Thursday 30 July 2015

How to Configure Office 365 Multi Factor Authentication

Multi Factor Authentication can be attractive to businesses looking to migrate to Office 365, this allows administrators to enforce two methods of authentication on to users. This makes it harder for black hat hackers to compromise corporate data, this is mainly because stolen (or cracked passwords) will not be sufficient to gain access to the Office 365 services. In this example I am going to configure basic MFA with Office 365, there is more advanced features that can be utilized which I will explore in further posts.

Sign in to Office 365 as a Global Administrator, click Active Users and then click Set Up under Set Multi-Factor Authentication Requirements.

Select Users and then click Enable under the Quick Steps pane.

You will be asked to confirm if you want to enable Multi Factor Authentication, click Enable MFA to enable it.

Under the Service Settings tab, ensure Allow users to create app passwords to sign in to non-browser apps this will allow users to create app passwords to ensure they can still use full-functioning clients such as Outlook etc. These app passwords replace the standard passwords in Outlook profiles.

Now if you try to login to Office 365 as a user you will be prompted to complete the setup of MFA. Click Set it up now to continue.

Probably one of the easiest way to integrate MFA, in its most basic fashion with Office 365 is to link user account to company issued mobile phones. Select Authentication Phone and enter your Country Code and Mobile/Cell phone number. I have also selected Send me a code by text message. Click Contact Me.

Within seconds you will receive a 6 digit code from Microsoft.

The screen will automatically refresh allowing you to enter the 6 digit code, once you have done this click Verify.

Take note of this default app password and click Finished.

Now when you try to login as a user you will be prompted with a secondary authentication box for you to populate with the 6 digit code Microsoft will send every time you try to login. As I am connecting via a domain-joined computer ADFS and SSO has passed-through my standard network credentials leaving only the secondary authentication. If you were connecting from an internet computer you would have to enter both sets of credentials.

Another code is sent to my mobile phone to authenticate this login request.

The next step is to create app passwords to ensure users can use full-Outlook etc. Once logged into to Office 365 click on the Settings cog and select Office 365 Settings. You will be faced with this page, Click Additional Security Verification. 

 Click on the App Passwords tab.

Click Create and name the new app password something descriptive.

Office 365 will automatically generate a new app password for you. Select Copy password to clipboard and then Close.

It is within the Outlook profile you should populate with the newly create app password.