How to set up MFA for an organization's Microsoft 365
To deploy MFA to an entire Microsoft environment, specifically to Microsoft 365, IT administrators will need to set up authentication via Azure AD.
In an ever-changing security landscape, organizations need to protect their data from falling into the wrong hands, and one way to secure critical data and files is to bolster authentication settings.
Many users need to authenticate multiple times per day to access the applications and data they need to work, but organizations that use Azure Active Directory (Azure AD) can deploy specific authentication controls to restrict non-trusted access to business data within the purview of Microsoft software and services, including Microsoft 365.
Why adopt multifactor authentication?
If an organization is not already using multifactor authentication (MFA) for logging in to a Microsoft Azure environment, then it is time to consider turning it on. MFA improves overall security posture by requiring users to provide a username and password when signing in and then requiring a second authentication method. The second method can be a phone call or a text message to an approved number, or an app notification on the user's smartphone. MFA helps protect against account takeover attacks, in which attackers try to gain access to user accounts via stolen or guessed passwords.
Azure AD MFA and Office 365 MFA are both multifactor authentication offerings from Microsoft, but they have different scopes and uses. Azure AD MFA is a cloud-based identity and access management (IAM) offering that provides multifactor authentication for a variety of cloud and on-premises applications, including Office 365. Azure AD MFA is part of the Azure AD Premium offering and provides additional features and capabilities, such as conditional access policies and integration with third-party authentication providers.
On the other hand, Office 365 MFA is a feature of Office 365 that provides multifactor authentication for Office 365 services only. This includes Exchange Online, SharePoint Online and OneDrive for Business. Azure AD MFA is a more comprehensive and flexible option for MFA, while Office 365 MFA is specifically designed for Office 365 services and nothing more. Organizations that use Office 365 can enhance their security by using Azure AD MFA as their IAM service.
Azure AD MFA requires two or more of the following factors:
- Something you have. A trusted device or a hardware key.
- Something you know. A password or passcode.
- Something you are. A biometric, such as a fingerprint or iris scan.
Process to set up Microsoft 365 authentication
There are several methods to enable MFA, found in different areas of Microsoft Azure AD:
- Security defaults. MFA is set at an organization-wide level and is enabled for all users.
- Conditional access policy. Users must complete MFA based on a set of conditions, such as location, device and risk level, for example, when users are working away from the office network and logging in remotely.
- Per-user MFA. An individual user needs to authenticate via MFA whenever they access cloud-based services.
Administrators can also use Azure Identity Protection, which is built on policies such as conditional access but is purely focused on identity policies. For that reason, it won't be covered in these steps.
Conditional access cannot be used at the same time as Security Defaults. To use conditional access policies, admins will need to disable Security Defaults. Disabling security features can have serious consequences and should be done with caution and only when it is entirely necessary. Before disabling any security features, IT administrators should thoroughly understand the risks and evaluate the potential impact on the organization.
To configure MFA, use the M365 Admin Center. First, admins should decide whether MFA will be set by conditional access or by Security Defaults.
Security Defaults MFA
This method will apply MFA by default across the tenant for all authentication requests and accounts. Once enabled, there are no configuration options, and the following changes are automatically applied by Azure Security Defaults:
- All users need to register for MFA within two weeks of their next login.
- Authentication is only via authenticator apps.
- Administrators will always be required to provide MFA.
- Users will be prompted to provide MFA when Microsoft deems it necessary, such as when they sign into a new device or application.
- Logins to Azure Portal, Azure CLI or Azure PowerShell will always prompt for MFA.
- Legacy authentication protocols are no longer supported.
To set Security Defaults, follow these steps:
- Sign in to the Microsoft 365 Admin Center or the Azure AD portal with an account that has the Security Administrator, Conditional Access Administrator or Global Administrator role.
- Navigate to Azure AD, select Properties from the pane and then Manage security defaults (Figure 1).
- Select Enabled in the Security defaults drop-down box (Figure 2).
Conditional access MFA
The conditional access approach provides more flexibility within the MFA policy. To enable Microsoft conditional access, follow these steps:
- Sign in to the Microsoft 365 Admin Center or the Azure AD portal with an account that has the necessary permissions.
- Set the Security defaults to Disabled (not recommended).
- Once the conditional access policies are in place, it's time to enable MFA for the users.
- Within the Azure AD admin portal, click on Conditional access and then New policy (Figure 3).
- The conditional access policy window will open.
- Define the policy settings, including the conditions and controls that will trigger the policy (Figure 4).
- Assign the policy to the desired users and groups.
- Save the policy.
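The same two steps, checking the Security Defaults state and creating a policy that requires MFA, can also be scripted with the Microsoft Graph PowerShell SDK. This is an added example rather than the article's own; the break-glass group ID and the policy name are placeholders, and the policy is created in report-only mode so its effect can be reviewed in the sign-in logs before it enforces anything.

```powershell
# Added example (not from the original article). Assumes the Microsoft.Graph
# PowerShell SDK is installed and the signed-in admin can consent to the scopes below.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

# 1. Security Defaults and conditional access are mutually exclusive, so confirm
#    the tenant state before creating a policy.
$defaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($defaults.IsEnabled) {
    Write-Warning "Security Defaults are enabled; disable them only once the replacement conditional access policy has been reviewed."
}

# 2. Build a policy that requires MFA for all users on all cloud apps.
#    The emergency-access ("break-glass") group is excluded so that a misconfigured
#    policy cannot lock every administrator out. The object ID below is a placeholder.
$breakGlassGroupId = "<BREAK-GLASS-GROUP-OBJECT-ID>"
$policy = @{
    DisplayName = "Require MFA for all users"
    # Report-only first; change to "enabled" after reviewing sign-in logs.
    State       = "enabledForReportingButNotEnforced"
    Conditions  = @{
        Applications = @{ IncludeApplications = @("All") }
        Users        = @{
            IncludeUsers  = @("All")
            ExcludeGroups = @($breakGlassGroupId)
        }
    }
    GrantControls = @{
        Operator        = "OR"
        BuiltInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"
```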
After following these steps, the conditional access policy will be in effect and users will be subject to the defined conditions and controls when accessing applications and resources.
The specific steps may vary based on your Microsoft 365 version and setup, but the general steps should be the same.
Alternatively, set MFA per user account in one of the following ways.
Single user management
To set MFA for an individual user, follow these steps:
- Sign in to the Microsoft 365 Admin Center with an account that has the necessary permissions. Go to the Users section, select Active users and then select Multi-factor authentication (Figure 5).
- A new window will open with a list of Active users. Click on Security & Privacy and then click on Additional security verification. Then, select the desired user to enable MFA for. Click Enable in the right-hand pane (Figure 6).
- Select the enable multi-factor authentication button.
- Close the notification pop-up that indicates a successful implementation.
After following these steps, MFA will be enabled for the selected user and they will be prompted to complete the setup process the next time they sign in.
Bulk user management
There is an option to enable MFA for a group of users all at the same time with a bulk update. Start with the same steps as for a single user:
- Sign in to the Microsoft 365 Admin Center with an account that has Global Admin permissions.
- Go to the Users section, select Active users and then select Multi-factor authentication (Figure 5). Admins may need to click on the three-dots menu to see this option.
- A new window will open with a list of Active users. At the top of the window, select the Update in bulk button.
- From here, admins can upload a CSV file with all the user accounts that need MFA enabled.
- Once the file with the user account details is uploaded, select the arrow in the bottom right corner to complete the process.
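One way to build the upload file from an Azure AD group with the Microsoft Graph PowerShell SDK, as an added example that is not part of the article. The group name and output path are placeholders, and the CSV column layout (a header row of Username and MFA Status, with Enabled, Enforced or Disabled per row) is taken from the portal's sample file and is an assumption here.

```powershell
# Added example (not from the original article). Assumes the Microsoft.Graph
# PowerShell SDK is installed; the group name and output path are placeholders.
Connect-MgGraph -Scopes "Group.Read.All", "User.Read.All"

$groupName = "MFA Rollout Wave 1"     # placeholder: the group holding this wave's accounts
$outFile   = ".\mfa-bulk-update.csv"  # placeholder output path

$group = Get-MgGroup -Filter "displayName eq '$groupName'"
if (-not $group) { throw "Group '$groupName' not found" }

# Resolve members to user objects only; nested groups, devices and service
# principals are skipped so that only user accounts land in the upload file.
$members = Get-MgGroupMember -GroupId $group.Id -All |
    Where-Object { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.user' }

# The bulk update page expects "Username,MFA Status" as the header row and one of
# Enabled, Enforced or Disabled per row (assumption based on the portal's sample file).
# Disabled accounts are left out so that the upload does not fail on them.
$rows = @(foreach ($m in $members) {
    $u = Get-MgUser -UserId $m.Id -Property UserPrincipalName, AccountEnabled
    if ($u.AccountEnabled) {
        [pscustomobject]@{ 'Username' = $u.UserPrincipalName; 'MFA Status' = 'Enabled' }
    }
})

$rows | Export-Csv -Path $outFile -NoTypeInformation -Encoding UTF8
"Wrote $($rows.Count) rows to $outFile; review the file before uploading it."
```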
When users log in following the MFA activation, they will be asked to complete the verification process. This can be completed through a text message, phone call or the Microsoft Authenticator app.