Two tips to make multifactor authentication for Office 365 more effective

Here's how to set up "break glass" accounts for emergency admin access to Microsoft Office 365 and brand your Office 365 log-in page to foil fake pages.


Multifactor authentication (MFA) is a key tool for keeping your Office 365 deployment, and any other online application, secure in the cloud. For those on Microsoft 365, here are some tips for getting maximum protection from MFA without sacrificing usability.

Start by setting up the Microsoft Authenticator app on the accounts for which you will mandate MFA. I recommend walking through the process yourself first and preparing screenshots and exact how-tos for your users. They need to start at the setup site and sign in with their credentials.

Then they need to install the Authenticator app from the Apple App Store or Google Play. In the app, add a work account, skipping over the personal-account and non-Microsoft-account options. Users can add multiple MFA accounts to the Authenticator app and, if necessary, register the account on a second device as a backup so that a lost or reset phone does not lock them out. Once Microsoft Authenticator is set up, you are ready to turn on and enforce MFA.

Setting up break glass accounts

If you mandate multifactor authentication throughout your organization, including for your global administrator accounts, you need a guaranteed way back into your Azure and Office 365 tenant. If MFA sign-ins fail (an Authenticator outage, a lost phone, a misconfigured policy), a break glass account lets you sign in and disable or correct the policy.

You can also whitelist your firm’s location (or multiple locations) by static IP, excluding them from MFA. This comes in handy if you work in one of several states that mandate reimbursement of employees’ phone use for business purposes: if staff use their phones to complete MFA for business sign-ins, there is a clear business use of the phone. Bear in mind that a trusted-location exclusion weakens MFA for everyone behind that address, including any compromised machine on the office network, so keep the list short and review it regularly.

Start by signing into your Microsoft 365 tenant and creating at least two “break glass” accounts. Make them global administrators and use a password generator (or your password manager) to produce a long, random password. Azure AD accepts passwords of up to 256 characters; make these at least 100 characters. Record the passwords somewhere that does not depend on the tenant being available (a password manager that is not federated to Azure AD, or a sealed envelope in a safe). Then set up a conditional access policy that requires MFA for administrators but excludes these two accounts from the policy.

[Screenshot: Setting up a break glass account. Credit: Susan Bradley]

If you have access to Azure Log Analytics, stream the Azure AD sign-in logs to it and set an alert that fires whenever someone signs into a break glass account; any such sign-in should be either a planned test or an emergency you already know about. However, the pricing for this product may not work for smaller organizations.

Set up a conditional access policy that excludes these emergency access accounts, following Microsoft’s guidance:

First, sign into the Azure portal as a global administrator, security administrator or conditional access administrator. Then browse to “Azure Active Directory,” then to “Security,” then to “Conditional Access.” Select “New policy.” Name your policy—e.g., “ALLOW - Require MFA for Admins.” Then in assignments, select “Users and groups”. Under “Include,” select “Directory roles (preview)” and choose the following roles at a minimum:

  • Billing administrator
  • Conditional Access administrator
  • Exchange administrator
  • Global administrator
  • Helpdesk administrator
  • Password administrator
  • Security administrator
  • SharePoint administrator
  • User administrator

[Screenshot: Set MFA policy. Credit: Susan Bradley]

Under “Exclude,” select “Users and groups” and choose the emergency access or break-glass accounts. In this example, I set up a group called “Excluded from Conditional Access.”

[Screenshot: Exclude break glass accounts from MFA. Credit: Susan Bradley]

Select “Done.” Under “Cloud apps or actions,” choose “Include,” select “All cloud apps,” and select “Done.” Under “Access controls” choose “Grant,” select “Grant access,” “Require multifactor authentication,” and select “Select.” Confirm your settings and set “Enable policy” to “On.”

Select “Create” to enable your policy. You will be warned to confirm that you want to apply this policy, as it will mandate MFA. Make sure the administrator account you are signed in with has already registered for MFA before you enable the policy; otherwise the policy locks that account out at its next sign-in, and the break glass accounts are your only way back in.
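As an added example (not code from the article), here is the same procedure scripted with the Microsoft Graph PowerShell SDK: it creates two break glass accounts with 100-character random passwords, puts them in the exclusion group, assigns Global Administrator, and creates the MFA policy for the roles listed above. The policy is created in report-only mode so you can review in the sign-in log who it would have affected before enforcing it. The tenant domain, account names and group name are assumptions; the role IDs are looked up from the directory by display name, except the well-known Global Administrator ID, which is pinned in case its template name differs in your tenant.

```powershell
# Added example, not code from the article. Requires the Microsoft Graph PowerShell SDK
# (Install-Module Microsoft.Graph) and an account that can manage users, groups, role
# assignments and Conditional Access. Tenant domain, account names and group name are
# assumptions for this example.
$tenantDomain       = 'contoso.onmicrosoft.com'
$breakGlassNames    = @('bg-admin-01', 'bg-admin-02')
$exclusionGroupName = 'Excluded from Conditional Access'
$gaRoleId           = '62e90394-69f5-4237-9190-012177145e10'   # well-known Global Administrator role id

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Group.ReadWrite.All',
    'RoleManagement.ReadWrite.Directory', 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

function New-LongRandomPassword {
    param([int]$Length = 100)
    # 64-symbol alphabet, so masking each random byte with 63 gives an unbiased index.
    # Draw from the CSPRNG rather than Get-Random; 100 symbols of 6 bits is 600 bits of entropy.
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return -join ($bytes | ForEach-Object { $alphabet[$_ -band 63] })
}

# 1. Exclusion group that the Conditional Access policy will reference.
$group = Get-MgGroup -Filter "displayName eq '$exclusionGroupName'"
if (-not $group) {
    $group = New-MgGroup -DisplayName $exclusionGroupName -MailNickname 'excluded-from-ca' `
        -MailEnabled:$false -SecurityEnabled:$true
}

# 2. Break glass accounts: long random password, no forced change, Global Administrator, in the exclusion group.
foreach ($name in $breakGlassNames) {
    $upn      = "$name@$tenantDomain"
    $password = New-LongRandomPassword -Length 100
    $user = New-MgUser -DisplayName "Break Glass ($name)" -UserPrincipalName $upn -MailNickname $name `
        -AccountEnabled:$true -PasswordProfile @{ Password = $password; ForceChangePasswordNextSignIn = $false }
    New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id
    New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $user.Id -RoleDefinitionId $gaRoleId `
        -DirectoryScopeId '/' | Out-Null
    # The password is shown once so it can be put in the vault; it cannot be read back from the directory.
    [pscustomobject]@{ UserPrincipalName = $upn; Password = $password }
}

# 3. The "Require MFA for Admins" policy from the article, with the roles resolved by name.
$adminRoleNames = @('Billing Administrator', 'Conditional Access Administrator', 'Exchange Administrator',
    'Global Administrator', 'Helpdesk Administrator', 'Password Administrator', 'Security Administrator',
    'SharePoint Administrator', 'User Administrator')
$roleIds = @(Get-MgDirectoryRoleTemplate | Where-Object { $_.DisplayName -in $adminRoleNames } |
    Select-Object -ExpandProperty Id)
$roleIds = @($roleIds + $gaRoleId | Select-Object -Unique)       # GA pinned by id in case its template name differs
if ($roleIds.Count -lt $adminRoleNames.Count) {
    Write-Warning "Only $($roleIds.Count) of $($adminRoleNames.Count) role templates resolved; check the names."
}

$policy = @{
    displayName   = 'ALLOW - Require MFA for Admins'
    # Report-only first: the sign-in log shows who the policy would have blocked. Switch to 'enabled'
    # once you have confirmed the account you are signed in with has MFA registered.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users        = @{ includeRoles = $roleIds; excludeGroups = @($group.Id) }
        applications = @{ includeApplications = @('All') }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Run this interactively, copy the two passwords into your offline store as soon as they are printed, and clear the console history afterwards. After a few days of report-only results, change the policy state to “enabled” from the portal or with Update-MgIdentityConditionalAccessPolicy.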

[Screenshot: MFA warning. Credit: Susan Bradley]

You might also have to exclude third-party vendor accounts, such as cloud backup services, that authenticate with application passwords rather than MFA. Application passwords bypass MFA entirely, so for any vendor that requires an exclusion, insist on a long, randomly generated application password or passphrase, limit the account to the permissions the service actually needs, and review the exclusion list periodically.

Sign into the “break glass” accounts only in an absolute emergency (and for periodic, documented tests of the credentials), and only from a workstation you know is clean and secure. Consider a virtual machine built specifically for this emergency use, so the credentials cannot be harvested by malware on a daily-use machine.
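As a check to go with that advice, here is an added example (not code from the article) that audits the break glass accounts from PowerShell: it reports any enabled Conditional Access policy that requires MFA and would still apply to them, and lists their sign-ins for the last 30 days, which should be empty apart from planned tests. The account names are assumptions; reading sign-in logs through Graph requires an Azure AD Premium P1 license.

```powershell
# Added example, not code from the article. Account names are assumptions; reading sign-in
# logs through Graph needs Azure AD Premium P1.
$breakGlassUpns = @('bg-admin-01@contoso.onmicrosoft.com', 'bg-admin-02@contoso.onmicrosoft.com')
$gaRoleId       = '62e90394-69f5-4237-9190-012177145e10'   # well-known Global Administrator role id

Connect-MgGraph -Scopes 'Policy.Read.All', 'Directory.Read.All', 'AuditLog.Read.All'
$enabledPolicies = @(Get-MgIdentityConditionalAccessPolicy | Where-Object { $_.State -eq 'enabled' })

function Test-BreakGlassExclusion {
    # Returns the enabled MFA policies that would still apply to the account.
    param([string]$Upn)
    $user     = Get-MgUser -UserId $Upn -Property Id, UserPrincipalName
    # Transitive membership, because Conditional Access honours nested groups.
    $groupIds = @(Get-MgUserTransitiveMemberOf -UserId $user.Id -All | Select-Object -ExpandProperty Id)
    foreach ($p in $enabledPolicies) {
        $u = $p.Conditions.Users
        $targeted = ($u.IncludeUsers -contains 'All') -or ($u.IncludeUsers -contains $user.Id) -or
                    ($u.IncludeRoles -contains $gaRoleId) -or
                    (@($u.IncludeGroups | Where-Object { $groupIds -contains $_ }).Count -gt 0)
        $excluded = ($u.ExcludeUsers -contains $user.Id) -or
                    (@($u.ExcludeGroups | Where-Object { $groupIds -contains $_ }).Count -gt 0)
        # Only the built-in "mfa" grant control is checked; policies that use authentication
        # strengths instead would need an extra test here.
        $requiresMfa = $p.GrantControls.BuiltInControls -contains 'mfa'
        if ($targeted -and $requiresMfa -and -not $excluded) { $p }
    }
}

function Get-BreakGlassSignIns {
    # Sign-ins in the last $Days days. Every row should match a planned test or a known emergency.
    param([string]$Upn, [int]$Days = 30)
    $since = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString('yyyy-MM-ddTHH:mm:ssZ')
    Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$Upn' and createdDateTime ge $since" -Top 100 |
        Select-Object CreatedDateTime, IpAddress, AppDisplayName,
            @{ n = 'Result'; e = { if ($_.Status.ErrorCode -eq 0) { 'success' } else { "failure ($($_.Status.ErrorCode))" } } }
}

foreach ($upn in $breakGlassUpns) {
    $leaks = @(Test-BreakGlassExclusion -Upn $upn)
    if ($leaks.Count -gt 0) {
        Write-Warning "$upn is still subject to MFA policy: $($leaks.DisplayName -join ', ')"
    } else {
        Write-Host "$upn is excluded from every enabled MFA policy"
    }
    Write-Host "Recent sign-ins for ${upn}:"
    Get-BreakGlassSignIns -Upn $upn | Format-Table -AutoSize
}
```

Schedule this monthly alongside the credential test; a warning from the first function means a later policy has silently re-applied MFA to the emergency accounts, which is exactly the outage scenario they exist to cover.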

Company branding

Another best practice that I’ve borrowed from Alex Field’s security best-practice guides is to “brand” the password sign-in page. To brand the Microsoft sign-in process, go to the Azure Active Directory admin center and scroll down to “Company Branding.” Upload your company logo as both the background image and the banner logo. Inform your users that they should expect the corporate logo on these pages and that they should never enter their credentials unless they see it.

[Screenshot: Set up custom branding. Credit: Susan Bradley]

Custom branding gives your users a cue they can use to make smarter decisions when they sign into their Office 365 accounts. Instead of the generic Microsoft password page, they see a page carrying your corporate branding, which tells them which page to trust. Note that the branding appears only after the username has been entered, and a phishing kit that proxies the real Microsoft sign-in page relays your logo along with everything else, so branding raises the bar against crude fake pages rather than eliminating phishing.

[Screenshot: Company-branded log-in page. Credit: Susan Bradley]

As you can see above, the resulting page shows users what a trusted page looks like. If you are a large company that is being targeted by phishing, consider rotating the branding periodically and communicating each change to your users, so that a copied logo goes stale.
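The portal steps above can also be scripted, which makes rotating the branding practical. The following is an added example (not code from the article) that sets the branding text, colour and images through Microsoft Graph with the Graph PowerShell SDK; the sign-in page text carries the same instruction you give users in your awareness note, so the warning sits next to the password box. It assumes the default branding already exists (created once in the portal as described above), and the image paths, colour and wording are assumptions.

```powershell
# Added example, not code from the article. Assumes the default branding was already created
# once in the portal; image paths, colour and text are assumptions. Keep images within
# Microsoft's published size limits for each slot.
Connect-MgGraph -Scopes 'Organization.ReadWrite.All'
$orgId       = (Get-MgOrganization).Id
$brandingUri = "https://graph.microsoft.com/v1.0/organization/$orgId/branding"

# Text properties go in a single PATCH. signInPageText appears on the password page,
# so it can carry the instruction from the awareness note directly.
$text = @{
    backgroundColor  = '#0A3D62'
    usernameHintText = 'firstname.lastname@contoso.com'
    signInPageText   = 'Contoso staff: enter your password only when this page shows the Contoso logo. ' +
                       'If the logo is missing, close the page and report it to the service desk.'
} | ConvertTo-Json
Invoke-MgGraphRequest -Method PATCH -Uri $brandingUri -ContentType 'application/json' -Body $text

# Image properties are streams: one PUT each on the default localization.
$images = @{
    bannerLogo      = 'C:\branding\banner-logo.png'
    backgroundImage = 'C:\branding\background.png'
}
foreach ($property in $images.Keys) {
    $bytes = [System.IO.File]::ReadAllBytes($images[$property])
    Invoke-MgGraphRequest -Method PUT -Uri "$brandingUri/localizations/default/$property" `
        -ContentType 'image/png' -Body $bytes
}

# Read back what the sign-in page will use, to confirm the change before telling users what to look for.
Invoke-MgGraphRequest -Method GET -Uri $brandingUri -OutputType PSObject |
    Select-Object backgroundColor, signInPageText, bannerLogoRelativeUrl, backgroundImageRelativeUrl
```

For the rotation idea above, keep a dated set of logo files and run the image loop with the new set on each rotation, sending the user notice on the same day.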

These two hints will help to protect and secure both user accounts and administrator accounts for your Office 365 subscriptions.


Copyright © 2020 IDG Communications, Inc.
