The number of orgs that cause an outage while rolling out enforced MFA is embarrassingly high. The right sequence is unglamorous, and it works.
Phase 1: Soft-Enable MFA
Setup -> Security -> Two-Factor Authentication. Enable but do not enforce. Ask reps to enroll voluntarily over a two-week window and track adoption in the admin panel. Expect 60-70% to enroll with nothing more than the announcement.
Phase 2: Push OneAuth as the Default
Zoho OneAuth (Zoho's authenticator app) is close to friction-free if reps already use the Mail and CRM mobile apps. Provide a one-paragraph internal doc with screenshots. Discourage SMS: it is the weakest factor (SIM swap and interception are practical attacks against it, and a code typed into a phishing page works just as well as the real one), and Zoho rate-limits delivery.
Recommended: OneAuth or hardware security key
Acceptable: TOTP (Google Authenticator, 1Password)
Last resort: SMS
Phase 3: Enforce MFA Org-Wide
Once adoption hits roughly 85%, set the enforcement date 7 days out, communicate it twice, and flip the switch. The remaining 15% will scramble on enforcement day, so staff the help desk accordingly and give them a written, identity-verified MFA reset procedure before that day. A rushed help desk that resets MFA over chat without verifying the caller is the easiest way to undo the whole rollout.
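As an added example, not code from the original post or from Zoho, here is the readiness check to run on a user export before committing to the Phase 3 enforcement date. The CSV column names and the sample rows are constructed for illustration; Zoho's real export headers will differ, so adjust `parse_export` to match. Beyond the bare adoption percentage, it lists who is still unenrolled, who is sitting on SMS, and whether any admin is unprotected, and it refuses to call the org "ready" while an admin lacks MFA regardless of the percentage, because those are the accounts an attacker wants and the accounts you need working if the rollout goes wrong.

```python
import csv
import io
import json
from dataclasses import dataclass

# Constructed sample export. Column names are assumptions, not Zoho's real CSV headers.
SAMPLE_EXPORT = """email,profile,mfa_enabled,mfa_method,last_login
alice@example.com,Administrator,true,OneAuth,2024-05-01
bob@example.com,Standard,true,SMS,2024-05-02
carol@example.com,Standard,true,TOTP,2024-05-02
dave@example.com,Standard,false,,2024-04-28
erin@example.com,Administrator,false,,2024-05-01
frank@example.com,Standard,true,OneAuth,2024-04-30
grace@example.com,Standard,true,OneAuth,2024-05-01
heidi@example.com,Standard,true,OneAuth,2024-05-02
ivan@example.com,Standard,true,Security Key,2024-05-01
judy@example.com,Standard,false,,2024-03-15
"""

WEAK_METHODS = {"sms"}            # factors to chase even though they count as "enrolled"
ADMIN_PROFILES = {"administrator"}  # profile names are assumed; match them to your tenant


@dataclass
class User:
    email: str
    profile: str
    mfa_enabled: bool
    mfa_method: str


def parse_export(text):
    """Parse the (assumed) user export into User records."""
    users = []
    for row in csv.DictReader(io.StringIO(text)):
        users.append(User(
            email=row["email"].strip(),
            profile=row["profile"].strip(),
            mfa_enabled=row["mfa_enabled"].strip().lower() == "true",
            mfa_method=row["mfa_method"].strip(),
        ))
    return users


def readiness_report(users, threshold=0.85):
    """Decide whether to schedule enforcement, and produce the chase lists for the help desk."""
    enrolled = [u for u in users if u.mfa_enabled]
    not_enrolled = sorted(u.email for u in users if not u.mfa_enabled)
    weak = sorted(u.email for u in enrolled if u.mfa_method.lower() in WEAK_METHODS)
    admins_unprotected = sorted(
        u.email for u in users
        if u.profile.lower() in ADMIN_PROFILES and not u.mfa_enabled
    )
    rate = len(enrolled) / len(users) if users else 0.0
    return {
        "adoption_rate": round(rate, 3),
        # Gate on admins as well as the percentage: never flip the org-wide switch
        # while an admin account is still unenrolled.
        "ready_to_enforce": rate >= threshold and not admins_unprotected,
        "not_enrolled": not_enrolled,
        "weak_factor": weak,
        "admins_without_mfa": admins_unprotected,
    }


if __name__ == "__main__":
    print(json.dumps(readiness_report(parse_export(SAMPLE_EXPORT)), indent=2))
```

Run it against each week's export; the moment `ready_to_enforce` flips to true is when you send the first of the two enforcement announcements, and `not_enrolled` plus `weak_factor` is the list the help desk works from in the meantime.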
Phase 4: Identity Provider for SSO
If you’re under 50 users, native MFA is enough. Above that, SAML SSO via Okta, Entra ID, or Google Workspace gives you central provisioning, deprovisioning, and conditional access. Once SSO is on, the IdP owns authentication for SSO users, so enforce MFA in the IdP’s sign-on policy, and keep native Zoho MFA enforced for any account that can still sign in with a Zoho password (break-glass admins and service accounts).
Configure in Setup -> Identity Providers. Values are copied in both directions, and mixing them up is the usual first failure:
- Entity ID and ACS URL: Zoho provides these; paste them into the SAML application on the IdP side.
- Issuer: the IdP’s entity ID, exactly as it appears in the IdP’s metadata. An issuer mismatch fails every assertion.
- Login URL and the IdP’s X.509 signing certificate, also from the IdP’s metadata. This is the IdP’s public certificate, never a private key. Note its expiry and calendar the rotation; an expired signing certificate takes down every SSO login at once.
- JIT provisioning ON, so new IdP users auto-create in Zoho. JIT creates and never removes: restrict the SAML app’s assignment in the IdP to the groups that should have Zoho, or every IdP user becomes a Zoho user on first login, and handle deprovisioning through SCIM where your IdP and Zoho plan support it, or through an explicit offboarding step.
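The IdP side of that list comes out of the IdP’s SAML metadata document. As an added example (not the post’s own tooling and not a Zoho or IdP feature), the following pulls the issuer, login URL, logout URL and signing certificate out of a metadata file and sanity-checks them before anything is pasted into Zoho. The metadata document is constructed, the certificate inside it is a structural stand-in rather than a real X.509 certificate, and the preference for the HTTP-Redirect binding is an assumption; check which binding your Zoho SAML configuration expects.

```python
import base64
import json
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed stand-in for the IdP's signing certificate: a DER SEQUENCE header
# followed by zeros. It is NOT a real certificate; only the structural check is exercised.
FAKE_CERT_B64 = base64.b64encode(b"\x30\x82\x01\x02" + b"\x00" * 258).decode()

# Constructed IdP metadata in the shape Okta, Entra ID and Google Workspace all publish.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.com/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="{REDIRECT}" Location="https://idp.example.com/saml/slo"/>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.com/saml/sso"/>
    <md:SingleSignOnService Binding="{POST}" Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def _location(descriptor, tag, preferred):
    """Location of the service endpoint with the preferred binding, else the first one listed."""
    services = descriptor.findall(f"md:{tag}", NS)
    for svc in services:
        if svc.get("Binding") == preferred:
            return svc.get("Location")
    return services[0].get("Location") if services else None


def to_pem(cert_b64):
    """Wrap the base64 DER from the metadata into the PEM form most SP forms accept."""
    body = "\n".join(textwrap.wrap(cert_b64, 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def extract_idp_settings(metadata_xml):
    """Map IdP metadata onto the fields the Zoho form asks for (field names assumed)."""
    # Metadata you fetched from your own IdP; for untrusted XML use defusedxml instead.
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    cert_b64 = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":  # no 'use' means signing and encryption
            el = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if el is not None and el.text:
                cert_b64 = "".join(el.text.split())
                break
    return {
        "issuer": root.get("entityID"),
        "login_url": _location(idp, "SingleSignOnService", REDIRECT),
        "logout_url": _location(idp, "SingleLogoutService", REDIRECT),
        "certificate_pem": to_pem(cert_b64) if cert_b64 else None,
    }


def check_idp_settings(settings):
    """Return the problems a practitioner should fix before pasting anything into Zoho."""
    problems = []
    if not settings["issuer"]:
        problems.append("issuer (entityID) is empty")
    for name in ("login_url", "logout_url"):
        url = settings[name]
        if not url:
            problems.append(f"{name} missing")
        elif not url.startswith("https://"):
            problems.append(f"{name} is not https: {url}")
    pem = settings["certificate_pem"]
    if pem is None:
        problems.append("no signing certificate in metadata")
    else:
        der = base64.b64decode("".join(pem.splitlines()[1:-1]))
        if not der or der[0] != 0x30:
            problems.append("certificate is not a DER SEQUENCE; wrong field pasted?")
    return problems


if __name__ == "__main__":
    settings = extract_idp_settings(SAMPLE_METADATA)
    print(json.dumps(settings, indent=2))
    print("problems:", check_idp_settings(settings))
```

The structural check on the certificate catches the common paste errors (a private key, an encryption certificate, or a fingerprint instead of the certificate); it does not check expiry, which you still need to read off the certificate itself and calendar.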
Phase 5: Service Accounts for Integrations
Integrations that authenticate as a human user with that user’s password (basic-auth scripts, a connector holding an interactive login) fail the moment MFA is enforced on that user. Move every integration to a dedicated service-account user: API-only, scoped to the minimum the integration needs, a strong credential rotated on a schedule, and IP-restricted where your plan allows it. Prefer OAuth 2.0 tokens issued to the service account over a stored password, so the credential can be revoked without resetting the account. An account exempt from the MFA prompt is exactly the account an attacker will go after, so alert on its logins as if it were an admin.
This is the step orgs forget, and it’s why the integration team gets paged at 9am the morning after enforcement.
Phase 6: Conditional Access Rules
Once on SAML, layer conditional access at the IdP:
- Block logins from countries you don’t operate in, with a documented travel exception, or the first blocked login will be a rep on a sales trip.
- Require device compliance for admin profiles.
- Force re-auth every 12 hours for users with broad data access.
Dry-run the rules against the last month of sign-in logs before enforcing them and read the would-have-blocked list: a rule that locks out the people who run the business is a rollback, not a control.
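As an added example, not code from the original post and not an IdP feature, here is what that dry run looks like: the three rules above replayed over a sign-in export, producing the decision each rule would have made. The event records and their field names are constructed; map them onto whatever your IdP or Zoho audit export actually provides. The re-auth rule is stateful, so events are replayed in time order and each session’s last authentication time is tracked.

```python
from datetime import datetime, timedelta

POLICY = {
    "allowed_countries": {"US", "GB", "DE"},            # where the org operates (assumed)
    "admin_profiles": {"administrator"},                # profiles that need a compliant device
    "broad_access_profiles": {"administrator", "sales manager"},  # profiles that re-auth every 12h
    "reauth_after": timedelta(hours=12),
}

# Constructed sign-in and activity records. Field names are assumptions, not an audit-log schema.
SAMPLE_EVENTS = [
    {"ts": "2024-05-06T08:00:00+00:00", "user": "alice@example.com", "profile": "Administrator",
     "country": "US", "device_compliant": True, "session": "s1", "kind": "login"},
    {"ts": "2024-05-06T08:30:00+00:00", "user": "bob@example.com", "profile": "Standard",
     "country": "GB", "device_compliant": False, "session": "s2", "kind": "login"},
    {"ts": "2024-05-06T09:00:00+00:00", "user": "carol@example.com", "profile": "Standard",
     "country": "RU", "device_compliant": True, "session": "s3", "kind": "login"},
    {"ts": "2024-05-06T09:15:00+00:00", "user": "dave@example.com", "profile": "Administrator",
     "country": "US", "device_compliant": False, "session": "s4", "kind": "login"},
    {"ts": "2024-05-06T15:00:00+00:00", "user": "bob@example.com", "profile": "Standard",
     "country": "GB", "device_compliant": False, "session": "s2", "kind": "activity"},
    {"ts": "2024-05-06T21:30:00+00:00", "user": "alice@example.com", "profile": "Administrator",
     "country": "US", "device_compliant": True, "session": "s1", "kind": "activity"},
    {"ts": "2024-05-07T05:00:00+00:00", "user": "erin@example.com", "profile": "Sales Manager",
     "country": "DE", "device_compliant": True, "session": "s5", "kind": "login"},
]


def evaluate(events, policy=POLICY):
    """Replay events in time order; return (user, action, reason) for each one."""
    session_auth = {}  # session id -> time of its last successful authentication
    decisions = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        profile = ev["profile"].lower()
        if ev["kind"] == "login":
            if ev["country"] not in policy["allowed_countries"]:
                decisions.append((ev["user"], "block", f"country {ev['country']} not allowed"))
                continue
            if profile in policy["admin_profiles"] and not ev["device_compliant"]:
                decisions.append((ev["user"], "block", "admin login from non-compliant device"))
                continue
            session_auth[ev["session"]] = ts
            decisions.append((ev["user"], "allow", "login"))
        else:  # activity on an existing session
            last = session_auth.get(ev["session"])
            if last is None:
                # Session whose login was blocked (or predates the export): force a fresh login.
                decisions.append((ev["user"], "reauth", "no authenticated session on record"))
            elif profile in policy["broad_access_profiles"] and ts - last >= policy["reauth_after"]:
                decisions.append((ev["user"], "reauth", f"session older than {policy['reauth_after']}"))
            else:
                decisions.append((ev["user"], "allow", "activity"))
    return decisions


def summarize(decisions):
    """Count outcomes so the would-have-blocked volume is visible at a glance."""
    counts = {"allow": 0, "block": 0, "reauth": 0}
    for _, action, _ in decisions:
        counts[action] += 1
    return counts


if __name__ == "__main__":
    results = evaluate(SAMPLE_EVENTS)
    for user, action, reason in results:
        print(f"{action:6} {user:22} {reason}")
    print(summarize(results))
```

On the constructed data the country rule blocks one login, the device rule blocks one admin, and the 12-hour rule forces one re-auth on the admin’s long-running session while leaving the standard user alone. Run the same replay over real exports and every `block` line is a conversation to have before enforcement day.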
Recovery Codes
Make recovery code generation part of onboarding, and have each rep store the codes in the company password manager rather than in email or a desk drawer. The “I lost my phone” support ticket is preventable. Treat a recovery code actually being used as a signal to re-enroll that user and, for admins, to confirm it really was them.
What to Do This Week
- Enable MFA in soft mode and announce a 14-day enrollment window.
- Move all integration users to dedicated service accounts.
- If 50+ users, scope a SAML SSO project with your IdP team.
- Set the enforcement date and overstaff the help desk that day.