How to set up multifactor authentication for Office 365 users

Requiring MFA for some or all Microsoft Office 365 users will better protect your network and email system from attacks.

secure two-step authentication via laptop and mobile phone

This Microsoft Office 365 security tip covers one of the best settings you can do, but might get you in the doghouse with your users: multifactor authentication (MFA). Face it, using passwords alone can be dangerous. If a single password is cracked, attackers could have their way in your system and you’d probably not be alerted to their access. Enabling Azure MFA for Office 365 users ensures that if access occurs from an unusual location, it will be blocked until the user provides additional verification.

Too often end users reuse the same username and password on various websites. They might use their normal domain password on multiple websites. Think your domain isn’t at risk now? Try out a sample username and password on the site haveibeenpwned to see if you are already at risk. This site is set up by a security researcher and sites such as Github use it to check on the quality of passwords.

You can set up MFA on individual users or for all users. If you’d like all users, you can set it up from Microsoft’s Secure Score site. To enable MFA on Office 365 admin site go to the Microsoft Admin Portal, and then go to “Users”, “Active users”. Choose “More” and then “Multifactor Authentication setup”. If you are not a global admin you won’t see the “More” option.

bradley mfa 1 Microsoft

Office 365 admin center - review MFA setup

I’m assuming that you will choose multifactor authentication with cloud services only and not by setting up a local authentication server, but you may review your options and requirements before setting up your options.

In this next screen you can bulk update all users to use MFA, or you can choose one at a time. If you are setting up MFA for the first time, I recommend testing out MFA before fully implementing it company-wide.

bradley mfa 2 Microsoft

Enable MFA

Once you’ve enabled MFA, send the users to Microsoft’s MFA Setup site to complete the process. They will sign in and be prompted to set up additional authentication:

bradley mfa 3 Microsoft

User MFA setup screen

You can set up a code to be sent via SMS to your cell or by a call to your office phone. You can also set up an authentication app on users’ phones. The Microsoft Authenticator app can be used as the default MFA tool for many applications, not just Microsoft applications.

The next step to be aware of is the application password. Once MFA is enabled, desktop applications and native iPhone and Android email apps won’t connect. You will need to switch to the Outlook apps on the phones rather than the native email apps on those platforms and enable an app password, which is a special code that an application uses to gain access to the Office 365 account. Even if you are using versions of Outlook older than the 2016 and 2019 platforms, you need an app password to provide authentication for the software to access your account.

Ensure that you send instructions to users to set up MFA for the account, as well as instructions for setting up the app password. You might even need to use an app password in other platforms that won’t support the Microsoft MFA.

If you have any users that use Outlook/Office for Home and need to enable MFA, you can set a registry key to enable the support. If you want to set up the requirement through the Office Secure Score dashboard, you can launch the console and then click on “New policy” and create a policy that requires MFA for all users and all apps. The console will note how many users do not have two-factor authentication enabled.

Final MFA notes

A recent Azure MFA outage left many users unable to log into their accounts. You might want a means to temporally disable MFA during such incidents. Be aware that issues do occur and plan on alternatives.

Review Office 365 Secure Score regularly as it will inform you of upcoming baseline actions. For example, one future change will require MFA for all global admins.

bradley mfa 4 Microsoft

Baseline policy, setting up MFA for global admins

Bottom line: MFA is a needed enhancement and I recommend that you start testing how you might deploy and use it now. It will keep your network and email protected from attacks.

Copyright © 2018 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)