Enforce MFA organisation-wide
Flip MFA from optional to enforced without locking your team out.
MFA enforcement is the single highest-leverage change you can make in most Cyvex orgs. The rollout sequence matters, though — flipping it on without preparation is the fastest way to generate a queue of locked-out support tickets from your CEO.
A safe rollout
- Enable MFA as optional.
- Announce a deadline (2 weeks is typical) and email users who haven't enrolled.
- Send a reminder email 3 days before the deadline.
- Flip to enforced. Users without MFA configured are redirected to enrolment on next sign-in rather than locked out.
Backup method
Always configure a backup method (recovery codes or a second factor). Users will lose their primary device; if that is their only MFA method, they need a support-assisted reset, which wastes everyone's time and weakens the control.
SSO interplay
If you use SSO, enforce MFA at the identity provider level rather than per-tool. One policy, applied everywhere, beats N per-tool policies that gradually drift apart.
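The rollout sequence above as a planning script, added here as an illustration and not Cyvex tooling: it derives the deadline and reminder dates and sorts a user export into who to email, who has no backup method, and who is covered by the identity provider's policy. The CSV columns, sample users and dates are constructed assumptions.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample export; the column names are assumptions, not a Cyvex format.
SAMPLE_EXPORT = """email,mfa_enrolled,backup_method,sso_managed
ceo@example.com,no,no,no
alice@example.com,yes,yes,no
bob@example.com,yes,no,no
carol@example.com,no,no,yes
dave@example.com,no,no,no
"""

def plan_rollout(export_csv, announce_on, notice_days=14, reminder_days=3):
    """Return the rollout dates and the user lists each step needs."""
    deadline = announce_on + timedelta(days=notice_days)
    plan = {
        "announce_on": announce_on,
        "deadline": deadline,
        "reminder_on": deadline - timedelta(days=reminder_days),
        "to_email": [],      # not enrolled: announcement and reminder recipients
        "no_backup": [],     # enrolled, but a lost device means a support reset
        "idp_enforced": [],  # SSO users: MFA policy lives at the identity provider
    }
    for row in csv.DictReader(io.StringIO(export_csv)):
        email = row["email"].strip().lower()
        if row["sso_managed"] == "yes":
            plan["idp_enforced"].append(email)
        elif row["mfa_enrolled"] != "yes":
            plan["to_email"].append(email)
        elif row["backup_method"] != "yes":
            plan["no_backup"].append(email)
    return plan

def step_due(plan, today):
    """Name the rollout step that falls on a given day, or None."""
    if today == plan["announce_on"]:
        return "announce"
    if today == plan["reminder_on"]:
        return "remind"
    return "enforce" if today >= plan["deadline"] else None

if __name__ == "__main__":
    plan = plan_rollout(SAMPLE_EXPORT, announce_on=date(2024, 3, 4))
    for key, value in plan.items():
        print(f"{key}: {value}")
```

Re-run the plan against a fresh export on the reminder day so the reminder only goes to users who are still unenrolled.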
