Multi-factor authentication

Can we exempt some accounts from MFA?

Short answer

No. Under v3.3, every user account with access to organisational data must use MFA. There is no tolerance for "most users have it" - the assessor checks every user. Service accounts that cannot use MFA must be documented and isolated.

Why this matters

MFA is one of the clearest pass/fail areas under Cyber Essentials v3.3. The important question is not whether the organisation owns an MFA product, but whether every account that can access organisational data is covered in practice.

Assessors look for consistent enforcement across email, cloud services, admin accounts, remote access, and line-of-business systems. Exceptions should be rare, documented, isolated, and technically justified. Admin accounts should use the strongest available factor, ideally phishing-resistant MFA.

What to check next

  • Check every user account, not just staff with Microsoft 365 licences.
  • Disable legacy authentication paths that cannot support MFA.
  • Separate day-to-day and administrator accounts and protect both with MFA.
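The three checks above are easiest to apply, and to evidence for an assessor, as a script run over a full account export rather than by eye. The following is an added example, not Fig Group's tooling or any scheme-provided checker: it audits a constructed CSV inventory (the column names, the account list and the set of methods treated as phishing-resistant are all assumptions chosen for illustration, not a real product's export format) and reports every account that would fail the "every user, not most" rule, every admin account on a weaker factor, every undocumented service-account exception, and every account with a legacy authentication path still enabled.

```python
import csv
import io
from dataclasses import dataclass

# Constructed sample export. The columns are an assumption for this example;
# map your identity provider's real export onto them before use.
SAMPLE_EXPORT = """\
account,kind,mfa_method,legacy_auth,documented_exception
alice@example.test,user,fido2,no,
bob@example.test,user,authenticator_app,no,
carol-admin@example.test,admin,sms,no,
dave@example.test,user,,yes,
svc-backup@example.test,service,,no,yes
svc-scanner@example.test,service,,no,
"""

# Methods this example treats as phishing-resistant (an assumption, not a scheme list).
PHISHING_RESISTANT = {"fido2", "passkey", "certificate", "windows_hello"}


@dataclass
class Finding:
    account: str
    severity: str   # "fail": blocks certification; "warn": should be fixed but is not a hard fail
    message: str


def audit_accounts(export_text: str) -> list[Finding]:
    """Walk every row of the export; no sampling, no 'most users' shortcut."""
    findings: list[Finding] = []
    for row in csv.DictReader(io.StringIO(export_text)):
        acct = row["account"].strip()
        kind = row["kind"].strip().lower()
        method = row["mfa_method"].strip().lower()
        legacy = row["legacy_auth"].strip().lower() == "yes"
        documented = row["documented_exception"].strip().lower() == "yes"

        if kind in ("user", "admin"):
            # Every interactive account must have MFA; admins should be on the strongest factor.
            if not method:
                findings.append(Finding(acct, "fail", "interactive account without MFA"))
            elif kind == "admin" and method not in PHISHING_RESISTANT:
                findings.append(Finding(acct, "warn", f"admin account uses weaker factor '{method}'"))
        elif kind == "service":
            # A service account may lack MFA only if the exception is documented (and isolated).
            if not method and not documented:
                findings.append(Finding(acct, "fail", "service account without MFA and no documented exception"))
        else:
            findings.append(Finding(acct, "warn", f"unknown account kind '{row['kind']}'"))

        # A legacy (non-MFA-capable) sign-in path undermines MFA on the same account.
        if legacy:
            findings.append(Finding(acct, "fail", "legacy authentication path enabled"))
    return findings


def coverage_summary(findings: list[Finding]) -> dict:
    """Overall verdict: any single 'fail' means MFA coverage is not complete."""
    fails = [f for f in findings if f.severity == "fail"]
    return {"pass": not fails, "fail_count": len(fails), "warn_count": len(findings) - len(fails)}


if __name__ == "__main__":
    results = audit_accounts(SAMPLE_EXPORT)
    for f in results:
        print(f"{f.severity.upper():4} {f.account}: {f.message}")
    print(coverage_summary(results))
```

Run against the sample, the script fails the audit on one unprotected user (who also still has legacy authentication enabled) and one undocumented service account, and warns that the admin account relies on SMS; the documented backup service account is accepted. Keeping the verdict as "any fail means fail" mirrors the assessor's approach: one uncovered account is enough.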

Official sources and related Fig guidance

For scheme-level confirmation, use the official NCSC and IASME resources rather than relying on a supplier claim alone. Fig Group links to these sources because Cyber Essentials buyers should be able to verify the scheme, the administrator, and the certificate record independently.