Multi-factor authentication in Office 365


Multi-factor authentication is a necessity these days. As mentioned in our previous blog post (LINK), scammers are actively trying to gain access to end-user mailboxes for their own malicious activities. Most people think of this attack as hacking, but that is rarely the case; access is usually gained simply by supplying the mailbox's real credentials.

The scammers obtain these credentials by purchasing them on the dark web or by harvesting them through earlier successful phishing or spear-phishing email campaigns (example snapshot below). Nearly all of these attempts to access an Office 365 account can be thwarted by enabling multi-factor authentication (MFA). Not only is MFA the next step in securing an Office 365 account, it is also becoming more common for cloud services to have it enabled by default (banking websites, for example).

Office 365 spear phishing example

Below we will go through the steps of configuring MFA on your Office 365 tenant, enabling MFA on desired accounts, and then reviewing how some applications interact with MFA.

Configure MFA

  1. Log into the Office 365 Admin Center (https://admin.microsoft.com)
  2. Click on “Users” -> “Active Users”
  3. Click on the “More” button -> “Multifactor Authentication Setup”
  4. Click on the tab at the top called “Service Settings”
    1. Select “Allow users to create app passwords to sign in to non-browser apps”
    2. Select at least the following three verification options
      1. Text message to phone
      2. Notification through mobile app
      3. Verification code from mobile app or hardware token
    3. Select “Allow users to remember multi-factor authentication on devices they trust”
      1. Usually 60 days (2 months) provides the best end-user experience

Multi-factor authentication settings

Continue from here to enable MFA on select accounts; Microsoft provides the ability to enable MFA on a per-account basis, which allows for a staged roll-out. Once MFA is enabled on an account, the end user will need to log into the web portal to finish the activation.

Enabling MFA on Office 365 accounts

  • If you are not continuing from the previous section, follow steps 1-3 above to access the Multi-Factor Authentication portal
  • Click on the “users” tab to enable individual users
    • Select the desired user
      • Fair warning: this portal is slow for some tenants and can take a moment or two to refresh when clicking the next arrow
    • Click on the “enable” button
    • On the confirmation pop-up, click “enable multi-factor auth”

Enable multi-factor authentication dialog

  • Direct the user to https://portal.office.com to log in with their O365 credentials
    • Click “Next” on the “More information required” pop-up

Office 365 MFA enable dialog

  • There are two primary ways for the end-user to interact with MFA: through a text message, or through an authenticator app downloaded from the App/Play Store

Setting up Text message authentication

  • Choose “Authentication phone”
  • Enter the mobile number
  • Select “Send me a code by text message”
  • Click “Next”

Specifying the contact method for MFA

  • Enter the code sent to the phone & click “Verify”

Entering the verification code to finalize MFA setup

Setting up Authenticator App

  • Choose “Mobile App”
  • Select the option “Receive notification for verification”
  • Click the “Set up” button

Contact methods for MFA using the authenticator app

  • Download the app from the App/Play Store and scan the QR code shown on the screen

QR code for linking the authenticator app

  • The next page will provide an app password, which should be recorded in a temporary location as it will be needed in some of the scenarios below. If the password is lost, a new app password can be generated from the user’s Office 365 “account” page

Original app password created when setting up MFA

At this point the user’s account is protected with multi-factor authentication. The next step is to reconfigure the authentication settings in the required software & hardware devices. Below are just a few examples of how to do this.

Known applications that require an app password

Outlook for Windows

  • Click on “Start” and type “Credential Manager” -> click the app to open it
  • Select “Windows Credentials” -> delete all stored passwords for Office/Outlook
  • Restart the computer
  • Launch Outlook; it will ask for credentials in one of two different styles
    • Web Portal Pop-up (Modern authentication)
      • Fill in email address & password
      • Follow MFA prompts

Modern authentication prompt for Outlook

    • Windows Security pop-up
      • Fill in email address
      • Use previously provided App Password in the “password” field.

Windows security prompt for Outlook

Outlook for Mac

  • With Outlook open, click on “Outlook” in the menu bar -> select “Preferences”
  • Click on “Account” -> select the Office 365 account -> click on “-” to delete the account
  • Click on “+” to add an account -> type in the email address -> click the “Continue” button
  • Follow the on-screen prompts to authenticate the account with MFA

Outlook & built-in mail for Mobile

  • Outlook for mobile devices (iOS & Android) is fully compatible with modern authentication, and you should be able to follow the on-screen prompts to add the account.
    • Special note: if email is already configured on the device, you can wait for MFA to kick in, but we recommend removing the account and adding it again as soon as MFA has been configured.
  • The built-in mail apps from the major manufacturers (Apple, Samsung, LG) are also compatible with modern authentication

PowerShell for O365 Administration

For MFA & PowerShell to work together, the Exchange Online PowerShell Module must first be downloaded from the Exchange admin center using Internet Explorer (the download will not work with Chrome or Firefox).

  • Log into the Office 365 Admin Center (https://admin.microsoft.com)
  • Expand “Admin Centers” in the left blade -> click “Exchange”
  • Click on “Hybrid” -> click on the second “Configure” button to install the Exchange Online Remote PowerShell Module

Installing the Exchange Online PowerShell Module

  • Follow the prompts to install the module
  • Launch the “Microsoft Exchange Online PowerShell Module” from your Start menu and use the following command to connect (replace GlobalAdminUPN with the admin’s user principal name)
    • Connect-EXOPSSession -UserPrincipalName GlobalAdminUPN
    • Fill out the pop-up form, including the MFA prompt

Microsoft Exchange Online Remote PowerShell login prompts

    • You will now be able to run your standard Office 365 PowerShell commands
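A staged roll-out like the one described in the “Enabling MFA on Office 365 accounts” section is easier to track from PowerShell than by paging through the slow MFA portal. The script below is an added example, not part of the original post: it reports each licensed user’s per-user MFA state and default verification method. It assumes the MSOnline module (installed separately with Install-Module MSOnline) rather than the Exchange Online module the post installs; Connect-MsolService prompts for credentials and the MFA challenge in the same way Connect-EXOPSSession does.

```powershell
# Added example: audit per-user MFA roll-out status (assumes the MSOnline module, not on the post)
Import-Module MSOnline
Connect-MsolService   # interactive sign-in; the admin's own MFA prompt appears here

# One row per licensed user: per-user MFA state plus the default verification method.
$report = Get-MsolUser -All | Where-Object { $_.IsLicensed } | ForEach-Object {
    $requirement = $_.StrongAuthenticationRequirements | Select-Object -First 1
    $defaultMethod = $_.StrongAuthenticationMethods |
        Where-Object { $_.IsDefault } | Select-Object -First 1

    [PSCustomObject]@{
        UserPrincipalName = $_.UserPrincipalName
        # Empty requirements list = per-user MFA never enabled.
        # 'Enabled' = switched on in the portal but user has not finished activation.
        # 'Enforced' = user completed the portal setup described above.
        MfaState          = if ($requirement) { $requirement.State } else { 'Disabled' }
        # e.g. OneWaySMS (text message) or PhoneAppNotification (authenticator app)
        DefaultMethod     = if ($defaultMethod) { $defaultMethod.MethodType } else { 'NotRegistered' }
    }
}

# Users enabled in the portal who still have no registered method are the ones to chase.
Write-Host "Enabled but not yet activated:"
$report | Where-Object { $_.MfaState -eq 'Enabled' -and $_.DefaultMethod -eq 'NotRegistered' } |
    Format-Table -AutoSize

# Licensed accounts with MFA still off are the remaining roll-out backlog.
Write-Host "Still unprotected:"
$report | Where-Object { $_.MfaState -eq 'Disabled' } | Format-Table -AutoSize

# Full snapshot for the roll-out tracker (constructed output path, adjust as needed).
$report | Sort-Object MfaState, UserPrincipalName |
    Export-Csv -Path .\mfa-rollout-status.csv -NoTypeInformation
```

Re-running the script after each batch of users is enabled shows who has completed the portal activation and who still needs a nudge.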

Wrap-up

In short, multi-factor authentication (MFA) is a necessity in today’s workplace. Even if a bad actor somehow obtains valid credentials, MFA still prevents them from accessing sensitive information. If you want to read more about Office 365 security, take a look at our most recent post about email forwarding here (LINK).
