Why do organizations moving to Office 365 prefer MFA for security?

Why do we use MFA?
If a corporate user’s credentials are compromised, login to his account still remains impossible until that user approves the sign-in (or enters the code) from his phone, so a stolen password alone is not enough. Hence Microsoft recommends that it be used in the corporate world for enhanced security. It safeguards corporate data and applications.

Short Steps (takes a maximum of 1 minute to complete all steps):
a) Portal.office.com – Users – Active Users – Select the User. Click Manage Multi-Factor Authentication at the bottom of the page.
b) Select User – Enable Multi-Factor Authentication – Enabled.
c) Now, when the user next tries to log in, he will be asked to fill in his details, e.g., mobile number. Educate him by email beforehand so he can choose an option such as Authentication Phone (best and simplest) or Mobile App (requires the Microsoft Authenticator app on the phone with a working internet connection) – Finish.
d) When the user logs out and logs in again: if Authentication Phone is configured, he will receive a simple verification code; if Mobile App is configured, he has to choose Approve or Deny. Selecting Approve automatically lets the user log in to his O365 account.

Practical:
a) Log in to portal.office.com with your organization’s credentials.
b) Click Users – Active Users – Select the user for whom you want to set up MFA. Click Manage Multi-Factor Authentication at the bottom of the page.

c) Select the user for whom you want to enable Multi-Factor Authentication. In the right pane, click Enable. You can also enable MFA for many users at once.

d) Click Enable Multi-Factor Auth to enable it.

Click Done.
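The same per-user enablement can be done from PowerShell, which is handy for auditing who still has MFA disabled before and after a rollout. The script below is an added example and is not from the original post; it assumes the MSOnline module (Install-Module MSOnline) and an admin account that can sign in with Connect-MsolService. The UPN is a constructed placeholder.

```powershell
# Added example (not from the original post): enable per-user MFA from PowerShell
# instead of the portal, and report which licensed users still have it disabled.
# Assumes the MSOnline module is installed; the UPN below is a placeholder.
Import-Module MSOnline
Connect-MsolService   # interactive sign-in with an admin account

function Get-MfaState {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    # StrongAuthenticationRequirements is empty when per-user MFA is Disabled
    $user = Get-MsolUser -UserPrincipalName $UserPrincipalName
    $req  = $user.StrongAuthenticationRequirements
    if ($req -and $req.Count -gt 0) { return $req[0].State } else { return 'Disabled' }
}

function Enable-PerUserMfa {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    # Equivalent of "Enable Multi-Factor Auth" in the portal (State = Enabled).
    # The user is prompted to register a phone / the Authenticator app at next sign-in.
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = '*'
    $req.State        = 'Enabled'
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @($req)
}

# 1. Audit: licensed users with no MFA requirement at all
Get-MsolUser -All |
    Where-Object { $_.IsLicensed -and -not $_.StrongAuthenticationRequirements } |
    Select-Object DisplayName, UserPrincipalName |
    Format-Table -AutoSize

# 2. Enable MFA for one user (placeholder UPN) and print the resulting state
$upn = 'user@contoso.onmicrosoft.com'
Enable-PerUserMfa -UserPrincipalName $upn
Get-MfaState -UserPrincipalName $upn
```

Running the audit query again after step 2 should no longer list that user. Users enabled this way see the same "More Information Required" registration prompt at their next login that the rest of this post walks through.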

Congratulations 😊 you have enabled Multi-Factor Authentication for a user. The activity from the admin end is over. I hope it will be child’s play next time. Now, end-users need to be educated about completing the MFA steps according to their preferences.

Result after enabling MFA: Share the link http://aka.ms/MFASetup via email to end-users so they can complete the MFA settings according to their own preferences. If they miss your communication, they will still be required to complete MFA as described below:

a) The user logs in to https://outlook.office365.com/owa
b) The user is prompted with “More Information Required” and asked to provide additional details.

c) He is asked to choose from 3 options: Authentication Phone, Office Phone and Mobile App.

The simplest option is “Authentication Phone”, where the user enters his personal mobile number and receives a code on it to verify his true identity.

A code will be sent to the mobile phone number entered. At the end, an App Password is also provided for use with Outlook.

Other optional steps on the Additional Security Verification page:

Office Phone: can be set up with the help of office admins.

Mobile App: uses the Microsoft Authenticator app to approve sign-ins or provide codes for MFA. During its configuration, the user also adds a personal phone number, as in Authentication Phone. The condition is that it only works when mobile internet / Wi-Fi is on in the phone. It may happen that the user removes the Microsoft Authenticator app or has no internet on the phone; in that case, Phone Authentication is used as an alternative, which sends a text code to the mobile via the user’s carrier (e.g., Airtel, Vodafone, Jio, etc.).

Configuring the Mobile App is very easy: select Mobile App – choose Receive notifications for verification – click Set up. Meanwhile, download the “Microsoft Authenticator” app on the phone from the Google Play Store.

Open the app on the phone, tap the 3 vertical dots at the top right of the app, tap Add Account, and scan the barcode (QR code) from the Set up screen. A new account will be added in the Microsoft Authenticator app.

While setting up the Mobile App, it will also set up Authentication Phone as a fallback in case mobile internet is not working.

At the end, it will provide the App Password for the Outlook connection. If the user uses Outlook after setting it up, he may get a prompt to enter a password; he has to enter this App Password there. Note it down to enter afterward.

d) More than 90% of corporate users choose only the Authentication Phone option, receiving a simple text on the mobile. It’s completely the users’ choice. Personally, I prefer the Mobile App, where Microsoft Authenticator sends a pop-up on the mobile screen to Approve or Deny.

Final Result:

After completing the MFA settings, let’s see what happens when the user logs in to O365:

a) The user logs in to https://outlook.office365.com/owa

b) If he had chosen only the Authentication Phone method, as most users do, he will get the text code on his mobile.

c) If he had chosen the Microsoft Authenticator App option, he will get 4 different options:

  • Approve a request on my Microsoft Authenticator App – Gets a pop-up on the mobile: Approve or Deny.
  • Use verification code from my mobile app – Shows a code on the mobile in the Microsoft Authenticator app.
  • Text +XX XXXXXXXX72 – Sends a text code to the mobile via the carrier (no internet required).
  • Call +XX XXXXXXXX72 – Receives a call from Microsoft, and the IVR will request that he press the # key to complete verification.

The user can select any option from the above and will be able to log in immediately to his account.

Extra Notes: An app password is a password created within the Azure portal that allows the user to bypass Multi-Factor Authentication for that app. All the Office 2016 client applications support multi-factor authentication through the use of the Active Directory Authentication Library (ADAL). This means that App Passwords are not required for Office 2016 clients.

Note: If you find that this is not the case, make sure your Office 365 subscription is enabled for Active Directory Authentication Library (ADAL). Connect PowerShell to O365 and run:

Get-OrganizationConfig | Format-Table Name, *OAuth*
Set-OrganizationConfig -OAuth2ClientProfileEnabled:$true

The second command enables Active Directory Authentication Library (ADAL) support (modern authentication) for the tenant; the first shows the current value of OAuth2ClientProfileEnabled so you can confirm it before and after.
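The two commands above can be wrapped into a small idempotent check that only changes the tenant setting when it is actually off, which is how I would run it across several tenants. This is an added example, not from the original post; it assumes the ExchangeOnlineManagement module (Install-Module ExchangeOnlineManagement), whose Connect-ExchangeOnline cmdlet works with an MFA-enabled admin account.

```powershell
# Added example (not from the original post): verify that modern authentication
# (OAuth2 / ADAL) is enabled for the tenant and turn it on only if it is not.
# Assumes the ExchangeOnlineManagement module is installed.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive sign-in; completes the MFA prompt for the admin

function Test-ModernAuthEnabled {
    # OAuth2ClientProfileEnabled is the tenant switch that Office 2016 clients
    # need in order to authenticate via ADAL instead of an App Password.
    $cfg = Get-OrganizationConfig
    return [bool]$cfg.OAuth2ClientProfileEnabled
}

if (Test-ModernAuthEnabled) {
    Write-Host 'Modern authentication (ADAL) is already enabled.'
} else {
    Write-Host 'Modern authentication is disabled; enabling it now.'
    Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
}

# Same property filter the post uses, so the result can be eyeballed
Get-OrganizationConfig | Format-Table Name, *OAuth*

Disconnect-ExchangeOnline -Confirm:$false
```

The setting is tenant-wide, so it needs to be done only once; after it is on, Office 2016 clients prompt for the second factor themselves and the App Password from the setup page is no longer needed for them.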

If you enjoyed my post, I bet you’ll have something to say! You always have an option to leave a comment below.

Part 1: Why only 5% Users fully secure their GMail Account? 
Part 2: Your One-Drive data is important. Secure it full-proof.

Thanks,

Ajey Kumar Gupta
(Microsoft Engineer).

Next Post: How To Connect To Exchange Online with MFA enabled user in Powershell?
