How-to Setup Multi-Factor Authentication in Office 365 — LazyAdmin (2024)

In the last couple of weeks, I have been working on deploying Office 365 Multi-Factor Authentication. The main challenge was not the setup of MFA in Office 365, but with deploying this in our organization was to inform our users, so we don’t get too many helpdesk tickets once MFA is enabled, and to come up with a good rollout plan.

In this article, I will walk you through the setup process of Office 365 multi-factor authentication and give you some tips on how to roll it out in your organization.

Note

Make sure that you have enabled modern authentication. Especially in older tenants this needs to be enabled manually.

Office 365 MFA License

Before we start with the setup of MFA in Office 365, we will take a quick look at the license. Multi-factor authentication is part of the Microsoft 365 business (and Office 365) plans. With Office 365 MFA you can only protect Office 365 applications.

This means that all Office 365 Online applications are protected and also the OneDrive client and Outlook application. What isn’t protected with MFA is, for example, logging in on your computer.

Multi-Factor Authentication for Office 365 doesn’t offer all the security features that are available in the Azure MFA version. But more than enough for a good additional security layer on your user sign-ins.

The following features are available:

• Mobile app (Microsoft Authenticator app)
• Phone call
• SMS
• App password for clients that don’t support MFA (Gmail app on Android for example)
• Remember MFA for trusted devices

One of the features that I really miss compared to the Azure MFA version is the One-Time bypass and the Trusted IPs.

Setup mfa office 365

Using the bulk update feature

You can also enable multi-factor authentication with the bulk update feature. This works with a simple excel file containing the usernames and the required status (enable, disable). Just click on the bulk update button and download the sample file

Using PowerShell to enable MFA

Another option is to use PowerShell to enable MFA. The advantage of using PowerShell is that you can automate it, so you never forget the enable it for a user.

I have created a small script to enable MFA with PowerShell that you can find here. I also created a script to get the MFA status of your users that you can find in this article.

Enable Location and Number Matching

By default, the MFA request on your phone only asks if you want to improve or deny the request. You can’t see where the request is coming from, which is a security risk.

To mitigate the risk, you can enable number matching and/or add additional context (location and app) to the MFA request.

Read more about those features in this article.

Planning the roll-out

When you enable MFA for a user it will, at the next login, get a screen that additional security measure is required. So make sure you have informed your user upfront with a clear user guide on the steps they have to take.

Some of the fall pits I come across are:

• Some users didn’t notice they had to select the mobile app in step 1. So they got an SMS text which isn’t really user-friendly
• Make sure your users select “Receive notification for verification“
• Users with an Apple need to allow push notification for the Microsoft Authenticator app. Not all Apple users know where to find that (resulting in helpdesk calls)
• If users start the MFA process them self, through https://aka.ms/mfasetup, they can’t create an app password immediately

Create I pilot group with different types of users. I start with 15 users spread across the company to test MFA for 6 weeks. This allowed me to improve the manual and detect any issues that might come up.

If you have a large organization make sure you roll it out in batches. No matter how good the manual is, it will result in a raise in helpdesk tickets.

Changing user preferences

Users can easily change their preferences or manage the connected mobile phone(s) through their Office 365 account page. Also, the creating of an additional app password can be done here by the user self.

1. Login at myaccount.microsoft.com
2. Go to Security Info in the menu on the left side

At the top, you can change the Default sign-in method. The most user-friendly option here is to use the Microsoft Authenticator – Notification.

In the list you can add different authentication methods, which is always a good idea to have in case the app isn’t working or if you have switched phone and the app is not been installed yet.

The user can create an app password. One password can be used for multiple applications, but it is better to create unique app passwords for every application that can’t handle MFA.

Conclusion

There is no reason not to use multi-factor authentication in Office 365. The setup is done in a couple of minutes and the user impact is minimal. It adds an additional layer of security to a part of your IT environment which is always a good thing.

Make sure you take a look at the Best Practice to Secure Office 365 Guide with more than 18 security tips.

The video below from Microsoft is really great to inform your users, so even the most inexperienced user is able to enable MFA.

You may also like this article about using OneDrive to safely store the user’s desktop, documents, and image folder.