How-to set up Multi-factor Authentication for Office 365
Note that there are multiple layers to Microsoft’s Multi-factor Authentication (MFA) service. In this post, we are only covering the MFA included with Office 365. Additional Azure MFA features are available, for example, through a subscription to the Enterprise Mobility Suite.
In order to begin setup for multi-factor authentication, go to the Office 365 Admin portal. Find Settings > Services & add-ins on the left, then find Azure multi-factor authentication on the right.
Follow the link to Manage Azure multi-factor authentication.
From this screen, select the user(s) for whom you would like to enable the multi-factor authentication service. Click Enable.
You will be prompted–be sure to pause and take heed! I recommend using the links provided here to verify the deployment process, separately from what I am telling you on this blog–you never know what has changed day-to-day with Azure services. Besides, I take no responsibility for your actions–see my disclaimer.
In a private browsing session, you can either visit the link to https://aka.ms/MFASetup or https://portal.office.com–either will work. Now we can test it out on one of our users. They will be asked to setup the second factor upon sign-in.
Just fill out a mobile phone number, and choose call or text. You can also use push notification using a mobile app. In this example, we’ll just stick to SMS text messaging.
You will notice that authenticating on certain mobile devices presents a peculiar security dilemma: e.g. how does your Apple iPhone mail application prompt you for that second factor? It doesn’t. The workaround Microsoft came up with for this scenario is to generate an “app password,” which is given to you in the next step. Keep this somewhere safe.
How can you tell if this worked? Simple: try to remove & re-add your Email account from a mobile device, such as a tablet or mobile phone. It should reject your old password–you need to supply the app password instead.
To see how the second factor works on a PC, visit a Microsoft Online sign-in page with your Email address and password.
There you have it!
Returning to the Azure multi-factor authentication page in the service portal, you can also now manage certain settings for Enforced users.
Pretty slick.
Again, this is scratching the surface of multi-factor authentication. If you want to configure a full MFA provider and gain access to advanced features (including the ability to provide MFA for on-premises applications), then you will have more work to do (and it will incur additional charges on your Azure subscription)!
For many SMB organizations looking to enable MFA for Office 365, this “included” version will likely be all they need.
Azure (classic) service management portal
If you ever need to get back to the “vanilla” MFA settings area from the classic Azure service management portal, scroll down to select Active Directory from the left menu, then expand your domain.
Now find Manage Access then Manage Multi-Factor Authentication.
Leave a Reply