How to Set Up SSO and MFA for a Small Team
A practical guide to setting up single sign-on and multi-factor authentication for small teams. No enterprise budget required.
SSO and MFA are two of those things that sound enterprise-y until you understand what they actually do. Then they sound essential. Because they are.
If you have a team of any size and you're not using both, you're leaving the front door of your company unlocked. Here's how to set them up without overcomplicating it.
What SSO and MFA actually are
Single Sign-On (SSO) means your employees log into all their work tools using one set of credentials. Instead of separate passwords for Slack, Notion, Figma, and 20 other apps, they authenticate once through your identity provider (Google Workspace, Okta, or Entra ID) and get access to everything.
Multi-Factor Authentication (MFA) adds a second step to that login. After entering their password, the user proves their identity with something they have: usually a code from an authenticator app or a tap on a hardware security key.
Why they matter together
SSO without MFA is a single point of failure. If someone compromises that one password, they get access to everything. SSO makes the password more valuable, which makes it more important to protect.
MFA without SSO means your team has MFA on some tools but not others. The tools without MFA are the weak link.
Together, they create a system where there's one set of credentials (convenient for your team), protected by a second factor (secure against compromised passwords), connected to all your tools (manageable for IT).
This combination also gives you a kill switch. When someone leaves, you disable their SSO account and they lose access to every connected tool. No more chasing down 20 different app logins during offboarding.
The options for small teams
You don't need an expensive identity platform. Most small teams already have what they need.
Google Workspace as your identity provider
Cost: Free (included with any Google Workspace plan)
Best for: Teams under 50 people already on Google Workspace.
Google Workspace can act as a SAML identity provider, which means your employees can use their Google login to authenticate with third-party apps. Many popular SaaS tools support Google SSO natively: Slack, Notion, Figma, Zoom, Linear, and dozens more.
The limitation is that Google's built-in SSO only works with apps that support SAML or OIDC. Most modern SaaS tools do, but some older or niche applications don't.
Okta
Cost: Starts at $2/user/month for SSO, $3/user/month with MFA
Best for: Teams of 50+ or teams with complex SSO requirements.
Okta is a dedicated identity platform. It supports more apps, more protocols, and more configuration options than Google's built-in SSO. Features like lifecycle management (automatically provisioning and deprovisioning app access when someone joins or leaves) become valuable at scale.
The cost is reasonable, but it's another tool to manage. For teams under 50, Google Workspace SSO usually handles everything you need.
Microsoft Entra ID
Cost: Included with Microsoft 365 Business Premium ($22/user/month)
Best for: Teams already on Microsoft 365.
If you're in the Microsoft ecosystem, Entra ID (formerly Azure Active Directory) is the natural choice. It provides SSO, MFA, and conditional access policies. The feature set is comparable to Okta for most small team use cases.
My recommendation
Start with Google Workspace SSO if you're already on Google. It handles the common cases, costs nothing extra, and takes an afternoon to set up. Move to Okta when you outgrow it, typically around 50 people or when you need advanced lifecycle automation.
Step by step: Google Workspace SSO
Here's how to set up SSO for your most critical apps using Google Workspace as the identity provider.
Step 1: Enable SSO in Google Admin
Go to Admin console > Security > Authentication > SSO with SAML applications. This is where you'll configure each connected app.
Step 2: Connect Slack
In Slack, go to your Workspace Settings > Authentication. Select "SAML authentication" and configure it with Google as the IdP. You'll need to:
- In Google Admin, click "Add custom SAML app" and select Slack from the pre-built catalog.
- Copy the SSO URL, Entity ID, and Certificate from Google into Slack's SAML settings.
- Set "Required" so all users must authenticate through Google.
Once enabled, employees click "Sign in with Google" on Slack's login page. No separate Slack password needed.
Step 3: Connect Notion
Notion supports SAML SSO on its Business plan and above. The setup is similar:
- In Google Admin, add Notion as a custom SAML app.
- In Notion Settings > Security and Identity > SAML Single Sign-On, enter the IdP details from Google.
- Configure the attribute mapping (email address is the key field).
Step 4: Repeat for other apps
Follow the same pattern for Figma, Linear, Zoom, and any other apps that support SAML. Most have documentation for Google Workspace SSO specifically.
For apps that don't support SAML but do support "Sign in with Google" through OAuth, that's also fine. It's not technically SSO in the traditional sense, but it achieves the same goal: one login, centralized access control.
