Set Multi-factor Authentication for Microsoft Office 365


* I have updated this post to reflect information since MFA went into General Availability *

Multi-factor authentication is an additional security measure to validate the identity of End Users. A secondary-authentication process gets initiated typically via an automated phone call to a mobile device or via a text message requiring a password. Microsoft also offers applications for smartphones and tablets running Android, iOS or Windows Phone operating systems that IT pros can use to send authentication push notifications. The notifications get sent after users log onto a computing environment.

The new multi-factor authentication service works with Microsoft's cloud services, including Windows Azure, Office 365, Windows Intune and Dynamics CRM Online.

Windows Azure Multi-Factor Authentication reduces organizational risk and helps enable regulatory compliance by providing an extra layer of authentication, in addition to a user’s account credentials, to secure employee, customer, and partner access. Windows Azure Multi-Factor Authentication can be used for both on-premises and cloud applications.


In this article, I am going to go through the simple steps that are required in order to set this up for your Office 365 Tenancy. For more detailed information please see the following TechNet Article: https://technet.microsoft.com/en-us/library/dn249466.aspx

NOTE: Once the Multi-Factor Authentication subscription is enabled through the Windows Azure portal, customers can manage Multi-Factor Authentication through the Office 365 portal. For customers who are not yet transitioned to Wave 15, administrators and users need to use the Azure portal to enable and manage Multi-Factor Authentication, as Multi-Factor Authentication controls are not enabled in the Office 365 portal for Wave 14 tenants.

To start off, log in to your Office 365 Administration Portal and select ‘users and groups’ from the left-hand pane. Under the ‘active users’ header, if you are a regular admin user, you will notice that a new option has appeared: “Set Multi-Factor Authentication Requirements”. Click on ‘Set up’.


Next, you will see a list of users that are assigned the ‘Global Administrator’ role. Select the user you wish to activate the service for, which will bring up a task pane on the right-hand side where you can click ‘Enable’.

Next, you will be presented with a pop-up in order to activate multi-factor auth. Please note the following message:

“Note: App passwords are not available to admin users or users who use federated single sign-on. These users will be able to sign in only with the browser.”

Once you have clicked ‘enable multi factor auth’, you will receive a message stating that it has been completed successfully.

When the user(s) that you have activated for multi-factor authentication sign in to the Microsoft Online Service (Office 365), they will receive a message stating that the administrator requires them to set up their account with additional security information.

Go ahead and click on ‘set it up now’, and you will be presented with a screen to input the extra information required to use this service. In this particular instance I am going to set up my account to use the app, but you can also use your telephone number (work/office) if you wish.


You will now need to click on ‘configure’ and follow the on-screen instructions.

Once you have completed this task on your smartphone, it will present you with a 6-digit authentication code, and the status on your screen will change to ‘Mobile App has been configured’. Once you see this, go ahead and click ‘next’.


It will then go through a test phase, to ensure that it can contact you on your preferred contact method… in my case using the Smartphone app.

Click on ‘Verify Now’, which will send a push notification to your phone. Tap the notification and the application will launch; click on ‘verify’ and then close. The status on your screen (web browser) will now state that verification was successful, so go ahead and click ‘next’ to continue.

In the next stage, it will ask you to confirm your contact number.

Once you have completed all of the above tasks, sign-out of the administration portal and test it out!


You also have the ability to set the application up so that it presents you with a 6-digit number to type in, which some organizations might prefer.

If you want to force the user to re-configure their contact methods, or to delete all existing app passwords they have generated, click on ‘set up’ within the administration portal, which will give you the list of users again. Select the user and click on ‘manage settings’.


That’s it, you are all done. I think this is a fantastic benefit for organizations that require that extra level of security for their users.
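
To confirm the result of the steps above from PowerShell, the following added example (not part of the original post or of Microsoft's documentation) lists every Global Administrator with their MFA state and whether they have completed the registration. It assumes the legacy MSOnline module from the same era as this post and a session already connected with Connect-MsolService; the function name Get-AdminMfaState is hypothetical.

```powershell
# Added example: audit MFA state for Global Administrators (legacy MSOnline module).
# Assumes Connect-MsolService has already been run in this session.
Import-Module MSOnline

function Get-AdminMfaState {
    # "Company Administrator" is the MSOnline role name for Global Administrator.
    $role = Get-MsolRole -RoleName 'Company Administrator'
    $members = Get-MsolRoleMember -RoleObjectId $role.ObjectId -All |
        Where-Object { $_.RoleMemberType -eq 'User' }

    foreach ($member in $members) {
        $user = Get-MsolUser -ObjectId $member.ObjectId

        # No requirement entry means per-user MFA was never switched on.
        $state = 'Disabled'
        if ($user.StrongAuthenticationRequirements.Count -gt 0) {
            $state = $user.StrongAuthenticationRequirements[0].State
        }

        # Methods are populated only after the user has completed the
        # 'set it up now' registration described in this post.
        $methods = @($user.StrongAuthenticationMethods)
        $default = $methods | Where-Object { $_.IsDefault } |
            Select-Object -First 1

        [pscustomobject]@{
            UserPrincipalName = $user.UserPrincipalName
            MfaState          = $state
            Registered        = ($methods.Count -gt 0)
            DefaultMethod     = if ($default) { $default.MethodType } else { $null }
            BlockedSignIn     = $user.BlockCredential
        }
    }
}

$report = @(Get-AdminMfaState)
$report | Sort-Object MfaState, UserPrincipalName | Format-Table -AutoSize

# An administrator with MFA switched off, or switched on but never
# registered, is the gap this post's procedure is meant to close.
$gaps = @($report | Where-Object { $_.MfaState -eq 'Disabled' -or -not $_.Registered })
if ($gaps.Count -gt 0) {
    Write-Warning "$($gaps.Count) Global Administrator(s) without completed MFA setup."
}
```

An account that shows MfaState ‘Enabled’ with Registered ‘False’ has been switched on by the administrator but has not yet gone through the ‘set it up now’ prompt.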

App Passwords

App Passwords are required for non-browser clients. When your account is enabled for multi-factor authentication, you will not be able to use non-browser applications such as Microsoft Outlook, Lync, and Windows PowerShell, because these clients do not support multi-factor authentication. In order to continue to use your applications, you must set up App Passwords for your clients.

Please view the following article for further information and updated content (this post was created before GA). It is also the recommended source for the most up-to-date information: https://technet.microsoft.com/en-us/library/dn270518.aspx

Office 365 Multi-Factor Authentication

Multi-Factor Authentication for Office 365, powered by Windows Azure Multi-Factor Authentication, works exclusively with Office 365 applications at no additional cost and is managed from the Office 365 portal.

To enable Multi-Factor Authentication for other applications, customers can purchase the Windows Azure Multi-Factor Authentication service, which offers a richer set of capabilities, additional configuration options via the Windows Azure portal, advanced reporting, and support for a range of on-premises and cloud applications.

Office 365 customers that want the additional functionality can also purchase Windows Azure Multi-factor Authentication.

Multi-Factor Authentication for Office 365 offers a subset of Windows Azure Multi-Factor Authentication capabilities, as shown in the features table below.

Windows Azure Multi-Factor Authentication

Use of Multi-Factor Authentication is free for Windows Azure Active Directory Global Administrators when the corresponding Windows Azure Active Directory has not been provisioned with Multi-Factor Authentication for directory users. When using for free to secure administrator access, advanced configuration options and reporting are not available.

|  | Per User | Per Authentication |
|---|---|---|
| Price | £1.28/month (unlimited authentications) | £1.28 per 10 authentications |

Features

| Feature | Multi-Factor Authentication for Office 365 | Multi-Factor Authentication for Windows Azure Administrators | Windows Azure Multi-Factor Authentication |
|---|---|---|---|
| Included in Windows Azure Subscription |  | Yes |  |
| Included in Office 365 SKUs | Yes |  |  |
| Administrators can Enable/Enforce MFA to end-users | Yes | Yes (applies only to users who are Windows Azure Administrators) | Yes |
| Use Mobile app (online and OTP) as second authentication factor | Yes | Yes | Yes |
| Use Phone call as second authentication factor | Yes | Yes | Yes |
| Use SMS as second authentication factor | Yes | Yes | Yes |
| Application passwords for non-browser clients (e.g. Outlook, Lync) | Yes | Yes | Yes |
| Default Microsoft greetings during authentication phone calls | Yes | Yes | Yes |
| Custom greetings during authentication phone calls |  |  | Yes |
| Fraud alert |  |  | Yes |
| MFA SDK |  |  | Yes |
| Security Reports |  |  | Yes |
| MFA for on-premises applications / MFA Server |  |  | Yes |
| One-Time Bypass |  |  | Yes |
| Block/Unblock Users |  |  | Yes |
| Customizable caller ID for authentication phone calls |  |  | Yes |
| Event Confirmation |  |  | Yes |

How does multi-factor authentication billing work?

On a ‘Per User’ basis, we bill for every user that is provisioned with Multi-Factor Authentication, prorated daily. On a ‘Per Authentication’ basis, we bill for every block of 10 authentications (partial blocks will be billed as 10), billed monthly.

Is the use of Multi-Factor Authentication free for administrators?

Use of Multi-Factor Authentication is free for Windows Azure Active Directory Global Administrators when the corresponding Windows Azure Active Directory has not been provisioned with Multi-Factor Authentication for directory users. When using for free to secure administrator access, advanced configuration options and reporting are not available.

Can I switch between ‘per user’ and ‘per authentication’ bill models at any time?

The billing model is selected during resource creation and cannot be changed once the resource is provisioned. It is possible, however, to create a new Multi-Factor Authentication resource to replace the original. Please note that user settings and configuration options cannot be transferred to the new resource.

For further information regarding this service, please visit: https://www.windowsazure.com/en-us/services/multi-factor-authentication/