Microsoft Ignites a new Focus on Security (Part 7)

If you would like to read the other parts in this article series please go to:

Introduction

In Part 1 of this article series, I discussed the announcement at Ignite 2015 regarding more flexible patching cycles and the introduction of Windows 10 Device Guard. In Part 2, we started to look at more of the new security features, products and services, beginning with Microsoft Advanced Threat Analytics. In Part 3, we looked more closely at the Ignite presentations regarding what Microsoft is doing about security in the cloud and specifically in Office 365. In Part 4, we began talking about identity management in the cloud and particularly how identity management works in Office 365. In Part 5, we showed you how to implement each of the identity models and provided some tips for best practices with whichever identity model you ultimately choose.

Last time, in Part 6, we talked about general concepts regarding multi-factor authentication (MFA) across the industry and in Microsoft’s cloud services and this time in Part 7, we will get into the nitty gritty of enabling and configuring Microsoft’s MFA options. We’ll start with Office 365 MFA and in Part 8, we’ll address the added feature set of Azure Active Directory Premium MFA.

Microsoft MFA options

Office 365 has built-in support for MFA, which has been available for all users since early 2014 (previously it was only available for administrative accounts). The version included with Office 365 protects only Office 365 sign-ins, and you configure and manage it in the Office 365 admin portal. It is included with your Office 365 subscription at no extra charge.

For more full-featured functionality, organizations can purchase a subscription to Azure Active Directory Premium and use Azure MFA, which gives you more configuration options and advanced reporting, and can be used with additional applications (both on-premises and cloud apps).

If you don’t want to pay for Azure AD Premium, there are a couple of options. You can still use MFA for administrators (only) when they log into regular Azure subscriptions to perform admin tasks and manage their Azure services. You won’t get the reports and other premium features, but you will reduce the risk of unauthorized access to admin accounts by requiring the secondary authentication factor.

The same version of Azure MFA that comes with Azure AD Premium is also available as a standalone service. Pricing is either per user or per authentication.

The good news is that all versions of the Microsoft MFA implementations for the cloud allow for a lot of flexibility. They all support the use of a phone call, an SMS text message or a mobile app as the secondary authentication factor, and the applications that support MFA also allow for the use of app passwords in those instances where the users are connecting via a client application that doesn’t support MFA (for example, older versions of Outlook). This way, you get the extra account protection of MFA without cutting off access for users who may not be able to utilize it. Keep in mind, though, that an app password is a static credential that signs the client in with no second factor at all, so allowing app passwords reopens a single-factor path into the account; allow them only where you actually have clients that need them.

Azure AD Premium MFA does provide a number of extra features. Some are nice but not essential, such as the ability to set custom greetings for the phone calls, but some may be important in your particular environment, such as the ability to control which authentication methods are used. The advanced reporting feature is another one that might make the upgrade worth it for your organization, especially if you fall under regulatory compliance requirements that call for the kind of documentation the reports would provide.

In the following sections, we’ll discuss how to configure the different MFA versions.

Configuring Office 365 MFA

In order to protect Office 365 user accounts with MFA, an Office 365 administrator must first go into the Office 365 Admin Center portal and enroll users for multifactor authentication. Go to the Users and Groups page (select from the left hand navigation pane) and click the Set Multi-factor authentication requirements: Set up link. This is the last line in the list of Set Up choices near the top of the page, above the list of user names. Select Active Users.

On the Multi-factor authentication page, there is a link to access the multi-factor auth deployment guide, and it’s a good idea to check this out before you proceed, especially if you have any complexities in your Office 365 deployment or special authentication needs. We will address a few of the most important deployment considerations in the next section of this article.

You can enroll all users for MFA, or you can enroll only selected users by checking the checkboxes to the left of the user names and then doing a bulk update. The right hand column in the list of users shows the multi-factor authentication status of each user. There are three states: “Disabled” means the administrator has not enrolled the user; “Enabled” means the administrator has turned MFA on but the user has not yet completed the registration process (the user will be prompted to register at the next browser sign-in); and “Enforced” means registration is complete and a second factor (or an app password for non-browser clients) is required at every sign-in. Users still need to go through the registration process before MFA actually protects their sign-ins, so an account will sit at “Enabled” until they do.

When you enable a user (or users), a dialog box will open where you choose to Enable multi-factor auth.

If you have users who will be using applications that don’t support MFA, such as Outlook prior to 2013, it is important to enable the option for them to sign in with app passwords. You do this through the Set up link referenced above, this time selecting Service settings instead of Users. Under app passwords, select Allow users to create app passwords to sign into non-browser applications.

The users will then be able to create their own app passwords for signing into those applications without going through MFA.
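The portal steps above can also be scripted, which is the practical way to enroll a pilot group or a whole department. The following is an added example, not code from the original article; it uses the MSOnline PowerShell module (the tooling current when this article was written, since retired in favour of Microsoft Graph PowerShell) and assumes you are connected as a Global Administrator. The input file path is a hypothetical placeholder.

```powershell
# Added example (not from the original article): enable Office 365 MFA for a
# list of users with the MSOnline module instead of clicking through the portal.
# Assumes: Install-Module MSOnline has been run, and the account you sign in
# with is a Global Administrator.
Import-Module MSOnline
Connect-MsolService          # prompts for admin credentials

# Hypothetical input file: one user principal name per line.
$userList = Get-Content -Path 'C:\mfa\pilot-users.txt'

# A StrongAuthenticationRequirement with State "Enabled" is what the portal's
# "Enable multi-factor auth" button sets: the user is prompted to register at
# the next browser sign-in. "Enforced" skips that grace state and demands a
# second factor (or an app password for non-browser clients) immediately, so
# only use it for users who have already registered.
$requirement = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$requirement.RelyingParty = '*'
$requirement.State = 'Enabled'

foreach ($upn in $userList) {
    $user = Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue
    if (-not $user) {
        Write-Warning "No such user: $upn"
        continue
    }

    # Skip users who are already Enabled or Enforced so the script is safe to re-run.
    $currentState = $user.StrongAuthenticationRequirements.State
    if ($currentState) {
        Write-Host "$upn is already $currentState, skipping"
        continue
    }

    Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements @($requirement)
    Write-Host "Enabled MFA for $upn"
}

# The portal's "Disable" action is the same property set to an empty array:
# Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements @()
```

Setting the state to Enabled rather than Enforced matches what the portal does when you click Enable: users keep working until their next browser sign-in, at which point they are walked through registration. Flip users to Enforced only after you have confirmed they have registered and, where needed, created an app password, otherwise their non-browser clients will simply start failing to authenticate.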

Office 365 MFA deployment considerations

Planning your Office 365 MFA deployment requires careful forethought. Microsoft gives you a number of different methods by which users can provide the secondary authentication factor, but some may make more sense than others for your particular organization and users. Remember that whereas Azure AD Premium MFA allows users to authenticate with a physical or virtual smart card or a biometric device, the Office 365 MFA implementation is more limited and is focused on the user’s smart phone as the second factor; the differences are in how the phone is used to authenticate: phone call, SMS text message or mobile app.

The use of a phone call might be undesirable in situations where noise from a ringing phone could be an issue, although users could set their phones to vibrate. The risk is that they then miss the call, though they should be expecting it and watching the phone. In addition, many users now wear “smart” fitness bands or watches, such as the Fitbit Charge or the Microsoft Band, that vibrate to notify them of an incoming call when paired with their phones.

The use of an SMS message might not be feasible if you have users who have SMS disabled on their phones. Some users who have smart phone plans that don’t include unlimited texting may not appreciate receiving extra SMS messages for which they might be assessed a charge.

A mobile app may be a problem for some users who are at the limit of their phone’s storage capacity and don’t have the room to install another app, or who might be using old phones or phones running operating systems for which there is no app available.

The best thing to do is to survey your users and their habits, equipment and situations to determine which of the authentication methods will work best. It’s not mandatory that all of your users use the same method.

Client-side configuration of MFA

When a user logs into Office 365 after the administrator has enabled the user’s account to use MFA, there will be a message displayed that requires the user to select which type of secondary authentication factor to use.

If the user chooses one of the phone call options (mobile or office phone), the phone number needs to be entered. Then when the user logs on, he/she will receive a phone call on the designated phone and will be instructed to press the pound key (#). Once the key has been pressed, the user will be logged into Office 365.

If the user selects the text messaging option, an SMS message will be sent to the user’s phone to complete the logon. The message will include a six-digit code number that must be entered into the Office 365 logon portal for the user to successfully log on.

If the user selects to be notified through the mobile app, the app needs to be installed on the user’s smart phone. Apps are available for Windows, Android and iOS phones. The user will receive a notification to confirm the login through the app. A user can also select to have a six-digit code shown in the app, similarly to the text messaging option. The code then needs to be entered in the Office 365 logon portal to complete the logon.

Users can change their selections at a later time by going into the Office 365 settings for their user accounts after signing in and being authenticated, and selecting Additional security verification – Add or change your security verification settings.
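Once users have been through the registration flow just described, the administrator needs to know who has registered, which second factor each user picked, and who is still sitting at “Enabled” without having registered. The following is an added example, not code from the original article; it reads the registration details that the MSOnline module exposes on each user object and assumes an existing Connect-MsolService session as a Global Administrator.

```powershell
# Added example (not from the original article): audit MFA registration state
# and the default second factor for every enrolled user, so you can chase
# users who are still "Enabled" but have not registered before you move them
# to "Enforced". Assumes the MSOnline module and a Global Administrator sign-in.
Import-Module MSOnline
Connect-MsolService

# MethodType values as exposed by MSOnline, mapped to the options the user sees
# on the "Additional security verification" page.
$methodNames = @{
    'TwoWayVoiceMobile'    = 'Phone call (mobile phone)'
    'TwoWayVoiceOffice'    = 'Phone call (office phone)'
    'OneWaySMS'            = 'Text message with a verification code'
    'PhoneAppNotification' = 'Mobile app notification'
    'PhoneAppOTP'          = 'Mobile app verification code'
}

# Only users the administrator has enrolled carry a StrongAuthenticationRequirement.
$report = Get-MsolUser -All |
    Where-Object { $_.StrongAuthenticationRequirements.Count -gt 0 } |
    ForEach-Object {
        $methods = $_.StrongAuthenticationMethods
        $default = $methods | Where-Object { $_.IsDefault }
        [pscustomobject]@{
            User          = $_.UserPrincipalName
            State         = $_.StrongAuthenticationRequirements.State   # Enabled or Enforced
            Registered    = ($methods.Count -gt 0)
            DefaultMethod = if ($default) { $methodNames[$default.MethodType] } else { '(not registered)' }
            MethodCount   = $methods.Count
        }
    }

$report | Sort-Object State, User | Format-Table -AutoSize

# Users who were enabled but have never completed registration. These are the
# people to contact before enforcing MFA, and the ones whose accounts are not
# yet protected by a second factor at all.
$notRegistered = $report | Where-Object { -not $_.Registered } | Select-Object -ExpandProperty User
Write-Host "`n$($notRegistered.Count) enrolled user(s) have not registered a second factor:"
$notRegistered
```

The Registered column is the security-relevant one: a user whose state is “Enabled” but who has zero registered methods is still signing in with a password alone. Running this report periodically, and before any bulk move to “Enforced”, is the simplest check that the MFA rollout actually took effect.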

Summary

As we continue the discussion of using multifactor authentication with Microsoft cloud services, in this installment we walked through setting up MFA for Office 365 on both the administrative and client sides. Next time, in Part 8, we will look at how to implement and use the more fully featured version of MFA that comes with Azure AD Premium or can be purchased as a standalone service.
