How to enable multifactor authentication (MFA) on Microsoft Office 365

Simplify user journeys with MFA

Multi-Factor Authentication is tool in Office 365 and Azure that requires a user to provide an extra form of authentication when signing in. The traditional authentication flow is a team member will provide their username and then password. Using Multi Factor authentication the person will then have to provide another means of authentication, which could be as SMS message sent to a mobile number they had previously provided, or require a numerical code from a mobile app or hardware token.

By taking this approach, we are wanting to add another layer of protection against accounts. Given the team would have provided the mobile number prior to the login request for MFA, we assume we have built a relationship with them, trusting only they have their mobile. While not completely fool proof, it does provide another layer of protection. Given the amount of phishing and brute force hacking attempts we see on any given day, Multi Factor is a must have service to help protect user accounts.

From a user’s perspective, the impact on their day to day work is very little. All Office 365 services now support MFA across all platforms using Azure, as long as you are running the supported versions of products (except SharePoint Designer, more on that later). Under the Multi Factor settings you can set the period of time the authentication lives for on a given design. For example, you sign into SharePoint Online from a web browser, you will be required to supply your username and password, and then the MFA token. Done, you are now authenticated for as long as your token it set to survive. If you were to then login from your home PC for example, you would have to login again as that is a new device.

How to get access to Multi Factor Authentication

Users will need to have an Office 365 License to use Multi factor authentication, there are some additional licensing requirements depending on how you want to manage users or the conditions under which they must use MFA. You can apply multi factor to both internal and external users. This is great if you are using external sharing and want to ensure your content is still governed and secured.

To Setup MFA users will need a device, most commonly a mobile phone. There is the ability to connect a hardware token, but everyone has a mobile phone so why not use it. From the phone you have three options for Multi Factor Authentication: Voice Call, SMS with verification code or the Microsoft Authenticator app.

Side note: App passwords

There are still some applications that don’t support Multi Factor, SharePoint Designer is a great example. SPD only supports username and password authentication. To allow you to still use this application, you need to create an app password. From your account page, you can create an App Password. This can be restricted by a global administration but is handy in a few situations. An App Password is simply a password that also works for your account. Once you create it, you will only see it once. If you forget it, you will need to delete it and create a few one.

Setup MFA for a single user

If you are testing, or only want to enable MFA for a select group of users, this is going to be your best option. From here you can select a user or number of users for MFA. Good way to test your setup or apply Multi Factor for members of a team, commonly used to make everyone in IT use Multi Factor given their privileged access to many systems.

To setup MFA for individual users, follow these simple steps;

1.      Go to the Azure Active Directory page in the Azure Portal

1.      Click on users on the left, and from the top menu select Multi Factor Authentication

1.      From here you can select the user or users you want to set to use Multi Factor. Click on the user checkbox next to their name and then enable on the right hand side. Select Enable again in the pop-up box. You can grab the link from this popup box https://aka.ms/mfasetup to send to users which will guide them through the setup process.

enable users

Multi Factor service settings

Back in the Multi Factor Authentication page, you can also access the service settings from the menu under the page title. From here you can manage the settings that apply to all users;

  • All users to create app passwords
  • Create a list a trusted IP’s, so if someone is logging in from one of these IP’s they are not required to use Multi Factor Authentication
  • Types of authentication methods available. Phone, SMS, App and Hardware Token
  • How long the session can last on a device before they are required to re-authenticate.
MFA service settings

Creating a conditional access policy

To be able to create conditional access policies, you will require an Azure Active Directory P1 plan. This does come with some Microsoft 365 (E3) plans and above or can be purchased on top of your existing Office 365 plan.

If you want everyone to have MFA and have some rules against which users or groups will have MFA applied to them, this is the best path forward. When you create a rule you can exclude users, apps, IP addresses and locations easily.

1. Open the Conditional Access Settings in the Azure Portal. You will see there are some sample policies there. Most of these however have been deprecated, so let’s create something from scratch

conditional access policies
2. Select New Policy from the top menu. In this example we are going to enable Multi Factor for everyone, including external users.
create mfa policy

3. Under Cloud Apps or Actions, select all cloud Apps. For testing you could select a single app like Outlook if you with. However testing would be easier with a select group of users and all apps.

4. Select Users and Groups, and select all uses. Note the warning message, you don’t want to lock yourself out so have your phone handy.

5. Under Access Controls, select Grant. In the pop up window select Require Multi-factor Authentication. Click select.

6. No when you go to create the policy you can either report-only (What-If scenario) on or off. Lets select report only for now and click save.

7. Back at the conditional access policies window select What If from the top menu. This will allow you to test the policy against a user. Select a User, and click What If. You should see the policy appear if all was configured correctly.

So that’s it, you can now secure your account or all accounts using Multi Factor Authentication in Office 365. Very simple to setup and provides a huge security benefit to everyone and all the content in your organisation, and you are most likely already licensed for it.