authenticator with number matching enforced for all Microsoft 365 accounts. Phishing-resistant FIDO2 keys for privileged admin accounts.
  • Conditional Access policy design: risk-based MFA prompts, compliant device requirements, geographic and IP-based restrictions, and legacy authentication blocking.
  • Identity hygiene review: audit of all user accounts, admin accounts, service accounts, and shared mailboxes. Identifies inactive accounts, overprivileged accounts, and accounts without MFA.
  • Privileged access management: just-in-time admin access using Entra ID Privileged Identity Management (PIM). Global admin rights are not permanently assigned.
  • Risky sign-in monitoring: Entra ID Identity Protection configured to flag and block sign-ins from unfamiliar locations, anonymizing proxies, and known malicious IP ranges.
  • Recovery flow design: documented process for account recovery when a staff member loses their authenticator. Secure enough to resist social engineering, practical enough not to create a week-long IT ticket.
  • Guest access review: audit of external collaborator (guest) accounts in your M365 tenant. Removes stale guests and applies appropriate access controls.
  • Ongoing monitoring: monthly review of sign-in logs and identity alerts. You receive a summary of flagged sign-ins and actions taken.

Who this is for

Any business with Microsoft 365 accounts and more than two staff.

If your business uses Microsoft 365 and MFA is not enforced on every account with a Conditional Access policy, you are at measurable risk. This applies to businesses of all sizes and industries. A Whitehorse retail business with five staff and a shared Microsoft 365 tenant is a target for credential stuffing attacks just as much as a larger firm, because attackers scan for vulnerable tenants at scale. A 40-person engineering firm in Prince George with a mix of remote and office staff needs MFA that works reliably on mobile devices, from job sites, and on managed laptops without becoming a daily source of IT tickets.

Businesses applying for or renewing cyber insurance in Canada will almost universally be asked whether MFA is enforced on all accounts and all remote access. The answer must be yes. Insurance carriers in Canada are increasingly requiring phishing-resistant MFA (FIDO2 or certificate-based) for admin accounts, not just SMS or email codes. North Star designs to the standard that insurers actually require, not a bare minimum that may not satisfy the questionnaire at renewal time.

Organizations subject to privacy legislation under BC PIPA, AB PIPA, or PIPEDA are required to implement reasonable security safeguards. Enforced MFA on all accounts is baseline. A regulatory body or privacy commissioner reviewing an incident involving a compromised Microsoft 365 account will ask whether MFA was enforced. If the answer is no, the organization faces regulatory exposure in addition to the operational and reputational damage of the breach.

What it costs

Project fee for deployment, optional ongoing monitoring.

MFA and identity management deployment is typically a project-based engagement: we design the Conditional Access policies, deploy and configure MFA for all users, run a training session for staff, and deliver a written summary of the configuration. Ongoing monitoring (monthly sign-in log review, quarterly access review) can be added as a retainer or bundled into a managed IT services plan. Microsoft 365 Business Premium or Entra ID P1/P2 licensing is required for Conditional Access; we can assess your current licensing and recommend the appropriate tier as part of the engagement.

Common questions

What clients ask before starting.

We have MFA turned on already. Is that enough?

MFA enabled by default in Microsoft 365 (Security Defaults) is better than nothing, but it is not the same as a properly configured Conditional Access policy. Security Defaults blocks legacy authentication and requires MFA, but it does not allow risk-based policies, device compliance requirements, or the granular exceptions that organizations need for service accounts and guest users. We frequently find that Security Defaults is bypassed by legacy protocols that were excluded, or that staff have MFA on their personal accounts but admin accounts were grandfathered in without it.

What if a staff member loses their phone?

We design recovery flows during deployment. The standard North Star process requires the staff member to call IT from a known number, verify identity with information that is not publicly available, and have the recovery processed by an authorized IT contact. The recovery is logged. We do not configure SMS-based recovery codes because phone number spoofing makes them a social engineering risk. FIDO2 hardware keys are recommended as backup authenticators for staff who travel frequently or are in high-risk roles.

Do you support Duo or Okta instead of Microsoft Authenticator?

Yes. If you have Duo or Okta already deployed, we can integrate those with Microsoft 365 and configure Conditional Access to rely on them. For businesses starting from scratch, Microsoft Authenticator with Microsoft's native Conditional Access is the most cost-effective option if you are already on Microsoft 365 Business Premium or have Entra ID P1 licensing. Duo is appropriate if you have a heterogeneous environment with non-Microsoft applications that need centralized MFA.

Will MFA break our line-of-business applications?

Some older line-of-business applications that connect to Microsoft 365 using basic authentication will break when legacy authentication is blocked. We identify these during the planning phase, before any Conditional Access policy goes live. For applications that require it, we configure service accounts with modern authentication or certificate-based authentication. We do not block legacy authentication and discover the impact afterward; we test it in a pilot group first and address issues before rolling out to all users.
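As an added illustration of two things described on this page, the monthly sign-in log review in the monitoring deliverable and the planning-phase step of finding legacy-authentication clients before a block policy goes live, here is a small Python triage script. It is example code written for this page, not North Star's tooling. The record shape is modelled on an Entra ID sign-in log export (userPrincipalName, clientAppUsed, authenticationRequirement, riskLevelDuringSignIn, status.errorCode, location.countryOrRegion, ipAddress); the field names and the list of legacy client types are assumptions to check against your own export, and every sample record is constructed.

```python
"""Triage a sign-in log export for an MFA rollout review (constructed example)."""
import json
from collections import Counter

# Client types that authenticate with username/password only and cannot satisfy an
# MFA requirement. Assumption: these match the clientAppUsed values in the export.
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync", "IMAP4", "POP3", "SMTP", "Authenticated SMTP",
    "Other clients", "MAPI Over HTTP", "Exchange Web Services",
    "Outlook Anywhere (RPC over HTTP)",
}


def _rec(upn, app, auth_req, risk, error_code, country, ip):
    """Build one constructed sign-in record in the assumed export shape."""
    return {
        "userPrincipalName": upn,
        "clientAppUsed": app,
        "authenticationRequirement": auth_req,
        "riskLevelDuringSignIn": risk,
        "status": {"errorCode": error_code},
        "location": {"countryOrRegion": country},
        "ipAddress": ip,
    }


# Constructed sample export covering each finding type (documentation IP ranges).
SAMPLE_SIGNINS = [
    _rec("alice@example.com", "Browser", "multiFactorAuthentication", "none", 0, "CA", "198.51.100.10"),
    _rec("scanner@example.com", "IMAP4", "singleFactorAuthentication", "none", 0, "CA", "198.51.100.11"),
    _rec("bob@example.com", "Browser", "singleFactorAuthentication", "none", 0, "CA", "198.51.100.12"),
    _rec("carol@example.com", "Mobile Apps and Desktop clients", "multiFactorAuthentication", "high", 0, "US", "203.0.113.7"),
    _rec("eve@example.com", "Browser", "multiFactorAuthentication", "none", 0, "NG", "203.0.113.40"),
] + [_rec("dave@example.com", "Browser", "singleFactorAuthentication", "none", 50126, "CA", "203.0.113.99")] * 3


def is_success(rec):
    """A sign-in succeeded when the export reports errorCode 0."""
    return rec.get("status", {}).get("errorCode", 0) == 0


def triage(records, allowed_countries, failure_threshold=3):
    """Return the findings a monthly review would act on.

    legacy_auth       successful sign-ins over legacy protocols; these are the clients
                      that break when legacy authentication is blocked, so fix them first
    single_factor     successful modern-auth sign-ins that never required MFA, i.e.
                      accounts the Conditional Access policy does not yet cover
    risky_success     successful sign-ins rated medium or high risk at sign-in time
    unexpected_geo    successful sign-ins from outside the allowed country set
    repeated_failures users with at least failure_threshold failed attempts
    """
    legacy, single, failures = Counter(), Counter(), Counter()
    risky, geo = [], []
    for r in records:
        upn = r["userPrincipalName"]
        app = r.get("clientAppUsed", "")
        if not is_success(r):
            failures[upn] += 1
            continue
        if app in LEGACY_CLIENT_APPS:
            legacy[(upn, app)] += 1
        elif r.get("authenticationRequirement") == "singleFactorAuthentication":
            single[upn] += 1
        if r.get("riskLevelDuringSignIn") in ("medium", "high"):
            risky.append((upn, r["riskLevelDuringSignIn"], r.get("ipAddress")))
        country = r.get("location", {}).get("countryOrRegion")
        if country and country not in allowed_countries:
            geo.append((upn, country, app))
    return {
        "legacy_auth": sorted(legacy.items()),
        "single_factor": sorted(single.items()),
        "risky_success": risky,
        "unexpected_geo": geo,
        "repeated_failures": sorted(u for u, n in failures.items() if n >= failure_threshold),
    }


if __name__ == "__main__":
    # Allowed countries are an assumption for the sample tenant.
    print(json.dumps(triage(SAMPLE_SIGNINS, {"CA", "US"}), indent=2))
```

Run it against a real export by loading the JSON records in place of SAMPLE_SIGNINS; the legacy_auth list is the pre-flight check for the pilot group described above, and the other four lists are the items a monthly summary would report with the action taken.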

Why North Star

MFA that works for your staff, not just on paper.

North Star is based in Prince George and serves BC, Alberta, and the Yukon. We design MFA deployments around the actual user experience of your staff: field workers on mobile devices in the Peace Region, remote staff in Whitehorse logging in over Starlink, office staff switching between shared workstations. The technical configuration is only part of the work. We also run a staff communication and training session so that the rollout does not generate a flood of IT tickets on day one. The goal is MFA that actually gets used, not MFA that gets disabled because it is too frustrating to live with.