Multi-factor authentication is built into Microsoft’s Office 365 and adds an additional level of security to your email communication. It’s also easy to set up and use, as we’ll see below.
Office 365 Multi-factor Authentication Introduction
Multi-factor authentication is usually defined as requiring more than one form of confirmation to access your account. It’s usually something you know (like your password) and something you have (like your phone, which can receive a code).
You can enable MFA on a per-user basis in your organization and it has the added benefit of alerting the user that an unauthorized person is attempting to access their account and data.
Please note that the following screenshots are from the new admin center that Microsoft is slowly rolling out, so yours may look different until the upgrades are complete.
Enabling Multi-factor Authentication
The first step is to log in to your company’s Office 365 administrative portal using an account with admin access. You can do this by going to https://www.office365.com, clicking on “Sign In” in the upper right corner and picking “Work, school or university.” Then use an administrative account to log in.
Click on the icon in the blue field at the upper right and select the grey Admin app.
In the left-hand bar, expand the Users section and select Active Users.
Double-click on the user for whom you want to enable multi-factor authentication and pick “Manage Multi-factor Authentication” at the bottom of the user account details.
This will open a new tab with a list of users. Select the checkbox for the user(s) you want to enable and click Enable.
Go ahead and click Enable Multi-factor Auth. The two initial login options for the user will be explained below.
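The same per-user setting can be audited and switched on from PowerShell, which helps when you need to confirm that nobody was missed. This is an added example, not part of the original walkthrough; it assumes the MSOnline PowerShell module is installed and you connect with an admin account, and the function names and sample addresses are hypothetical.

```powershell
# Added example: report and enable per-user MFA with the MSOnline module.
Import-Module MSOnline
Connect-MsolService   # prompts for an admin sign-in

function Get-MfaState {
    param([Parameter(Mandatory)] $User)
    # Per-user MFA state is stored in StrongAuthenticationRequirements.
    # An empty collection means MFA has never been enabled for the user.
    $req = $User.StrongAuthenticationRequirements | Select-Object -First 1
    if ($req) { $req.State } else { 'Disabled' }
}

function Get-MfaReport {
    # One row per account: MFA state plus the verification method the user chose.
    Get-MsolUser -All | ForEach-Object {
        [pscustomobject]@{
            UserPrincipalName = $_.UserPrincipalName
            IsLicensed        = $_.IsLicensed
            MfaState          = Get-MfaState -User $_
            DefaultMethod     = ($_.StrongAuthenticationMethods |
                                 Where-Object IsDefault).MethodType
        }
    }
}

function Enable-PerUserMfa {
    param([Parameter(Mandatory)][string[]] $UserPrincipalName)
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = '*'
    $req.State        = 'Enabled'
    foreach ($upn in $UserPrincipalName) {
        $user = Get-MsolUser -UserPrincipalName $upn -ErrorAction Stop
        # Leave accounts that are already Enabled or Enforced untouched.
        if ((Get-MfaState -User $user) -eq 'Disabled') {
            Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements @($req)
        }
    }
}

# Constructed sample addresses; replace with real users in your tenant.
Enable-PerUserMfa -UserPrincipalName 'alice@contoso.example', 'bob@contoso.example'

# Licensed accounts that still have no MFA requirement.
Get-MfaReport |
    Where-Object { $_.IsLicensed -and $_.MfaState -eq 'Disabled' } |
    Sort-Object UserPrincipalName |
    Format-Table -AutoSize
```

An empty `DefaultMethod` next to an `Enabled` state means the user has not yet completed the first-login setup described in the next section.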
The User’s First Login with Office 365 Multi-factor Authentication
The next step is to have your user log in to Office 365 through a web interface. The purpose of this is to set up authentication to the user’s phone and Office 365 applications. There are two ways to achieve this and they’re exactly the same except one says Microsoft Azure and one says Office 365.
1. MS Azure MFA Verification
The link in the previous screenshot will allow the user to log in to Microsoft Azure. Send them this link and have them log in using their Office 365 account: https://aka.ms/MFASetup
2. Office 365 MFA Verification
The end user also has the option to log in directly to the Office 365 web interface to perform the initial verification. This may be more familiar to them but it works the same way.
Have the user go to https://www.office365.com, click on “Sign In” at the upper right and select “Work, School or University.”
Completing the MFA Setup
Regardless of which one you chose, complete the steps below:
Then click on the Set It up Now button.
Microsoft will then either need to text you or call you with an automated voice attendant to verify your phone number. Enter your preference and select Contact Me. On the next screen enter your code.
Once it verifies your identity with the code you will see a screen with an application password. This password will only be displayed ONCE so write this down.
Setting up Individual Passwords for Each Application
The password generated in the previous step will work with mail on your phone, Outlook and all the Office 365 apps. While not required, we recommend generating multiple passwords in your account – one for each application on each device. It is more work but if you lose your phone or laptop you will only have to reset the password for that one device instead of for all of your devices and applications. You are currently limited to 40 passwords per user account but each one can be used on multiple applications.
To set up application passwords, log in to the user’s account in the Office 365 interface at https://www.office365.com, click on the Gear icon at the upper right and pick My App Settings/Office 365.
The next part is entirely counter-intuitive: click on “Security & Privacy” in the left-hand menu, click on Additional Security Verification and then click on “Update Your Phone Numbers Used for Account Security.”
Click on App Passwords at the top and click Create:
Type the name of the app or device you want to use (I just used “Phone” below):
Office 365 will then display a password ONE TIME so write it down. If you lose it, you can delete the password and generate another one using the same steps.
You will then see your new password entry in the App Passwords list.
Subsequent User Logins
After multi-factor authentication is set up, the end-user experience is essentially seamless except when they log in to the webmail interface at https://www.office365.com. In this case their phone will be texted or called with a six-digit authentication code that must be entered into the browser before access is granted. It’s a small price to pay to know when someone is trying to break into their account.
With the full phone/tablet/desktop applications, you just set up the app like you normally would with your account name and the password you generated for that app (or the generic one if you chose to use that) and you won’t be prompted again.
Office 365 Multi-factor Authentication Conclusion
While no password or account is ever truly secure, multi-factor authentication is a great way to add an additional layer of security to your Office 365 accounts. At the very least it will serve as a deterrent for hackers/crackers and an early warning system to your users about malicious activities.