Why do we use MFA?
If by any chance a corporate user’s credential are compromised, login to his account will become impossible until that user approves it from his phone. Hence Microsoft recommends that it should be used in the corporate world for enhanced security. It safeguards corporate data & applications.
Short Steps (takes maximum 1 minute to complete all steps) :
a) Portal.office.com – Users – Active Users – Select the User. Click Manage Multi-Factor Authentication at bottom of the page.
b) Select User – Enable Multi-Factor Authentication – Enabled.
c) Now when the user will try to login, he will be asked to fill his details e.g., mobile number. Educate him in an email about it to choose options like Authentication Phone (best & simplest) or Mobile App (requires Microsoft Authenticator App in Mobile with working internet) – Finish.
d) When user logs out & login, if Authentication Phone is configured, he will receive a simple verification code. If Mobile App is configured, he has to choose Approve or Deny. Selecting Approve will automatically let the user login to his O356 Account.
a) Login to portal.office.com with your Organization’s Credentials.
b) Click Users – Active Users – Select the user on which you want to set up MFA. Click Manage Multi-Factor Authentication at the bottom of the page.
c) Select the user for whom you want to enable Multi-Factor Authentication. At the Right Pane click Enable. You can enable MFA for bulk users at once also.
d) Click Enable Multi-Factor Auth to enable it.
Congratulations 😊 you have enabled Multi Factor Authentication for a user. The activity from admin end is over. I hope it will be a child’s play next time. Now end users needs to be educated about completing MFA steps according to their preferences.
Result after enabling the MFA: Share the link http://aka.ms/MFASetup via email to end users for completing MFA settings according to their own preferences. If they miss your communication, still they would be required to complete MFA as described below:
a) User login to https://outlook.office365.com/owa
b) User will be prompted to provide More Information Required about him.
c) He is asked to choose 3 options: Authentication Phone, Office App and Mobile App.
Simplest Option is “Authentication Phone” where user enters his personal mobile number and receives a code on it to verify his true identity.
A code will be sent to the mobile phone entered. In the last an App Password is also provided to use with Outlook.
Other Optional steps in Additional Security Verification Page:
The Office phone can be setup with the help of office Admins.
Mobile App: It uses Microsoft Authenticator App to approve or provide codes used for MFA. During it configuration the user also adds Personal Phone number like in Authentication Phone. It’s condition is it will only work if Mobile Internet / Wi-Fy is on in mobile. It may happen the user may remove Microsoft Authenticator App or no internet in mobile, so in that case Phone Authentication is used as an alternate which sends a text code on mobile using User’s Carrier e.g., Airtel, Vodafone, Jio etc.)
Configuring Mobile App is very easy: Select Mobile App (shown above) – choose Recieve Notifications for Verification – Click Setup. Simultaneously Download “Microsoft Authenticator” App in mobile from Google Play Store.
Open the app in mobile & click 3 vertical dots at top right of the app – Add Accounts & scan the bar code from the Setup screen. A new Account will be added in Microsoft Authenticator App.
While setting up Mobile App, it will also setup Authentication Phone in case mobile internet is not working.
In the end, it will provide the App Password for Outlook Connection. If user uses Outlook after setting it up, he may get a prompt to enter the password, so he has to enter this App Password. Note it down to enter afterwards.
d) More than 90% of corporate users choose only Authentication Phone option to receive simple text on mobile. Its completely the users’s choice. Personally I prefer Mobile App where Microsoft Authenticator sends a popups on mobile screen to agree to deny.
After completing the MFA Settings, lets see what happens when the user logins to O365:
a) User login to https://outlook.office365.com/owa
b) If he had chosen only the Mobile Authentication method which mostly users do, he will get the text on his mobile as shown below.
c) If he had chosen Microsoft Authenticator App option he will get 4 different options:
- Approve a request on my Microsoft Authenticator App – Gets a popup on mobile: Approve or Deny.
- Use a verification code from my mobile app – Shows a code on mobile in Microsoft Authenticator app.
- Text +XX XXXXXXXX72 – Sends a text code on mobile using Carrier (no internet required)
- Call +XX XXXXXXXX72 – Receives a call from Microsoft & IVR will request to press # key to complete verification.
User can select any option from the above and he will be able to login immediately to his account.
Extra Notes: An app password, is a password that is created within the Azure portal that allows the user to bypass the Multi-Factor Authentication. All the Office 2016 client applications support multi-factor authentication through the use of the Active Directory Authentication Library (ADAL). This means that App Passwords are not required for Office 2016 clients.
Note: If you find that this is not the case, make sure your Office 365 subscription is enabled for Active Directory Authentication Library (ADAL). Connect Powershell to O365 & run:
Get-OrganizationConfig | Format-Table name, *OAuth*
Set-OrganizationConfig -OAuth2ClientProfileEnabled:$true (it will enable Active Directory Authentication Library (ADAL))
If you enjoyed my post, I bet you’ll have something to say! You always have an option to leave a comment below.
Part 1: Why only 5% Users fully secure their GMail Account?
Part 2: Your One-Drive data is important. Secure it full-proof.
Ajey Kumar Gupta
Next Post: How To Connect To Exchange Online with MFA enabled user in Powershell?