How-to Setup Multi-Factor Authentication in Office 365

For the last couple of weeks I have been working on deploying multi-factor authentication (MFA) for Microsoft Office 365. The main challenge of deploying this in our organisation was not the setup of MFA itself, but informing our users, so we don’t get too many helpdesk tickets once MFA is enabled, and coming up with a good rollout plan.


In this article, I will walk you through the setup process for Multi-Factor Authentication in Office 365 and give you some tips on how to roll it out in your organisation.

Office 365 MFA License

Before we start with the setup of MFA in Office 365, we will take a quick look at the license. Multi-factor authentication is part of the Office 365 Business (and Enterprise) plans. With Office 365 MFA you can only protect Office 365 applications.

This means that all Office 365 Online applications are protected, as well as the OneDrive client and the Outlook application. What isn’t protected with MFA is, for example, logging in on your computer.

Multi-Factor Authentication for Office 365 doesn’t offer all the security features that are available in the Azure MFA version, but it offers more than enough for a good additional security layer on your user sign-ins.

The following features are available:

  • Mobile app (Microsoft Authenticator app)
  • Phone call
  • SMS
  • App password for clients that don’t support MFA (Gmail app on Android for example)
  • Remember MFA for trusted devices

Two features that I really miss compared to the Azure MFA version are the One-Time bypass and Trusted IPs.

Setup MFA Office 365

You need to be a tenant admin to set up MFA for your Office 365 tenant. I have enabled the new admin center layout (top right corner) and suggest you do the same if you haven’t done so already.

  1. Open the Admin Center and go to Users > Active Users

  2. Open Multi-factor authentication

    Don’t select any user yet, just open the Multi-factor authentication screen. You will find the button in the toolbar.

  3. Open the Service settings

    Before we start enabling MFA for the users, we first go through the service settings. The button to the settings screen doesn’t stand out, but it’s just below the title.

  4. Setup MFA Office 365


    A few settings are important here:

    Make sure you check the App password option. Otherwise, users can’t authenticate in some applications (like the default mail app in Android).

    Also, take a look at the remember function. By default, it is set to 14 days.


  5. Enable MFA for Office 365 users

    After you have set the settings to your liking, click on save and then on users (just below the title Multi-factor authentication).

    You see the list of your users again. Here you can select a single user or multiple users to enable MFA.

    From the moment you enable Office 365 MFA for a user, they can get the setup screen as soon as they browse to one of the Office 365 products.


Using the bulk update feature

You can also enable multi-factor authentication with the bulk update feature. This works with a simple Excel file containing the usernames and the required status (enable, disable). Just click on the bulk update button and download the sample file.

Another option is to use PowerShell, but enabling MFA with PowerShell is more work (to create the script) than simply using the Excel update feature, so I didn’t spend any time on creating a script for it.

Planning the roll-out

When you enable MFA for a user, they will, at the next login, get a screen stating that an additional security measure is required. So make sure you have informed your users up front with a clear user guide on the steps they have to take.

Some of the pitfalls I came across are:

  • Some users didn’t notice they had to select the mobile app in step 1. So they got an SMS text, which isn’t really user-friendly
  • Make sure your users select “Receive notification for verification”
  • Users with an Apple device need to allow push notifications for the Microsoft Authenticator app. Not all Apple users know where to find that (resulting in helpdesk calls)
  • If users start the MFA process themselves, through https://aka.ms/mfasetup, they can’t create an app password immediately

Create a pilot group with different types of users. I started with 15 users spread across the company to test MFA for 6 weeks. This allowed me to improve the manual and detect any issues that might come up.

If you have a large organisation, make sure you roll it out in batches. No matter how good the manual is, it will result in a rise in helpdesk tickets.
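
The pilot-then-batches plan can be combined with the bulk update feature by generating one upload file per batch. The PowerShell below is an added example, not the author's script; the function name, the `Username` and `MFA Status` column names, the `Enabled` value and the sample addresses are assumptions, so match the columns and value to the sample file downloaded from the bulk update dialog.

```powershell
# Added example. Column names and status value are assumptions: compare them
# with the sample file from the bulk update dialog before uploading anything.
function New-MfaRolloutBatch {
    [CmdletBinding()]
    param(
        [string[]]$UserPrincipalName = @(),
        [string[]]$Pilot = @(),
        [ValidateRange(1, 5000)][int]$BatchSize = 50,
        [string]$Status = 'Enabled'
    )
    # Trim, lower-case, drop blank/malformed entries and duplicates so that
    # nobody ends up in two batches.
    $clean = @($UserPrincipalName |
        ForEach-Object { "$_".Trim().ToLowerInvariant() } |
        Where-Object { $_ -match '^[^@\s]+@[^@\s]+$' } |
        Select-Object -Unique)
    $pilotSet = @($Pilot | ForEach-Object { "$_".Trim().ToLowerInvariant() })

    # Batch 0 is the pilot group; everyone else is cut into fixed-size batches.
    $first = @($clean | Where-Object { $pilotSet -contains $_ })
    $rest  = @($clean | Where-Object { $pilotSet -notcontains $_ })
    foreach ($upn in $first) {
        [pscustomobject]@{ Batch = 0; Username = $upn; 'MFA Status' = $Status }
    }
    for ($i = 0; $i -lt $rest.Count; $i++) {
        $batch = 1 + [int][math]::Floor([double]$i / $BatchSize)
        [pscustomobject]@{ Batch = $batch; Username = $rest[$i]; 'MFA Status' = $Status }
    }
}

# Constructed sample input: placeholder addresses, one duplicate, one blank.
$users = @(1..23 | ForEach-Object { "user$_@contoso.example" }) + 'USER3@contoso.example', ' '
$pilot = $users | Select-Object -First 5

$outDir = Join-Path ([IO.Path]::GetTempPath()) 'mfa-rollout'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# One CSV per batch: mfa-batch-00.csv is the pilot, then 01, 02, ...
$plan = New-MfaRolloutBatch -UserPrincipalName $users -Pilot $pilot -BatchSize 10
$plan | Group-Object Batch | ForEach-Object {
    $file = Join-Path $outDir ('mfa-batch-{0:d2}.csv' -f [int]$_.Name)
    $_.Group | Select-Object Username, 'MFA Status' |
        Export-Csv -Path $file -NoTypeInformation -Encoding UTF8
    '{0}: {1} users' -f $file, $_.Count
}
```

Upload the pilot file first and release each following batch only after the helpdesk load from the previous one has settled.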

Changing user preferences

Users can easily change their preferences or manage the connected mobile phone(s) through their Office 365 account page. Users can also create an additional app password here themselves.

  1. Log in at portal.office.com/account
  2. Go to Security & privacy in the menu on the left side
  3. Select / expand Additional security verification

At Update your phone numbers used for account security, users can add another mobile phone, remove old phones or change their verification option. (If they selected SMS text instead of the app, this is the place to change it.)

At the Create and manage app passwords page, the user can create an app password. One password can be used for multiple applications, but it would be better to create a unique app password for every application that can’t handle MFA.

Conclusion

There is no reason not to use multi-factor authentication in Office 365. The setup is done in a couple of minutes and the user impact is minimal. It adds an additional layer of security to a part of your IT environment, which is always a good thing.

The video below from Microsoft is really great for informing your users, so even the most inexperienced user is able to enable MFA.

You may also like this article about using OneDrive to safely store the users’ desktop, documents and image folders.


7 thoughts on “How-to Setup Multi-Factor Authentication in Office 365”

  1. Our multi-factor authentication is set up through our on-prem AD. Somewhere in the process of syncing, the mobile numbers and personal email addresses are showing up in O365. Is there a setting somewhere to stop those from syncing?

  2. We use multi-factor authentication with O365 but do not want everyone in the organization to see every user’s mobile number and/or personal email address. How can we continue using multi-factor authentication but hide that personal information from showing up in Exchange, SharePoint, etc.?

  3. I really wish MS would allow us to use other apps for OTPs. I hate having to force people to set up another authentication app if they already use a password manager that does it (like 1Password).

    • Well, that’s not only on Microsoft. I got 3 or 4 OTP apps, unfortunately. But I have to say, the push notification from the MSFT app is really nice.
