In recent years we’ve seen a huge shift from on-premises to cloud-based environments, and with this shift came a number of security challenges – the most notable being that anyone could theoretically log in to a privileged user account from practically anywhere in the world.
This meant that organizations had to focus their attention on ensuring that the authentication methods they used were robust enough to prevent adversaries from compromising their user accounts.
What is Multi-Factor Authentication (MFA) in Office 365?
Unlike traditional methods of authentication, which only require a username and password, multi-factor authentication (MFA) requires additional factors, which typically include a combination of something you know, something you have and something you are.
As such, were an adversary to steal or brute-force a user’s password, they still wouldn’t be able to log in, as they wouldn’t be able to provide the additional factors required to successfully authenticate.
The good news is that Office 365 provides multi-factor authentication out-of-the-box, and you do not need to pay for any additional license to use it. That said, there is an enhanced version of MFA in the Enterprise Mobility + Security Suite (EMS), which you will need to purchase a license for.
What Are the Benefits of MFA?
According to the Verizon Business 2020 Data Breach Investigations Report, “37 percent of credential theft breaches used stolen or weak credentials”, and in North America, “the technique most commonly leveraged was stolen credentials, accounting for over 79 percent of hacking breaches”. It is clearly important that businesses leverage the most robust authentication protocols available to them. Below are some of the main benefits that enabling MFA in Office 365 can bring.
- It reduces the chance of identity theft, which is a growing threat to all businesses.
- It makes stolen passwords less useful to attackers, which in turn reduces the incentive for them to target a given network.
- MFA is a simple, affordable, and effective way to bolster security, which makes it a good choice for small companies.
- Other security solutions, such as anti-virus, SIEM, DLP, firewalls, and intrusion prevention systems, are only as secure as the authentication methods used to protect them.
- As data privacy regulations become increasingly stringent, it’s possible that the use of MFA to protect user accounts will become mandatory for organizations that collect, process, and store large amounts of sensitive personal data.
Multi-Factor Authentication Methods in Office 365
Office 365 provides a variety of MFA methods, which include:
Authentication by personal phone (call or text)
This MFA method is where the user receives either a phone call or a text message. If you select the “call” option, an automated call will ask you to press the pound sign (#) to confirm your identity. If you choose to receive a text message, you will be sent a text that contains a 6-digit one-time password (OTP), which you will need to enter on the login page. You will also be asked to provide a backup number, which will be used if the first phone number is not answered or goes to voicemail. Authenticating by phone means you must have your phone with you every time you want to log in, which isn’t always convenient, especially if you were to lose your mobile device.
Authentication by office phone
When you select this option, you will receive a phone call to an office phone extension. As above, to complete the sign-in process you will be prompted to press # on your keypad.
Microsoft Authenticator App
The Microsoft Authenticator App is said to provide the best user experience when using MFA. You can download and install the app from the following address. When trying to authenticate using the Microsoft Authenticator App, the user will receive a notification on their device asking them to approve or deny the authentication request. Alternatively, they also have the option to use a verification code that changes every 30 seconds, which they will need to enter in order to log in.
How to Set Up Multi-Factor Authentication in Office 365
Firstly, you will need to be a global administrator in order to enable MFA in Office 365. Once you have logged in, you will need to complete the following steps:
- Go to the Admin Center.
- Click on “Active Users” on the left navigation pane and expand Users.
- Expand the tab that says “More” and click on “Setup Azure multi-factor auth”.
- Select the users from the list you want to enable MFA for and click “Enable”. You can also check the box next to DISPLAY NAME, which will select all users.
NOTE: Administrators have the option of enabling MFA on user accounts where the user has yet to complete the registration process. In this scenario, the user will be prompted to choose their second verification method when they sign in.
Signing in with Office 365 MFA
- Go to your Office 365 portal, enter your username, and click “Next” to continue.
- Enter your password and click “Sign in”.
- You will be asked to register for multi-factor authentication, which includes setting up additional verification methods.
- Choose your preferred contact method.
- Once registration is complete, if the administrator has enabled the creation of app passwords, you will be presented with an app password which you will need to make a note of in order to sign into non-browser-based apps such as Skype for Business, etc.
- After clicking “done”, you will be signed into Office 365.