With Cloud Services such as Office 365 becoming more critical to the operation of many organisations, it is important to protect these services and the data held within them. Multi-Factor Authentication provides an additional layer of security protection when signing into your Office 365 accounts, requiring not just the password for the account, but also a second ‘factor’, commonly a code by text or a call to a trusted phone number.
Prerequisites
Licence Requirements
If you have Office 365 licences, you already have Multi-Factor Authentication (MFA) available for your Office 365 users.
Additional options for MFA are available through the Azure Active Directory Premium Plan 1 licence, including the ability to whitelist based on factors such as locations and the application being accessed.
Software Requirements
In order to honour Multi-Factor Authentication requests, you must use an application that utilises Microsoft’s Modern Authentication platform. The supported applications include:
- Web Portal Applications
- Outlook 2013 and later*
- Outlook 2016 for Mac and later
- Mail for Mac OSX 10.14 (Mojave) and later
- Mail for iOS 11 and later
- Outlook for Mobile
- Microsoft Teams
- Office 2016 and later
- OneDrive
- Office for Mobile
*Modern Authentication must be enabled in your Office 365 tenant. Outlook 2013 requires a registry key to be applied.
The full list of supported applications can be found on the Microsoft Docs portal.
If the application you are using is not a supported application, you will likely need to use an App Password to connect. The details and steps for these can be found later in the guide.
Enable MFA for Users
The accounts you use with Office 365 are managed through the Azure Active Directory service, which is where Multi-Factor Authentication must be applied. You can access this through the Microsoft 365 Admin Center.
You can apply MFA on a per-user basis with the standard licensing, which the below steps cover. With the Premium licences, you can apply it based on other criteria, such as location or device policies. This is not covered below, but details can be found on the Microsoft Docs portal.
You must use an admin account with the Global Administrator role to change these settings.
When the user next logs into the Office 365 portal, they will be prompted to set up their Multi-Factor Authentication options. Once set, the MFA status will change to enforced and apply for future logins. Users who do not commonly access through a web browser can be sent the following link to configure their settings: https://aka.ms/MFASetup.
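To check which accounts have reached the enforced state described above, the following added example (not part of the original guide) reports per-user MFA status from PowerShell. It assumes the MSOnline module, whose Get-MsolUser cmdlet exposes the StrongAuthenticationRequirements and StrongAuthenticationMethods properties, and a sign-in with the Global Administrator role.

```powershell
# Added example (not from the original guide): report per-user MFA state.
# Assumes the MSOnline module is installed and you sign in as a Global Administrator.
Import-Module MSOnline
Connect-MsolService

$report = Get-MsolUser -All |
    Where-Object { $_.IsLicensed -and -not $_.BlockCredential } |
    ForEach-Object {
        $user = $_

        # StrongAuthenticationRequirements is empty until per-user MFA is switched on.
        $req   = @($user.StrongAuthenticationRequirements)[0]
        $state = if ($req) { [string]$req.State } else { 'Disabled' }

        # StrongAuthenticationMethods is empty until the user completes MFA setup.
        $methods = @($user.StrongAuthenticationMethods |
            Where-Object { $_ } |
            ForEach-Object { $_.MethodType })

        [pscustomobject]@{
            UserPrincipalName = $user.UserPrincipalName
            MfaState          = $state
            Registered        = ($methods.Count -gt 0)
            Methods           = $methods -join ', '
        }
    }

# Summary of how many licensed, sign-in-enabled accounts sit in each state.
$report | Group-Object MfaState | Select-Object Name, Count | Format-Table -AutoSize

# Accounts to follow up: MFA not switched on, or switched on but setup not finished.
$report |
    Where-Object { $_.MfaState -ne 'Enforced' } |
    Sort-Object MfaState, UserPrincipalName |
    Format-Table UserPrincipalName, MfaState, Registered, Methods -AutoSize
```

Accounts listed as Enabled with Registered set to False are the ones to send the https://aka.ms/MFASetup link to.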
Change MFA Settings
At times, you may wish to prevent users from being able to use certain options for their additional factors or prevent users from using unsupported applications. In these cases, you will need to edit the Service Settings for Multi-Factor Authentication.
If there is no requirement to allow unsupported (legacy) applications to connect to Office 365, it is recommended to disable App Passwords.
Legacy Applications
From October 13th 2020, Microsoft will be deprecating Basic Authentication for Exchange Online, which App Passwords rely on. This will prevent App Passwords from being accepted. This affects all connections to email services other than SMTP.
If you use an application to access emails that does not support Microsoft’s Modern Authentication platform, you will not be able to log in with your normal password, as it will not be able to handle the prompt for the additional factor. These applications are referred to as Legacy Applications. In order to access services using these applications, you will need to use an App Password in place of your normal password. App Passwords ignore the Multi-Factor Authentication requirement when signing in, but will only work for the Legacy Applications.
Note: This option will not appear if App Passwords have been disabled in the Service Settings.
Once your App Password is generated, you will only be shown it once to copy out. Once the display has been closed, you will no longer be able to see that App Password and must create a new one if it was not recorded.
You should delete App Passwords that are no longer required.