Short answer
Yes, and admin accounts are the priority. Admin and privileged accounts must use MFA, and for them it is often the single most important control. Use a hardware key or FIDO2 factor for admins where possible.
Why this matters
MFA is one of the clearest pass/fail areas under Cyber Essentials v3.3. The important question is not whether the organisation owns an MFA product, but whether every account that can access organisational data is covered in practice.
Assessors look for consistent enforcement across email, cloud services, admin accounts, remote access, and line-of-business systems. Exceptions should be rare, documented, isolated, and technically justified. Admin accounts should use the strongest available factor, ideally phishing-resistant MFA.
What to check next
- Check every user account, not just staff with Microsoft 365 licences.
- Disable legacy authentication paths that cannot support MFA.
- Separate day-to-day and administrator accounts and protect both with MFA.
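The three checks above, written out as an audit over an account export, as an added example that is not from the original page or from Fig Group; the field names, the set of phishing-resistant methods and the sample accounts are assumptions:

```python
"""Audit an account inventory against the MFA checks above (constructed data)."""
from dataclasses import dataclass

# Assumed: methods an assessor would accept as phishing-resistant for admins.
PHISHING_RESISTANT = {"fido2", "hardware_key", "certificate"}


@dataclass
class Account:
    upn: str
    is_admin: bool
    mfa_methods: set[str]       # empty set means no MFA enrolled
    legacy_auth_enabled: bool   # e.g. basic auth still allowed for this account
    owner: str                  # person (or service) that holds the account


# Constructed sample export; not real tenant data.
ACCOUNTS = [
    Account("alice@example.test", False, {"authenticator_app"}, False, "alice"),
    Account("alice-admin@example.test", True, {"fido2"}, False, "alice"),
    Account("bob@example.test", True, {"sms"}, False, "bob"),   # admin on daily account
    Account("scanner@example.test", False, set(), True, "svc"),  # shared, no MFA, legacy auth
]


def audit(accounts):
    """Return (subject, finding) pairs for every gap an assessor would flag."""
    findings = []
    for a in accounts:
        if not a.mfa_methods:                      # every account, not just licensed staff
            findings.append((a.upn, "no MFA enrolled"))
        if a.legacy_auth_enabled:                  # legacy paths bypass MFA entirely
            findings.append((a.upn, "legacy authentication enabled"))
        if a.is_admin and not (a.mfa_methods & PHISHING_RESISTANT):
            findings.append((a.upn, "admin without phishing-resistant factor"))
    # Separation check: an owner with only an admin account is using it day to day.
    owners_admin = {a.owner for a in accounts if a.is_admin}
    owners_daily = {a.owner for a in accounts if not a.is_admin}
    for owner in sorted(owners_admin - owners_daily):
        findings.append((owner, "no separate day-to-day account for admin"))
    return findings


def is_compliant(accounts):
    return not audit(accounts)


if __name__ == "__main__":
    for subject, finding in audit(ACCOUNTS):
        print(f"{subject}: {finding}")
```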
Official sources and related Fig guidance
For scheme-level confirmation, use the official NCSC and IASME resources rather than relying on a supplier claim alone. Fig Group links to these sources because Cyber Essentials buyers should be able to verify the scheme, the administrator, and the certificate record independently.