Best practices for deploying multi-factor authentication on Microsoft networks

Microsoft will soon mandate MFA for some customers, and these are the key considerations before you deploy it.

Multifactor authentication  >  Mobile phone verification of a permission request for laptop login.
Aurilaki / Your Photo / Getty Images

Microsoft will soon change the mandate to multi-factor authentication (MFA) with changes to Microsoft 365 defaults. As Microsoft points out, “When we look at hacked accounts, more than 99.9% don’t have MFA, making them vulnerable to password spray, phishing and password reuse. “Based on usage patterns, we’ll start [mandating MFA] with organizations that are a good fit for security defaults. Specifically, we will start with customers who aren’t using Conditional Access, haven’t used security defaults before, and aren’t actively using legacy authentication clients.”

Microsoft will notify global admins of eligible tenants by email. “After security defaults are enabled, all users in the tenant are asked to register for MFA. Again, there is a grace period of 14 days for registration. Users are asked to register using the Microsoft Authenticator app, and global administrators are additionally asked for a phone number.” If you haven’t started MFA deployments, this is the time to do so. Attackers are using phishing attacks to go after unprotected accounts and MFA is a key way to protect user access.

Can you still disable multi-factor authentication should you decide to accept the risk? Yes, but this means your firm will be low-hanging fruit for phishing campaigns. User accounts and logins are the new entry point for many attacks in a network.

Determine multi-factor authentication method

MFA deployment means that you need to determine which authentication process you will support. Researchers often claim that SMS messages aren’t secure. Years ago attackers were able to bypass SMS based MFA using a reverse-proxy component. In reality, you just need to be secure enough.

As with many security decisions, you need to perform a risk analysis of who needs best, better and good-enough security. If you believe that some of your users will be targeted the use of MFA applications, you can use devices such as Yubikeys. Users and consultants might point out that MFA is not bulletproof. It can be attacked and spoofed. The idea is that you want to just be a little bit better than the next domain or cloud deployment.

Use conditional access rules

If you add Azure Active directory P1 license (already included in Microsoft 365 Business premium subscribers), you can add conditional access rules that allow you to provide for whitelisting locations. Thus, you can set up MFA for only remote users to protect remote email access. These conditional access policies can be more granular to allow users to resources while balancing the needs for MFA. For example:

  • Requiring MFA for users with administrative roles
  • Requiring MFA for Azure management tasks
  • Blocking sign-ins for users attempting to use legacy authentication protocols
  • Requiring trusted locations for Azure AD MFA registration
  • Blocking or granting access from specific locations
  • Blocking risky sign-in behaviors
  • Requiring organization-managed devices for specific applications

Assess user hardware requirements

When deploying MFA keep in mind the hardware you may need. You may need to provide cellular phones to your employees so they can use an MFA application. If you do not provide them with a cell phone and mandate MFA so that they have to use their personal phones, you may need to reimburse them for a reasonable use of their personal assets. States such as California, Illinois, Iowa, Massachusetts, Minnesota, Montana, New Hampshire, New York, Pennsylvania and the District of Columbia all have passed laws requiring employers to reimburse workers for work-related expenses such as the use of their personal phone in MFA. You can also deploy tokens such as Yubikey, which supports authentication with Azure AD.

Consider backup and redeployment needs

When deciding on the device or token, you also need to plan on backups and re-deployment. For example, it’s recommended to have at least two Yubikeys per user so that the person has a backup. Some deployments support more than two such tokens to the user account. If you use Microsoft Authenticator app, you may have to plan on backing it up using a local Microsoft account if you use an iPhone.

Also, migration between iPhone and Android is not a direct backup-and-restore process. Your backup is stored in the iCloud for iOS and in Microsoft's cloud storage provider for Android. This means that your backup is unavailable if you switch between Android and iOS devices. If you make the switch, you must manually recreate your accounts within the Microsoft Authenticator app. Ensure that you educate your users of MFA of these deployment issues ahead of time so that they know of the issues and plan accordingly.

Microsoft is pushing the bar to protect user authentication. Make it a priority this year to ensure that users are protected from such attacks. A mere username and password are no longer enough.

Copyright © 2022 IDG Communications, Inc.

Make your voice heard. Share your experience in CSO's Security Priorities Study.