Microsoft has recently introduced Multi-Factor Authentication (MFA) for Office 365. This feature is now part of Office 365 Midsize Business, Enterprise plans, Academic plans, nonprofit plans and standalone Office 365 plans (including Exchange Online and SharePoint Online) at no additional cost.
MFA has actually been available for Office 365 administrative roles since June 2013, but it is now available to any Office 365 end user. There are also improvements to the capabilities available since last year, such as App Passwords (discussed later) for users so they can authenticate from Office desktop applications such as Outlook, Lync, Word, etc., as these do not yet natively support MFA.
MFA in Windows Azure and Office 365 provides several options for users as well as backup options in the event the user is not able to authenticate using their preferred method. These are:
- MFA apps are available for Windows Phone, Android and iOS devices. Users download the free app and activate it using a code provided during setup. When the user signs in, a notification is pushed to the app on their mobile device and the user taps to approve or deny the authentication request. Once the app is installed it can operate in 2 different modes:
  - Notification: in this mode, the app prevents unauthorized access to accounts and stops fraudulent transactions. This is done using a push notification to the phone or registered device. The user checks the notification and, if it is legitimate, selects Verify. Otherwise, the user can choose Cancel, or Cancel and Report Fraud if the notification is fraudulent;
  - One-Time Password: in this mode, the Windows Azure MFA app is used as a software token to generate an OATH passcode. This passcode is then entered along with the username and password to provide the second form of authentication.
To enable MFA for an Office 365 user account using the Office 365 portal, follow these steps:
- Sign in to the Office 365 Portal;
- Navigate to the Office 365 admin center;
- Select users and groups;
- Next to Set Multi-Factor authentication requirements, click Set up:
- Find the user(s) that you wish to enable for MFA. Ensure that the user’s MFA Status is Disabled and place a check in the box next to their name:
- This will bring up two options on the right: Enable and Manage user settings. Click Enable. This opens a pop-up that specifies the next steps to take. Click enable multi-factor auth.