Step 5: Audit what's not connected
After connecting your major apps, make a list of tools that don't support SSO. These are your gaps. For each one, decide:
- Can we connect it via SAML or OAuth? (Check the app's admin settings)
- Is there an alternative tool that does support SSO? (Consider switching)
- Is this tool critical enough that we accept the gap? (Use strong, unique passwords via your password manager)
The goal is to get as many tools as possible behind SSO. The more apps connected, the more effective your kill switch during offboarding.
Enforcing MFA
Once SSO is configured, enforce MFA on the identity provider. This protects the single set of credentials that now controls access to everything.
Which MFA method to use
Authenticator apps (recommended). Google Authenticator, Microsoft Authenticator, Authy, or 1Password's built-in TOTP. These generate time-based codes that change every 30 seconds.
Hardware security keys (most secure). YubiKeys or Google Titan keys. The user physically taps the key to authenticate. This is the most phishing-resistant option because the key's response is bound to the exact site it was registered with, so a lookalike login page cannot reuse it.
SMS codes (avoid). SMS-based verification is vulnerable to SIM swapping attacks. An attacker can port your phone number to their SIM card and receive your verification codes. Don't use SMS as your only MFA method.
How to enforce MFA in Google Workspace
- Go to Admin console > Security > Authentication > 2-step verification.
- Set "Allow users to turn on 2-step verification" to On.
- Set "Enforcement" to On for your entire organization.
- Set "New user enrollment period" to 1 week (this gives new hires time to set up MFA after their account is created).
- Under "Methods," allow everything except SMS/phone call verification.
Rolling it out to your team
The rollout matters as much as the technical setup. Do it wrong and you'll be dealing with complaints for weeks.
Announce it before enforcement. Send a company-wide message explaining what's changing and why. Be specific: "Starting next Monday, everyone will need to set up an authenticator app for their Google login. This takes 3 minutes and protects your account from being compromised."
Provide instructions. Create a short guide with screenshots showing how to set up the authenticator app. Include both iOS and Android instructions. Link to it in your announcement.
Give a grace period. Set the enforcement date one week out. This gives people time to set up at their own pace. Send a reminder at the halfway point.
Offer help. Some people will have questions. Have someone available in Slack to help during the rollout week. Most issues are simple: "I can't find the QR code" or "my authenticator isn't generating codes."
Don't apologize for requiring it. MFA is basic security hygiene. Frame it as protecting their accounts, not creating inconvenience.
Recovery planning
The most common objection to MFA is: "What if I lose my phone?" It's a valid concern. Plan for it.
Backup codes
When setting up MFA, Google generates backup codes. Every employee should save these somewhere secure (their 1Password vault is ideal). These one-time codes work when the authenticator app isn't available.
Admin recovery
As a Google Workspace admin, you can generate new backup codes for any user or temporarily disable their MFA to let them set up a new device. This is the safety net.
Hardware key backup
If you use hardware security keys, register two per user. Keep the second in a safe place at home. If the primary key is lost, the backup provides access while you replace it.
Document the recovery process
Write down the steps for "I lost my MFA device." Make sure at least two people know how to execute the admin-side recovery. Don't let this knowledge live in one person's head.
Common mistakes
Forcing too much, too fast. Enforcing MFA, requiring hardware keys, blocking all legacy auth, and tightening password policies simultaneously is overwhelming. Start with MFA enforcement via authenticator apps. Add complexity later.
Not generating backup codes. If an employee loses their phone and doesn't have backup codes, they're locked out. Make backup code generation part of the setup process.
SMS as the only MFA method. This is barely better than no MFA. Always prefer authenticator apps or hardware keys.
Not connecting apps to SSO. If employees still have separate passwords for half their tools, you've only solved half the problem. Aim to connect every possible app.
Skipping the communication. Technical rollouts fail when people don't understand what's happening. Over-communicate during the initial setup. It saves you from a wave of support requests.
What this enables
With SSO and MFA in place, you unlock some important capabilities:
- Clean offboarding. Disable one account, revoke access to everything.
- Access visibility. See which apps each employee can access in one place.
- Conditional access. Eventually, you can require devices to be MDM-enrolled and compliant before allowing login.
- Reduced password fatigue. Your team remembers one password, not twenty.
This is foundational work. Everything else in your IT stack builds on top of it.
If you want someone to set all of this up for you, configure it properly, and manage it going forward, book a call. I'll walk through your current setup and tell you exactly what needs to happen.