
Microsoft Authenticator: The Complete Guide for Business Users

Passwords alone are no longer enough. With phishing attacks, credential stuffing and brute force attempts hitting businesses every day, relying on a password is a bit like locking your front door but leaving the window wide open.

That is where multi-factor authentication (MFA) comes in. And Microsoft Authenticator is one of the simplest, most reliable ways to get it set up across your organisation.

This guide covers everything business users need to know: what it is, how it works, how to use it day to day, what to do when things go wrong, and how to stay safe from a growing threat called MFA fatigue.

What Is Microsoft Authenticator?

Microsoft Authenticator is a free app for iOS and Android that adds a second layer of security to your Microsoft 365 account (and many other services). When you log in, you are not just asked for your password. You also have to prove it is really you by approving a notification or entering a short code from the app.

That second step is what makes it so effective. Even if someone gets hold of your password, they still cannot get into your account without your phone.

The numbers are stark: Microsoft’s own research shows that enabling MFA blocks more than 99.9% of automated account compromise attacks. For any business using Microsoft 365, enabling it is not optional. It is essential.

How Microsoft Authenticator Works

There are two main ways the app proves your identity:

  • Push notifications: When you sign in, a notification pops up on your phone. It shows you the app you are signing into, your location and a two-digit number that matches what is shown on your screen. Tap Approve and you are in.
  • One-time codes (TOTP): The app generates a six-digit code that refreshes every 30 seconds. You type this code into the sign-in screen. Useful when you do not have mobile data or if push notifications are unavailable.

Both methods are far more secure than SMS codes, which can be intercepted. The one-time codes are generated on the phone itself with no network connection needed, and the app is tied to your specific device, making it much harder to spoof.

Setting It Up

Getting started takes about five minutes. The short version:

  • Download the Microsoft Authenticator app from the App Store or Google Play
  • Sign into your Microsoft 365 account at mysignins.microsoft.com/security-info
  • Add a sign-in method and select Authenticator app
  • Scan the QR code shown on screen
  • Approve a test notification to confirm everything is working

For a full walkthrough with screenshots, see our step-by-step setup guide.

If you are rolling MFA out across a team, your IT admin can enforce it through Azure Active Directory Conditional Access policies, so users are prompted to set it up automatically on their next sign-in.

Using It Day to Day

Once it is set up, Microsoft Authenticator mostly stays out of the way. You will typically only see it when signing into a new device, after a period of inactivity, or when accessing something sensitive.

Here is what a normal sign-in looks like:

  • Enter your email and password as usual
  • A notification appears on your phone
  • Check the two-digit number matches what is on your screen
  • Tap Approve
  • Done. You are in.

The whole thing takes about five seconds. Once you get used to it, it becomes second nature.

Managing Authenticator: New Phone and Backup Methods

The biggest gotcha with any authenticator app is: what happens when you get a new phone, lose your device, or it breaks?

The good news is Microsoft has thought about this.

  • Cloud backup: Enable the backup option in the app settings. On Android this uses your Google account; on iOS it uses iCloud. If you get a new phone, you can restore your accounts during setup.
  • Add a backup sign-in method: Go to mysignins.microsoft.com/security-info and add a secondary method, such as a backup phone number or email. This gives you a fallback if you cannot access the app.
  • Temporary access pass: If your IT admin has enabled it, they can generate a short-term passcode that lets you sign in and re-register your new device without needing the old phone.

The biggest mistake people make is waiting until they are locked out to think about this. Set up your backup methods now, while you still have access.

Common Issues and How to Fix Them

  • Notification did not arrive: Check your phone is connected to the internet and that notifications are enabled for the app. You can also use the one-time code as a fallback.
  • Code says it is invalid: Make sure your phone’s clock is set to automatic time sync. TOTP codes are time-sensitive and drift of even 30 seconds can cause failures.
  • App is not showing accounts: If you reinstalled the app without restoring from backup, you may need to re-add your accounts. Contact your IT admin if you are unable to sign in.
  • Locked out completely: Your IT admin can reset your MFA registration in the Azure portal, or issue a Temporary Access Pass to get you back in.
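An added example (not code from the article or from Microsoft) showing how the six-digit, 30-second codes described under How Microsoft Authenticator Works are produced, and why the "code says it is invalid" case above happens: RFC 6238 TOTP with a one-step tolerance window, run against the RFC's own test-vector secret and a constructed server time.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30     # seconds each code is valid for
DIGITS = 6    # Authenticator shows six digits


def totp(secret_b32: str, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): HOTP of the shared key over floor(T / step)."""
    secret_b32 = secret_b32.upper().replace(" ", "")
    key = base64.b32decode(secret_b32 + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(secret_b32: str, submitted: str, server_time: int, window: int = 1) -> bool:
    """Server-side check: accept the current step and `window` steps either side,
    comparing in constant time. window=1 tolerates roughly 30 s of phone clock
    drift; a phone further out produces codes the server never computes, which
    is the 'code says it is invalid' failure."""
    return any(
        hmac.compare_digest(totp(secret_b32, server_time + k * STEP), submitted)
        for k in range(-window, window + 1)
    )


# RFC 6238 test-vector secret (ASCII "12345678901234567890"); not a real credential.
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
DEMO_TIME = 1_700_000_000   # constructed server time, 2023-11-14T22:13:20Z


def drift_demo(drift_seconds: int, server_time: int = DEMO_TIME) -> bool:
    """Is a code from a phone whose clock is off by `drift_seconds` accepted?"""
    phone_code = totp(DEMO_SECRET, server_time + drift_seconds)
    return verify(DEMO_SECRET, phone_code, server_time)


if __name__ == "__main__":
    print("code for the current time:", totp(DEMO_SECRET, int(time.time())))
    for drift in (0, 20, -25, 45, 90):
        print(f"phone clock off by {drift:>4} s:", "accepted" if drift_demo(drift) else "rejected")
```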

MFA Fatigue: A Real and Growing Risk

There is one attack you need to know about: MFA fatigue, sometimes called MFA prompt bombing.

Here is how it works. An attacker has already obtained your password (perhaps from a data breach or phishing). They then attempt to sign in repeatedly, sending a flood of approval notifications to your phone. The hope is that you will eventually tap Approve out of frustration or confusion.

Several high-profile breaches have happened this way.

How to protect yourself:

  • Never approve a notification you did not initiate. If a request appears and you are not actively signing in, deny it immediately.
  • Check the number match. Microsoft now shows a two-digit code that must match between the app and the sign-in screen. This means you cannot accidentally approve a request from an attacker.
  • Report unexpected requests. If you start receiving repeated sign-in requests you did not trigger, tell your IT team straight away. It likely means your password has been compromised and needs changing.
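The "report unexpected requests" advice above has a server-side counterpart: an IT team can spot a prompt-bombing burst in sign-in logs before the user gives in. This is an added example, not the article's or Microsoft's code; the events are constructed in a simplified shape of Entra ID sign-in log entries (hypothetical users and addresses).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events (not real data). alice is bombed with prompts
# from an unfamiliar address, denies or ignores five, then approves one;
# bob signs in normally and later lets a single prompt time out.
SAMPLE_EVENTS = [
    {"time": "2024-05-02T08:01:10Z", "user": "alice@example.com", "ip": "203.0.113.10", "mfa": "denied"},
    {"time": "2024-05-02T08:01:42Z", "user": "alice@example.com", "ip": "203.0.113.10", "mfa": "timeout"},
    {"time": "2024-05-02T08:02:15Z", "user": "alice@example.com", "ip": "203.0.113.10", "mfa": "denied"},
    {"time": "2024-05-02T08:02:50Z", "user": "alice@example.com", "ip": "203.0.113.10", "mfa": "timeout"},
    {"time": "2024-05-02T08:03:30Z", "user": "alice@example.com", "ip": "203.0.113.10", "mfa": "denied"},
    {"time": "2024-05-02T08:04:05Z", "user": "alice@example.com", "ip": "203.0.113.10", "mfa": "approved"},
    {"time": "2024-05-02T08:05:00Z", "user": "bob@example.com",   "ip": "198.51.100.7", "mfa": "approved"},
    {"time": "2024-05-02T09:10:00Z", "user": "bob@example.com",   "ip": "198.51.100.7", "mfa": "timeout"},
]

BURST_THRESHOLD = 5            # denied or unanswered prompts that count as a burst
WINDOW = timedelta(minutes=10)  # within this much time


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_prompt_bombing(events, threshold=BURST_THRESHOLD, window=WINDOW):
    """One finding per user who gets `threshold` or more denied/unanswered MFA
    prompts inside `window`. The finding records whether an approval followed
    the burst (the case to escalate as a likely compromise: the password is
    known and the prompt was accepted) and the source addresses involved."""
    per_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):   # ISO-8601 sorts lexically
        per_user[e["user"]].append(e)

    findings = {}
    for user, evs in per_user.items():
        recent = []   # (timestamp, ip) of unapproved prompts still inside the window
        for e in evs:
            t = _ts(e["time"])
            if e["mfa"] != "approved":
                recent = [(p, ip) for p, ip in recent if t - p <= window] + [(t, e["ip"])]
            if user not in findings:
                if len(recent) >= threshold:
                    findings[user] = {
                        "user": user,
                        "burst_start": recent[0][0].isoformat(),
                        "prompts": len(recent),
                        "sources": {ip for _, ip in recent},
                        "approved_after_burst": False,
                    }
                continue
            # Burst already detected for this user: keep tracking what follows.
            findings[user]["sources"].add(e["ip"])
            if e["mfa"] == "approved":
                findings[user]["approved_after_burst"] = True
    return list(findings.values())


if __name__ == "__main__":
    for f in find_prompt_bombing(SAMPLE_EVENTS):
        urgency = "LIKELY COMPROMISE" if f["approved_after_burst"] else "reset password, contact user"
        print(f"{f['user']}: {f['prompts']} prompts from {f['burst_start']} "
              f"via {sorted(f['sources'])} -> {urgency}")
```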

Why Businesses in Manchester and Beyond Need This Now

Cyber attacks on small and medium businesses are increasing every year. Ransomware, business email compromise and account takeovers are not just problems for large corporations. They hit local businesses hard, often with no warning.

Enabling Microsoft Authenticator across your team is one of the most cost-effective security steps you can take. It costs nothing (the app is free), takes minutes to set up, and stops the vast majority of automated attacks in their tracks.

Need Help Rolling It Out?

If you would like support setting up MFA across your business, migrating to Microsoft 365, or reviewing your overall cyber security posture, the team at Pro Business are here to help.

Get in touch at support@pro-business.co.uk or give us a call. We work with businesses across Manchester and the North West, and we will get you sorted without the jargon.

How to Set Up Microsoft Authenticator: Step-by-Step Guide

If your IT team or Microsoft has prompted you to set up multi-factor authentication (MFA), this guide will walk you through the whole process in plain English. It takes about five minutes and you will only need your phone and a computer.

What You Will Need

  • Your smartphone (iPhone or Android)
  • A computer or laptop signed into your Microsoft 365 account
  • Your Microsoft 365 email address and password

Step 1: Download the Microsoft Authenticator App

On your phone, open the App Store (iPhone) or Google Play Store (Android) and search for Microsoft Authenticator. It is free and published by Microsoft Corporation. Download and install it.

Once installed, open the app. You will be shown a welcome screen. You do not need to do anything in the app just yet.

Step 2: Go to Your Microsoft Security Settings

On your computer, open a browser and go to:

mysignins.microsoft.com/security-info

Sign in with your work Microsoft 365 account if prompted. You will see a page called Security info showing your current sign-in methods.

Step 3: Add the Authenticator App

  • Click Add sign-in method
  • From the dropdown, choose Authenticator app
  • Click Add
  • Click Next on the screen that explains what the Authenticator app does
  • On the next screen, click Next again. Microsoft will now show you a QR code on your screen.

Step 4: Scan the QR Code

Now switch to your phone:

  • In the Microsoft Authenticator app, tap the + button (top right on iPhone, or the add icon on Android)
  • Choose Work or school account
  • Choose Scan a QR code
  • Point your phone camera at the QR code on your computer screen

The app will scan it automatically and add your account. You will see your name and email address appear in the app.

Step 5: Allow Notifications

When prompted on your phone, allow the Microsoft Authenticator app to send you notifications. This is how it will notify you when you need to approve a sign-in. Without notifications enabled, the app will not be able to send you approval prompts.

On iPhone: tap Allow when iOS asks about notifications.

On Android: tap Allow when prompted.

Step 6: Approve the Test Notification

Back on your computer, click Next. Microsoft will send a test notification to your phone to confirm everything is working.

  • A notification will appear on your phone
  • It will show a two-digit number. Check that number matches what is shown on your computer screen
  • Tap Yes or Approve on your phone

Your computer will confirm that the app is set up. Click Next and then Done. That is it. You are set up.

Using Microsoft Authenticator Day to Day

Once it is configured, here is what happens each time you sign in:

  • Enter your email and password as normal
  • A notification appears on your phone with a two-digit number
  • Check the number matches what is on your screen
  • Tap Approve
  • You are signed in

If you do not have mobile data or the notification does not arrive, open the Authenticator app and use the six-digit code shown under your account. Type that code into the sign-in screen instead. The code refreshes every 30 seconds.

Getting a New Phone

Before you get a new phone, do two things:

  • Enable cloud backup in the Authenticator app settings (Google account on Android, iCloud on iPhone)
  • Add a backup sign-in method at mysignins.microsoft.com/security-info, such as an alternative phone number

When you set up your new phone, install the Authenticator app and restore from your backup. Your accounts will be transferred. If you get stuck, your IT admin can reset your MFA registration so you can start fresh.

Need Help?

If you ran into any problems during setup, or if your business needs help rolling out MFA across the whole team, the Pro Business team are here for you.

Drop us an email at support@pro-business.co.uk and we will get you sorted. We support businesses across Manchester and the North West with Microsoft 365, cyber security and IT support.


Microsoft Copilot: Complete Security Risk Assessment and Safe Deployment Guide

Updated for May 2026: Comprehensive security analysis of Microsoft Copilot deployment risks for UK businesses

Microsoft Copilot promises to revolutionise workplace productivity by integrating AI assistance directly into your Microsoft 365 environment. However, before rushing to deploy this technology, businesses must understand the complex security, privacy, and compliance implications that could expose your organisation to significant legal and operational risks.

This comprehensive guide examines the critical security considerations every business must address before enabling Copilot across their organisation.

Understanding Microsoft Copilot’s Data Access Model

Microsoft Copilot operates by accessing data throughout your Microsoft 365 environment using the same permissions as the signed-in user. This means Copilot can potentially access:

  • All email communications – Including client correspondence, negotiations, and sensitive business discussions
  • SharePoint and OneDrive files – Financial reports, contracts, strategic documents, and confidential client information
  • Teams conversations – Meeting transcripts, chat history, and screen-shared content
  • Calendar information – Meeting details, attendees, and confidential business scheduling
  • OneNote contents – Personal notes, project details, and brainstorming sessions

⚠️ Critical Understanding: Copilot doesn’t just access what you explicitly share with it. It can access everything your Microsoft 365 account has permission to view, creating a potential data exposure risk far beyond traditional AI tools.

The Four Primary Security and Legal Risks

1. Broad Content Access and Usage Rights

Microsoft’s Terms of Use for Copilot include provisions that may concern businesses:

“We don’t own Your Content, but we may use Your Content to operate Copilot and improve it… we can copy, distribute, transmit, publicly display, publicly perform, edit, translate, and reformat it, and we can give those same rights to others who work on our behalf.”

Business Impact: Your confidential data could potentially be used to improve Microsoft’s AI systems, raising questions about data ownership and competitive advantage protection.

2. Microsoft 365 Integration Overreach

Because Copilot inherits user permissions across the M365 environment, it can surface information that users technically have access to but shouldn’t routinely see. This creates several risks:

  • Over-privileged access – Users may have broader SharePoint/Teams permissions than their role requires
  • Accidental data discovery – Copilot might surface confidential information in responses to seemingly innocent queries
  • Cross-departmental exposure – HR data, financial information, or legal documents could be accessed inappropriately

3. Third-Party Data Processing Risks

Microsoft’s ability to “give those same rights to others who work on our behalf” introduces potential risks around:

  • Unnamed subprocessors gaining access to your business data
  • International data transfers without explicit business consent
  • Vendor security incidents affecting your confidential information
  • Limited visibility into who actually processes your data

4. Irreversible AI Training Integration

Once data is used to “improve” Copilot’s AI models, it becomes integrated into the system in ways that may be impossible to reverse:

  • Permanent data integration – Your confidential information cannot be “unlearned” from AI models
  • Cross-contamination risk – Client data might influence responses to other users’ queries
  • Long-term exposure – Information remains in the system indefinitely

UK GDPR and Data Protection Compliance Concerns

Microsoft Copilot’s data processing model raises several compliance questions under UK GDPR:

Article 6 – Lawful Basis for Processing

  • Legitimate interest assessments required for AI processing of personal data
  • Consent requirements where processing goes beyond reasonable expectations
  • Documentation obligations for AI-related data processing purposes

Article 28 – Processor Agreements

  • Data Processing Addendum (DPA) compliance with Microsoft’s AI processing
  • Subprocessor notification for third-party AI training providers
  • Security measure adequacy for AI-processed personal data

Data Subject Rights Challenges

  • Right to erasure (Article 17) – Can personal data be removed from AI models?
  • Right to rectification (Article 16) – How can inaccurate AI training data be corrected?
  • Right of access (Article 15) – Can individuals access personal data used in AI training?

Data Controller Liability

Your organisation remains fully liable for GDPR compliance, including:

  • Any breaches caused by AI processing of personal data
  • Inadequate consent or lawful basis for AI operations
  • Failure to implement appropriate technical and organisational measures
  • Non-compliance with data subject rights requests

High-Risk Data Types – What Never to Process with Copilot

Until better controls are available, avoid using Copilot for processing:

Client-Related Information

  • Confidential client communications
  • Contract negotiations and terms
  • Client financial information
  • NDA-protected content
  • Strategic client planning

Internal Business Data

  • Financial records and reporting
  • Legal documents and contracts
  • HR records and employee data
  • Strategic business planning
  • Competitive intelligence

Regulated Information

  • Healthcare data (patient records)
  • Financial services compliance data
  • Legal privilege communications
  • Personal data requiring consent
  • Trade secret information

Technical & Security

  • Security policies and procedures
  • System credentials and access keys
  • Network architecture details
  • Incident response information
  • Audit and compliance reports

Essential Pre-Deployment Security Checklist

Before enabling Microsoft Copilot, complete this comprehensive security assessment:

📋 Phase 1: Data and Access Audit

| Task | Action Required | Priority |
|---|---|---|
| Microsoft 365 Permission Audit | Review all SharePoint, OneDrive, and Teams permissions | Critical |
| Data Classification Review | Identify and label confidential/sensitive content | Critical |
| User Access Analysis | Map user roles to actual data access requirements | High |
| Third-Party Data Mapping | Identify client/customer data locations | High |
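The permission audit above is the control for the overreach described in section 2: Copilot surfaces whatever the signed-in user can already read, including access that arrives through nested or tenant-wide groups. This added example (not the article's or Microsoft's code, and a constructed tenant rather than a real export) computes that effective reach per user and lists confidential-looking sites readable through a broad group; the group, site and user names are hypothetical.

```python
from collections import deque

# Constructed tenant snapshot (not real data). Group membership may nest.
GROUP_MEMBERS = {
    "All Staff":  ["alice@example.com", "bob@example.com", "carol@example.com"],
    "Finance":    ["carol@example.com"],
    "HR":         ["bob@example.com", "Finance"],          # Finance nested inside HR
    "Leadership": ["alice@example.com"],
}
# Site or library -> principals (users or groups) granted read access.
SITE_READERS = {
    "Finance/Board-Reports":    ["Finance", "Leadership"],
    "HR/Salary-Review-2024":    ["HR"],
    "Projects/Tender-Client-X": ["All Staff"],             # broad grant on client data
    "IT/Incident-Runbooks":     ["All Staff", "Leadership"],
    "Marketing/Brand-Assets":   ["All Staff"],
}
BROAD_GROUPS = {"All Staff"}   # groups that amount to "everyone in the tenant"
CONFIDENTIAL_PREFIXES = ("Finance/", "HR/", "IT/", "Projects/Tender-")


def groups_of(user: str) -> set:
    """All groups containing `user`, following nested membership upwards."""
    direct = {g for g, members in GROUP_MEMBERS.items() if user in members}
    result, queue = set(direct), deque(direct)
    while queue:
        g = queue.popleft()
        for parent, members in GROUP_MEMBERS.items():
            if g in members and parent not in result:
                result.add(parent)
                queue.append(parent)
    return result


def copilot_reachable(user: str) -> dict:
    """Sites whose content Copilot could draw on for `user`, mapped to the
    grants that allow it (the user directly, or a group the access flows through)."""
    principals = {user} | groups_of(user)
    reach = {}
    for site, readers in SITE_READERS.items():
        via = [p for p in readers if p in principals]
        if via:
            reach[site] = via
    return reach


def oversharing_findings() -> list:
    """Confidential-looking sites readable through a broad group: the
    over-privileged access the permission audit is meant to surface."""
    return sorted(site for site, readers in SITE_READERS.items()
                  if site.startswith(CONFIDENTIAL_PREFIXES) and BROAD_GROUPS & set(readers))


if __name__ == "__main__":
    for user in ("alice@example.com", "bob@example.com", "carol@example.com"):
        print(user)
        for site, via in sorted(copilot_reachable(user).items()):
            print(f"  {site:<28} via {', '.join(via)}")
    print("Fix before enabling Copilot:", oversharing_findings())
```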

🔧 Phase 2: Technical Control Implementation

Data Loss Prevention (DLP) Configuration

  • Sensitive Information Types – Configure rules for financial data, personal information, and confidential content
  • Policy Actions – Block, warn, or restrict Copilot access to sensitive content
  • Exception Handling – Define processes for legitimate business use cases
  • Monitoring and Alerting – Set up notifications for policy violations

Microsoft Purview Sensitivity Labels

  • Label Creation – Define confidential, restricted, and public classification levels
  • Automatic Classification – Use content-based rules to apply labels
  • Protection Actions – Encrypt and restrict access to sensitive content
  • Copilot Integration – Configure label-based AI access controls

Conditional Access Policies

  • User-Based Restrictions – Limit Copilot access to specific roles or groups
  • Location Controls – Restrict AI access based on geographic location
  • Device Compliance – Require managed devices for Copilot access
  • Risk-Based Access – Implement adaptive controls based on user behaviour

Tenant Isolation Strategy

  • Data Segregation – Separate AI-safe and confidential data environments
  • Service Boundaries – Implement logical separation between data types
  • Access Controls – Restrict cross-environment data access
  • Monitoring – Track data movement between environments

📚 Phase 3: Policy and Training Framework

AI Usage Policy Development

  • Acceptable Use Guidelines – Define appropriate AI tool usage
  • Data Classification Requirements – Mandatory content labelling procedures
  • Incident Response Procedures – Process for handling AI-related data exposures
  • Legal Review Requirements – When to involve legal counsel

Employee Training Program

  • Data Protection Awareness – Understanding AI access implications
  • Classification Training – How to identify and label sensitive content
  • Safe Usage Practices – Best practices for AI tool usage
  • Incident Reporting – How to report potential data exposure

Contract and Agreement Updates

  • Client Confidentiality Agreements – Update NDAs to address AI processing
  • Employee Contracts – Include AI usage obligations and restrictions
  • Vendor Agreements – Review Microsoft DPA and subprocessor agreements
  • Privacy Policies – Update to reflect AI data processing

Compliance and Risk Management Framework

Legal Basis Documentation

Document your lawful basis for AI processing under UK GDPR:

  • Legitimate Interest Assessment (LIA) – Balance test for business AI usage
  • Consent Management – Where required for personal data processing
  • Contractual Necessity – AI processing essential for service delivery
  • Legal Obligation – Regulatory requirements for AI governance

Data Protection Impact Assessment (DPIA)

Complete a DPIA addressing:

  • Personal data types processed by AI systems
  • Potential risks to data subject rights and freedoms
  • Mitigation measures and safeguards
  • Ongoing monitoring and review processes

Ongoing Monitoring Requirements

  • Regular Access Reviews – Quarterly assessment of user permissions
  • Data Classification Audits – Ensure appropriate content labelling
  • Policy Compliance Monitoring – Track adherence to AI usage guidelines
  • Incident Response Testing – Regular exercises for data exposure scenarios

Alternative AI Solutions to Consider

While evaluating Microsoft Copilot risks, consider these alternative approaches:

Self-Hosted AI Solutions

  • On-premises deployment – Full control over data processing
  • Private cloud hosting – Dedicated infrastructure for AI workloads
  • Open-source models – Transparency in AI model training and operation

Specialized Business AI Tools

  • Industry-specific solutions – AI tools designed for your sector
  • Privacy-focused alternatives – Providers with stronger data protection commitments
  • Hybrid approaches – Combine multiple AI tools with appropriate controls

Five-Step Deployment Roadmap

Recommended Phased Approach

Step 1: Comprehensive Risk Assessment (Month 1)

  • Complete data and access audit
  • Conduct DPIA and legal review
  • Assess regulatory compliance requirements

Step 2: Technical Controls Implementation (Months 2-3)

  • Deploy DLP policies and sensitivity labels
  • Configure conditional access controls
  • Implement tenant isolation where needed

Step 3: Policy and Training Rollout (Month 4)

  • Develop comprehensive AI usage policies
  • Train staff on data protection requirements
  • Update contracts and agreements

Step 4: Pilot Deployment (Months 5-6)

  • Limited user group with controlled data access
  • Monitor usage patterns and compliance
  • Refine policies based on real-world usage

Step 5: Full Deployment and Ongoing Management (Month 7+)

  • Gradual expansion to all appropriate users
  • Continuous monitoring and improvement
  • Regular compliance reviews and updates

Professional Risk Assessment and Implementation

Given the complexity of Microsoft Copilot’s security implications, many businesses benefit from professional guidance to navigate deployment safely. Key areas where expert assistance proves valuable:

Technical Implementation Support

  • Microsoft 365 Security Assessment – Comprehensive review of current data exposure risks
  • DLP and Purview Configuration – Expert setup of technical controls and monitoring
  • Conditional Access Design – Risk-based access controls tailored to your business
  • Tenant Architecture Review – Optimal data segregation and access control strategies

Compliance and Legal Guidance

  • UK GDPR Impact Assessment – Professional DPIA completion and legal review
  • Contract Analysis and Updates – Ensure agreements reflect AI processing realities
  • Regulatory Compliance Review – Industry-specific requirements and obligations
  • Incident Response Planning – Prepare for potential AI-related data exposures

Conclusion: Balancing Innovation with Security

Microsoft Copilot represents a significant opportunity to enhance workplace productivity through AI assistance. However, the security, privacy, and compliance implications require careful consideration and planning before deployment.

The key is not to avoid AI innovation entirely, but to implement it responsibly with appropriate safeguards. By following the comprehensive framework outlined in this guide, businesses can:

  • Protect confidential and sensitive information
  • Maintain regulatory compliance
  • Reduce legal and operational risks
  • Enable productive AI usage where appropriate

Remember that AI security is an ongoing process, not a one-time setup. Regular reviews, updates, and improvements to your AI governance framework will be essential as both the technology and regulatory landscape continue to evolve.

Ready to Deploy Microsoft Copilot Safely?

Pro Business specialises in secure AI deployment for Manchester businesses. We provide comprehensive Microsoft 365 security assessments, technical control implementation, and ongoing compliance management to ensure your AI adoption enhances productivity without compromising security.

Contact Pro Business today to discuss your Microsoft Copilot deployment strategy and ensure your business remains protected while embracing AI innovation responsibly.