Short answer
Yes. Multi-factor authentication is mandatory on every user account that accesses organisational data on or after 28 April 2026. This includes cloud services, email, admin accounts, remote access, and line-of-business SaaS applications.
Why this matters
MFA is one of the clearest pass/fail areas under Cyber Essentials v3.3. The important question is not whether the organisation owns an MFA product, but whether every account that can access organisational data is covered in practice.
Assessors look for consistent enforcement across email, cloud services, admin accounts, remote access, and line-of-business systems. Exceptions should be rare, documented, isolated, and technically justified. Admin accounts should use the strongest available factor, ideally phishing-resistant MFA.
What to check next
- Check every user account, not just staff with Microsoft 365 licences.
- Disable legacy authentication paths that cannot support MFA.
- Separate day-to-day and administrator accounts and protect both with MFA.
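The three checks above can be run mechanically against an account inventory. The script below is an added example, not Fig Group's or the scheme's own tooling; the account records, the method names and the `exception_ref` field are constructed assumptions standing in for an export from the organisation's identity provider.

```python
from dataclasses import dataclass

# Factors treated as phishing-resistant for the admin-account check (assumed labels).
PHISHING_RESISTANT = {"fido2", "passkey", "certificate"}


@dataclass
class Account:
    upn: str
    is_admin: bool
    mfa_methods: set          # enrolled MFA methods; empty set means no MFA at all
    legacy_auth_enabled: bool  # e.g. basic auth / POP / IMAP paths that cannot enforce MFA
    exception_ref: str = ""   # change/ticket reference if a documented exception exists


def audit(accounts):
    """Return (upn, finding) pairs for every MFA gap; an empty list means no gaps."""
    findings = []
    for a in accounts:
        if not a.mfa_methods:
            if a.exception_ref:
                findings.append((a.upn, f"no MFA; documented exception {a.exception_ref} "
                                        "- confirm it is isolated and technically justified"))
            else:
                findings.append((a.upn, "no MFA enrolled and no documented exception"))
        if a.is_admin and not (a.mfa_methods & PHISHING_RESISTANT):
            findings.append((a.upn, "admin account without a phishing-resistant factor"))
        if a.legacy_auth_enabled:
            findings.append((a.upn, "legacy authentication path enabled (bypasses MFA)"))
    return findings


# Constructed sample inventory: every account, not only licensed staff users.
SAMPLE = [
    Account("alice@example.org", False, {"authenticator_app"}, False),
    Account("bob@example.org", False, set(), True),
    Account("admin-alice@example.org", True, {"authenticator_app"}, False),
    Account("scanner-svc@example.org", False, set(), False, exception_ref="CHG-0042"),
    Account("admin-carol@example.org", True, {"fido2"}, False),
]

if __name__ == "__main__":
    for upn, finding in audit(SAMPLE):
        print(f"{upn}: {finding}")
```

Any account that appears in the output is an assessment risk; the exception line is a prompt to produce the written justification, not a pass.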
Official sources and related Fig guidance
For scheme-level confirmation, use the official NCSC and IASME resources rather than relying on a supplier claim alone. Fig Group links to these sources because Cyber Essentials buyers should be able to verify the scheme, the administrator, and the certificate record independently.