How to set up MFA for an organization’s Microsoft 365
In an ever-changing security landscape, organizations need to protect their data from falling into the wrong hands, and one way to secure critical data and files is to bolster authentication settings.
Many users need to authenticate multiple times per day to access the applications and data they need to work, but organizations that use Azure Active Directory (Azure AD) can deploy specific authentication controls to restrict non-trusted access to business data within the purview of Microsoft software and services, including Microsoft 365.
If an organization is not already using multifactor authentication (MFA) for logging into a Microsoft Azure environment, then it is time to consider turning it on. MFA improves overall security posture by requiring users to provide a username and password when signing in and then to complete a second authentication method. The second method can be a phone call or a text message to an approved number, or an app notification on the user's smartphone. MFA helps protect against account takeover attacks, in which attackers try to gain access to user accounts with stolen or guessed passwords.
Azure AD MFA and Office 365 MFA are both multifactor authentication offerings from Microsoft, but they have different scopes and uses. Azure AD MFA is a cloud-based identity and access management (IAM) offering that provides multifactor authentication for a variety of cloud and on-premises applications, including Office 365. Azure AD MFA is part of the Azure AD premium offering and provides additional features and capabilities such as conditional access policies and integration with third-party authentication providers.
On the other hand, Office 365 MFA is a feature of Office 365 that provides multifactor authentication for Office 365 services only. This includes Exchange Online, SharePoint Online and OneDrive for Business. Azure AD MFA is a more comprehensive and flexible option for MFA, while Office 365 MFA is specifically designed for Office 365 services and nothing more. Organizations that use Office 365 can enhance their security by using Azure AD MFA as their IAM service.
MFA can be enabled in several ways, each found in a different area of Azure AD:
Administrators can also use Azure Identity Protection, which is built on policies such as conditional access but is purely focused on identity policies. For that reason, it won’t be covered in these steps.
Conditional access cannot be used at the same time as Security Defaults. To use conditional access policies, admins will need to disable Security Defaults. Disabling security features can have serious consequences and should be done with caution and only when it is entirely necessary. Before disabling any security features, IT administrators should thoroughly understand the risks and evaluate the potential impact on their organization.
MFA is configured from the Microsoft 365 admin center. Admins should first decide whether MFA will be enforced by Security Defaults or by conditional access.
Security Defaults applies MFA across the tenant for all authentication requests and accounts. Once enabled, there are no configuration options; the following changes are applied automatically by Azure Security Defaults:
To set Security Defaults, follow these steps:
The conditional access approach provides more flexibility within the MFA policy. To enable Microsoft conditional access, follow these steps:
After following these steps, the conditional access policy will be in effect and users will be subject to the defined conditions and controls when accessing applications and resources.
The specific steps may vary based on your Microsoft 365 version and setup, but the general process should be the same.
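The same conditional access setup can be scripted with the Microsoft Graph PowerShell SDK. The script below is an added example, not code from the article or from Microsoft: it checks that Security Defaults is off (the two cannot coexist), then creates a report-only policy that requires MFA for all users so the impact can be reviewed before enforcement. It assumes the Microsoft.Graph module is installed, an account with rights to manage policies, and a placeholder object ID for an emergency-access account to exclude.

```powershell
# Added example (not from the article). Requires the Microsoft.Graph PowerShell SDK
# and an administrator allowed to read and write conditional access policies.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

# Security Defaults and conditional access cannot be used together, so check first
# rather than creating a policy that will never take effect.
$defaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($defaults.IsEnabled) {
    Write-Warning "Security Defaults is enabled; disable it before using conditional access."
    return
}

# Placeholder (assumption): object ID of an emergency-access account that must never be
# locked out by the policy. Replace with a real value from your tenant.
$breakGlassId = "<BREAK-GLASS-ACCOUNT-OBJECT-ID>"

# Policy body in the Graph conditionalAccessPolicy shape. "enabledForReportingButNotEnforced"
# logs what the policy would do without blocking sign-ins; switch to "enabled" after review.
$policy = @{
    displayName   = "Require MFA for all users (report-only)"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassId)
        }
        applications = @{
            includeApplications = @("All")
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy $($created.Id) in state $($created.State)"
```

Review the report-only sign-in results in the Azure AD sign-in logs before changing the state to enabled.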
Set MFA by user account in one of the following ways.
Single user management
To set MFA for an individual user, follow these steps:
After following these steps, MFA will be enabled for the selected user and they will be prompted to complete the setup process the next time they sign in.
Bulk user management
There is an option to enable MFA for a group of users all at the same time with a bulk update. Start with the same steps as for a single user:
When users log in following the MFA activation, they will be asked to complete the verification process. This can be completed through a text message, phone call or the Microsoft Authenticator app.