"We spent a good amount of time working with the customer and agreed a rollout plan to ensure multi-factor authentication (MFA) was enabled across the board in accordance with a security baseline," Colin told The Register.
A simple plan: Secure Score and MFA for Microsoft 365
The engagement began as a routine security hardening exercise: the customer wanted to chase Microsoft's Secure Score for its Microsoft 365 tenancy, and Colin's team agreed a phased rollout to enable multi‑factor authentication (MFA) "across the board" in line with a security baseline. According to Colin, the upgrades were applied and, at first, "all went smoothly." The objective was straightforward: improve resilience by turning on MFA for users in the tenant.
The morning after: a senior director's call and an instant rollback
The calm lasted until the following morning, when "one of the senior directors of the company – who was allegedly the COO of a cybersecurity company – called our service desk and started yelling." The director told support that the organization had been "brought to its knees" by the requirement to register for MFA, asserting that invoicing systems were crippled and that ruin would soon follow. After a brief investigation and explanation from support, the director ordered an immediate rollback of the MFA changes — a rollback that Colin reported "remains in place." The result, by Colin's account, was the removal of MFA and consequently "worse security."
The technical cause: buggy invoicing software and three or four phones
Colin and his colleagues probed the incident and found the outage was much narrower than the director portrayed: it "only impacted three or four phones." The actual fault lay with the invoicing software, which claimed to support MFA but relied on buggy components to implement it. In short, the software's promised compatibility with MFA failed in practice for a small set of devices, producing localized disruption rather than an enterprise‑wide outage.
Operational friction: demands, accusations and support strain
The rollback and the director's response were not isolated examples of strained decision‑making. Colin described a pattern of "nonsensical requests" from the same client executive, such as insisting that a particular engineer "who cannot drive" visit a remote site immediately to fix a printer. On another occasion the director attributed a separate systems incident to Colin's Microsoft 365 work, claiming it "caused a power outage." Taken together, these episodes illustrate a level of operational friction that complicated the security team's efforts to complete a planned modernization.
What this means for technologists, enterprise leaders, and end users
- Technologists and security teams: Expect pushback even when changes follow a documented baseline. Colin's team completed a planned MFA rollout only to have it reversed after narrow, third‑party software failures manifested; teams will need fast diagnostics and clear, on‑the‑ground communication to prevent rollback decisions based on incomplete information.
- Enterprise leaders and procurement: Vendors' claims about MFA support can be functional but brittle. The invoicing package in this case "promised MFA support" yet relied on buggy software to make it happen; procurement and technical owners must validate vendor interoperability before enforcing organization‑wide controls that depend on third‑party components.
- End users and finance staff: Short‑term convenience wins may come at the cost of longer‑term exposure. The director's demand for an instant rollback left the tenant without MFA and — in Colin's words — "worse security," even though the outage was limited to "three or four phones."
Colin's account is a compact case study in how the interplay of third‑party software fragility, executive pressure, and operational communication can undermine an otherwise routine security improvement. A planned, baseline‑driven MFA rollout was reversed after a small, localized failure; the rollback remains in place, and the tenant's security posture is back where it started. The record leaves one concrete question: when a single executive's urgency outweighs confirmed technical findings, who in the organization will be empowered to insist that measured remediation, such as a tested workaround or a staged rollback, be tried before removing a foundational control like MFA?
Source: The Register — Security boss thought MFA would be too much security