Microsoft has rolled out multi-factor authentication (MFA) across its Office 365 suite of apps and services, and this article covers the use cases for this type of access control.
Multi-factor authentication for Office 365 lets administrators control access to Office 365 services. It requires two or more forms of authentication, such as a password plus an app on your phone.
Identity-related attacks are common, and they can lead to user accounts being compromised. Phishing and password spraying are two examples of identity threats. Attackers keep getting more inventive, and a single user who is not well informed about threats like phishing can be the entry point for these attacks. That is why Office 365 MFA exists.
Multi-factor authentication, or MFA, is one of the security layers offered to protect the identities of Office 365 users. As the name indicates, MFA combines several factors of authentication. The typical categories are:
- Something you know (password, PIN)
- Something you have (security key, token generator)
- Something you are (biometrics: face, fingerprint)
Think of MFA as a vitamin. You may not enjoy it, and it can be irritating at times, but it is what protects you from the nasties. The premise is that preventing credential theft is better than responding to it after it has happened.
In this article, you’ll learn how to use MFA and conditional access policies to control access to services in Microsoft Office 365.
Note: The term Microsoft 365 has superseded Office 365. In this article the terms Microsoft 365 and Office 365 are used interchangeably.
Prerequisites
This post assumes you are familiar with Office 365 and Azure Active Directory. To follow along with the examples, you’ll need admin access to an Office 365 tenant, ideally a test tenant. Using your production Office 365 tenant is strongly discouraged.
Enforcing Multi-factor Authentication Using Security Defaults
Turning on security defaults in Azure Active Directory is one way to set up multi-factor authentication for Office 365. Enabling security defaults in your Office 365 tenant enables a predefined set of security settings.
The security defaults include the following:
- Requiring multi-factor authentication for administrators. Office 365 admin accounts are protected with MFA as a stronger means of identity verification.
- Requiring multi-factor authentication for all users. MFA in Office 365 becomes mandatory for every user.
- Blocking legacy authentication. Authentication attempts are blocked for client applications that do not use modern authentication or that use older protocols such as IMAP or POP3.
- Protecting privileged activities. This applies when you manage your tenant through Azure Resource Manager: anyone using Azure Resource Manager has to provide an additional authentication method.
Note: Security defaults may already be enabled in your Microsoft 365 tenant if it was created on or after October 22nd, 2019.
There are a few things to consider before enabling security defaults.
Looking at the four bullet points above, you can see that although enabling security defaults has many advantages, the possible consequences must be weighed. Careful preparation is required so that Office 365 access is not disrupted.
One situation to examine before activating security defaults is when you have PowerShell scripts used for automation. Those scripts may stop working after you activate security defaults.
Another possible consequence arises if modern authentication is not enabled in Exchange Online. Outlook clients will not be able to authenticate with MFA, so users will be unable to access their mail and will end up in sign-in loops.
Note that security defaults do not give you fine-grained control over which security settings apply to the whole organization. It is only an on/off setting.
Using Azure Active Directory to Enable Security Defaults
Disclaimer: The purpose of this post is not to advise you on whether or not you should activate security defaults in your Office 365 tenancy. This article focuses only on the “how.” It is your choice whether or not to activate security defaults.
Enabling security defaults takes nothing more than flipping a single switch.
Once you’ve weighed your options and done thorough preparation, follow these steps to turn on security defaults and activate MFA in Office 365.
- First, sign in to the Azure Active Directory admin center.
- Then, go to Azure Active Directory —> Properties.
- At the bottom of the Properties page, click Manage Security Defaults.
- Finally, in the Enable Security Defaults fly-out, choose Yes and then Save.
You can see an example in the video below. Towards the bottom of the page, you should see a confirmation that the default policy has been saved.
Using Azure AD to enable security defaults
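The same switch can be flipped from PowerShell, which is handy when you want to script the change in a test tenant. This is an added example, not from the original article; it assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns module) is installed and that the signed-in admin can consent to the Policy.ReadWrite.ConditionalAccess scope.

```powershell
# Added example (not from the original article): enable security defaults with the
# Microsoft Graph PowerShell SDK instead of the portal switch.
# Assumes Microsoft.Graph.Identity.SignIns is installed and the admin can consent
# to Policy.ReadWrite.ConditionalAccess, which covers the security defaults policy.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'

# Read the current state first; a tenant created after October 2019 may already have it on.
$before = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
"Security defaults enabled before change: $($before.IsEnabled)"

if (-not $before.IsEnabled) {
    # Equivalent of Azure Active Directory -> Properties -> Manage Security Defaults -> Yes -> Save
    Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -BodyParameter @{ isEnabled = $true }
}

# Verify the change was saved, the way the portal's confirmation banner does.
$after = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($after.IsEnabled) {
    'Security defaults are enabled.'
} else {
    throw 'Enabling security defaults failed; check the account permissions.'
}
```

Remember that the same caveats apply as with the portal: automation scripts using legacy authentication will start failing once this runs.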
Testing the Office 365 MFA Setup Experience
What happens after MFA is activated? Will users be locked out immediately, or will they have the option to continue without MFA for a certain period of time? This section covers that.
Any administrator worth their salt will take the additional step of validating that the settings they put in place actually work, just as they would with any other configuration change.
Users will not see MFA immediately, particularly if they are already signed in to Office 365. However, the next time they are required to sign in to Microsoft 365, they will get an additional sign-in prompt like the one below.
After activating MFA, more information is required.
As you can see in the figure above, the user is offered several options. The Skip for now option lets the user sign in without MFA until the grace period expires. If the user selects Next instead, the process of setting up their account for MFA begins.
Suppose the user clicked Next. Typically, the user can also choose a phone number to which the authentication code is sent as a text message. In the example below, however, the user chose the Microsoft Authenticator app.
Installing an authenticator app on a mobile device.
From this point on, every time the user signs in to Office 365 they will be required to approve the sign-in or supply a code to pass authentication.
For older applications and protocols that do not support modern authentication and MFA, app passwords may be used instead. See Create an app password for Microsoft 365 for more details.
Enforcing Multi-factor Authentication with Conditional Access Policies
Conditional access policies give you more flexibility over security settings than security defaults, which apply the same settings uniformly across the whole tenant. Conditional access policies, however, require an Azure AD Premium (P1) license.
Some examples of the granular control that conditional access policies provide:
- Choose which Office 365 resources require multi-factor authentication.
- Allow access to resources only from trusted locations.
- Require approved client applications for access to Office 365 services such as Exchange Online and SharePoint Online.
These are only a few examples of how conditional access policies can be used. The following sections show how to create conditional access policies and test them.
Note that using conditional access policies requires disabling security defaults. This means MFA in Office 365 will be disabled until you enable your new conditional access policies.
Enabling MFA with an Office 365 Conditional Access Policy
There may be occasions when your company decides that only a certain service requires MFA protection. In this example, you’ll learn how to create a sample conditional access policy that requires MFA only when using Exchange Online.
If security defaults are enabled in your tenant, conditional access policies can only be created in Report-only mode. Before enabling conditional access policies, you must first disable security defaults. If you don’t, you’ll see a notice similar to the one below.
Warning that security defaults are still enabled.
To create a new conditional access policy, sign in to the Azure Active Directory admin center. Then go to Azure Active Directory —> Security. You’ll see the Conditional Access | Policies page like the one shown below. Click the New policy button to start creating a new policy.
Page for conditional access policies
Next, create a policy with the following settings:
- Name: Require MFA for Exchange Online
- Assignments: All users (no exclusions)
- Cloud apps or actions: Office 365 Exchange Online
- Grant: Require multi-factor authentication
- Enable policy: On
Follow the steps shown below to create the new policy.
Creating a conditional access policy.
As you can see in the example above, a conditional access policy called Require MFA for Exchange Online was created and enabled. Based on the policy settings, the policy applies to all users, and MFA is required when signing in to Exchange Online.
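The same Require MFA for Exchange Online policy can be created from PowerShell, which also lets you start it in report-only mode and switch it on only after checking the sign-in logs. This is an added example, not from the original article; it assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns module) is installed, and the Exchange Online application ID used below is the well-known Azure AD value for that service.

```powershell
# Added example (not from the original article): create the "Require MFA for
# Exchange Online" policy with the Microsoft Graph PowerShell SDK.
# Assumes Microsoft.Graph.Identity.SignIns is installed.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Well-known application ID of Office 365 Exchange Online in Azure AD (assumed constant).
$exchangeOnlineAppId = '00000002-0000-0ff1-ce00-000000000000'

$policy = @{
    displayName = 'Require MFA for Exchange Online'
    # Report-only: sign-ins are evaluated and logged against the policy, nothing is
    # enforced yet. This is the only state allowed while security defaults are on.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeUsers = @('All') }                   # All users, no exclusions
        applications   = @{ includeApplications = @($exchangeOnlineAppId) } # Cloud app: Exchange Online
        clientAppTypes = @('all')                                        # browsers and desktop/mobile clients
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')                                       # Grant: require MFA
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# After reviewing report-only results in the sign-in logs, turn the policy on
# (the "Enable policy: On" toggle in the portal). Security defaults must be off by now.
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = 'enabled' }

# Confirm what is now enforced in the tenant.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State
```

Extending the policy to SharePoint Online is just another entry in includeApplications, which is the first of the follow-up exercises suggested further below.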
MFA Enforcement by the Conditional Access Policy
When multi-factor authentication is enabled through a conditional access policy, users are required to register and set up their MFA credentials.
Unlike when MFA was enabled through security defaults, there is no option to skip MFA registration when conditional access policies are used.
Security Defaults vs. Conditional Access Policy in Multi-Factor Authentication
To sign in to Exchange Online, the user must approve the sign-in request using the Microsoft Authenticator app, as shown in the example below.
MFA is required to access Exchange Online.
In contrast, signing in to the SharePoint Online site does not require MFA, as seen in the example below.
Signing in to SharePoint Online.
This is just one example of how conditional access policies can be used to control Office 365 access and enable MFA. Here are some additional things you can try at this point:
- Add SharePoint Online as a target of the conditional access policy to enforce MFA there as well.
- Require MFA when accessing Exchange Online, but only when the source is a browser (OWA); do not require MFA when access comes from the Outlook desktop client.
- Create a policy that allows only approved Office 365 mobile applications (e.g., Outlook for iOS/Android) to access Exchange Online and SharePoint Online.
Resetting Multi-factor Authentication Registration
Microsoft provides a number of articles on how to resolve MFA-related issues. You can read them via the following links:
There will be instances when a user’s MFA registration needs to be reset for reasons other than those covered above. When a user changes phones or phone numbers, an MFA reset is required.
Admins may also reset a user’s MFA registration if the user is unable to sign in because they do not meet the MFA sign-in requirements. At their next sign-in attempt, the user will be required to register for MFA again.
There are a few ways to reset a user’s MFA registration.
Using the Microsoft 365 Admin Center to Reset MFA Registration
To reset a user’s MFA registration, sign in to the Microsoft 365 Admin Center. Then go to Users —> Active Users and click the Multi-factor authentication button.
You will be taken to the multi-factor authentication page. Select the user’s name from the drop-down menu, then click the Manage user settings link. Select Require selected users to provide contact methods again, then click Save. See the video below for an example.
From the Microsoft 365 Admin Center, reset the user’s MFA registration.
Using the Azure Active Directory Admin Center to Reset MFA Registration
The Azure Active Directory admin center can also be used to reset the MFA registration.
To reset the MFA registration this way, go to Azure Active Directory —> Users and click the user in the list. On the user’s properties page, scroll down to the Authentication methods link and click it. Finally, click the Require re-register MFA button.
To learn how to reset the MFA registration, see the video below.
Using the Azure Active Directory admin center, reset the user’s MFA registration.
Using Office 365 PowerShell to Reset MFA Registration
This method requires connecting to Office 365 with PowerShell (the MSOnline module). Once your PowerShell session is connected, copy the code below and paste it into your PowerShell console to run it.
Make sure you first change the value of the $upn variable to the user’s correct user principal name. The comment above each command explains what it does.

```powershell
# Connect to Office 365 with the MSOnline module; sign in as an admin when prompted.
Connect-MsolService

# Change this value to the user principal name of the user whose MFA registration you want to reset.
$upn = 'user@example.com'   # placeholder, replace with the real UPN

# Reset the user's MFA registration; the user must register for MFA again at their next sign-in.
Reset-MsolStrongAuthenticationMethodByUpn -UserPrincipalName $upn
```

If the code above was successful, no output is shown on the screen. The result would look like the example below.
Using Powershell to connect to Office 365
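Because a successful reset prints nothing, it is worth confirming the result rather than trusting the silence. The script below is an added example, not from the original article; it assumes the MSOnline module is installed, that Connect-MsolService has already been run, and that the StrongAuthenticationMethods property of Get-MsolUser lists the user's registered MFA methods.

```powershell
# Added example (not from the original article): reset a user's MFA registration
# and confirm the result. Assumes the MSOnline module is loaded and
# Connect-MsolService has already been run.
$upn = 'user@example.com'   # placeholder: replace with the real user principal name

# Look the user up first so a typo in the UPN fails here instead of being ignored.
$user = Get-MsolUser -UserPrincipalName $upn -ErrorAction Stop

# StrongAuthenticationMethods holds the MFA methods (app, phone, ...) the user registered.
$methodsBefore = @($user.StrongAuthenticationMethods).Count
"Registered MFA methods before reset: $methodsBefore"

# Clear the registration; the user is prompted to register again at next sign-in.
Reset-MsolStrongAuthenticationMethodByUpn -UserPrincipalName $upn

# Re-read the user and check that no methods remain.
$methodsAfter = @((Get-MsolUser -UserPrincipalName $upn).StrongAuthenticationMethods).Count
if ($methodsAfter -eq 0) {
    "MFA registration for $upn was reset."
} else {
    throw "Reset did not clear the registered methods for $upn ($methodsAfter remain)."
}
```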
Conclusion
In this post, you’ve learned that there are several ways to activate multi-factor authentication for your Microsoft 365 users. These two options, security defaults and conditional access policies, build on the MFA features already provided in Office 365 and Azure AD.
You’ve also seen that the MFA user experience differs depending on how MFA was activated. Security defaults enable MFA tenant-wide, with no options for customization.
When you use conditional access policies to enforce MFA, you can control access to Office 365 services in many ways. This option, however, requires an Azure AD Premium license, which not all companies have.
You also learned a couple of ways to reset a user’s MFA registration. The Microsoft 365 admin center, the Azure Active Directory admin center, and Office 365 PowerShell are all options for resetting MFA.
I hope the information in this post has helped you understand how MFA can help your company safeguard users from identity-related threats. If you have questions or issues regarding MFA in the future, you may not need to contact Office support representatives right away. Instead, test things out on your own.
Additional Reading
Office 365 two-factor authentication is a way to control access to Office 365 services with MFA. The user needs an app on their phone or tablet in addition to the password for their account.
Frequently Asked Questions
How do I create a Conditional Access policy for MFA?
A: You can create a Conditional Access policy for MFA by following the steps in the Enforcing Multi-factor Authentication with Conditional Access Policies section above.
Can we lock down access to Office 365 to our company offices?
A: If your company has a strict policy on how it wants to use Office 365, you can restrict access using Microsoft Azure’s Role-Based Access Control.
How do I enforce an MFA in Office 365?
A: Enforcing MFA in Office 365 is a tricky task. The best way to enforce it is through your organization’s Azure AD configuration, but if you’re not technical enough for that or don’t have access to the necessary information, it can be complicated and take some time to figure out. To get started with Office 365 security while protecting company data from phishing attacks online, Microsoft recommends leveraging its 360-Degree of Security service, which scans all email messages entering and exiting your network for malicious content.