
Multi-factor authentication

Does conditional-access MFA pass v3.3?

Short answer

Conditional access ("require MFA unless trusted location") used to pass v3.2. Under v3.3, always-on MFA is the safer answer. Conditional access can pass if the trust policy is strict, but many assessors now require MFA on every sign-in.

Why this matters

MFA is one of the clearest pass/fail areas under Cyber Essentials v3.3. The important question is not whether the organisation owns an MFA product, but whether every account that can access organisational data is covered in practice.

Assessors look for consistent enforcement across email, cloud services, admin accounts, remote access, and line-of-business systems. Exceptions should be rare, documented, isolated, and technically justified. Admin accounts should use the strongest available factor, ideally phishing-resistant MFA.

What to check next

  • Check every user account, not just staff with Microsoft 365 licences.
  • Disable legacy authentication paths that cannot support MFA.
  • Separate day-to-day and administrator accounts and protect both with MFA.
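The checks above can be run against an export of the tenant's Conditional Access policies rather than by eye. The script below is an added example (not Fig Group's code and not from any scheme document). It assumes the policies were exported from Microsoft Graph's `/identity/conditionalAccess/policies` endpoint, whose JSON uses the field names `state`, `conditions.users.includeUsers`, `conditions.applications.includeApplications`, `conditions.locations.excludeLocations`, `conditions.clientAppTypes` and `grantControls.builtInControls`; the three sample policies are constructed for illustration. It reports whether MFA is always-on or only conditional (trusted-location exclusions present), whether legacy authentication is blocked, and which accounts are excluded so the exceptions can be checked against the documented list.

```python
"""Classify Conditional Access policies against the v3.3 MFA expectations.

Assumed input shape: Microsoft Graph conditionalAccessPolicy JSON objects
(field names as documented by Microsoft). Sample data is constructed.
"""
from typing import Dict, List


def _conditions(policy: dict, key: str) -> dict:
    return (policy.get("conditions") or {}).get(key) or {}


def _controls(policy: dict) -> List[str]:
    return (policy.get("grantControls") or {}).get("builtInControls") or []


def is_enabled(policy: dict) -> bool:
    # "enabledForReportingButNotEnforced" (report-only) does not enforce anything.
    return policy.get("state") == "enabled"


def covers_all_users_and_apps(policy: dict) -> bool:
    users = _conditions(policy, "users")
    apps = _conditions(policy, "applications")
    return ("All" in users.get("includeUsers", [])
            and "All" in apps.get("includeApplications", [])
            and not apps.get("excludeApplications"))


def requires_mfa(policy: dict) -> bool:
    # Either the classic "mfa" grant control or an authentication-strength grant
    # (used for phishing-resistant MFA) counts as requiring a second factor.
    grant = policy.get("grantControls") or {}
    return "mfa" in _controls(policy) or grant.get("authenticationStrength") is not None


def location_exclusions(policy: dict) -> List[str]:
    return _conditions(policy, "locations").get("excludeLocations", [])


def blocks_legacy_auth(policy: dict) -> bool:
    # A block policy scoped to the legacy client app types, and only those,
    # is the usual way to close authentication paths that cannot do MFA.
    client_apps = set(policy.get("conditions", {}).get("clientAppTypes", []))
    return (client_apps == {"exchangeActiveSync", "other"}
            and "block" in _controls(policy))


def assess(policies: List[dict]) -> Dict[str, object]:
    """Return a verdict: always-on, conditional, or none, plus supporting detail."""
    enabled = [p for p in policies if is_enabled(p)]
    mfa_policies = [p for p in enabled
                    if covers_all_users_and_apps(p) and requires_mfa(p)]
    always_on = [p["displayName"] for p in mfa_policies if not location_exclusions(p)]
    conditional = [p["displayName"] for p in mfa_policies if location_exclusions(p)]
    excluded_accounts = sorted({u for p in mfa_policies
                                for u in _conditions(p, "users").get("excludeUsers", [])})
    verdict = "always-on" if always_on else ("conditional" if conditional else "none")
    return {
        "verdict": verdict,
        "always_on_policies": always_on,
        "conditional_policies": conditional,
        "legacy_auth_blocked": any(blocks_legacy_auth(p) for p in enabled),
        "excluded_accounts": excluded_accounts,  # compare with the documented exception list
    }


# Constructed sample export: one conditional MFA policy with a break-glass
# exclusion, one legacy-auth block, one always-on policy still in report-only mode.
SAMPLE_POLICIES = [
    {"displayName": "Require MFA (trusted locations excluded)", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["breakglass-placeholder-id"]},
                    "applications": {"includeApplications": ["All"]},
                    "locations": {"excludeLocations": ["AllTrusted"]},
                    "clientAppTypes": ["all"]},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Block legacy authentication", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"builtInControls": ["block"]}},
    {"displayName": "Require MFA for all sign-ins", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["all"]},
     "grantControls": {"builtInControls": ["mfa"]}},
]

if __name__ == "__main__":
    for key, value in assess(SAMPLE_POLICIES).items():
        print(f"{key}: {value}")
```

On the sample data the verdict is "conditional": the only enforced MFA policy excludes trusted locations, and the always-on policy is still report-only, which is exactly the gap an assessor would flag under v3.3. Switching that third policy's `state` to `enabled` moves the verdict to "always-on". The excluded-account list is printed so each entry can be matched to a documented, justified exception.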

Official sources and related Fig guidance

For scheme-level confirmation, use the official NCSC and IASME resources rather than relying on a supplier claim alone. Fig Group links to these sources because Cyber Essentials buyers should be able to verify the scheme, the administrator, and the certificate record independently.