Ideally, MFA should be enabled on all systems that store sensitive data or provide access to important business resources. This includes email accounts, Microsoft 365, cloud services, remote desktop solutions, VPNs and financial applications.

Implementing MFA across multiple systems creates a stronger overall security posture and reduces the risk of a single compromised account leading to a larger breach.