Microsoft 365 Security Administration: MS-500 Exam Guide

Implementing and managing Multi-Factor Authentication (MFA)

In the modern workplace, users are increasingly accessing their data from almost anywhere in the world and from multiple devices. This increases the burden on Microsoft 365 administrators who need to support this modern and more agile way of working, while also ensuring that users, resources, and data within Microsoft 365 are secure and protected. By default, Microsoft 365 user accounts authenticate to Azure AD with only a user ID and password. In the modern security landscape, this simply does not provide enough protection from threats such as phishing attacks.

As we briefly highlighted in Chapter 1, Planning for Hybrid Identity, Multi-Factor Authentication (MFA) within Microsoft 365 can help protect your organization by providing two-step verification to Microsoft services via approved authentication methods. As a quick reminder, these authentication methods can be based upon the following aspects:

  • Something you know, such as your password
  • Something you have, such as your mobile phone or an OATH hardware token
  • Something you are, such as biometric identification (fingerprint or facial recognition)

So, as an example of how this may work, when a user signs in with their user ID and password, before they are granted access to Microsoft 365 they may also need to enter a six-digit code that has been sent to their smartphone by text message or, alternatively, a code generated by the Microsoft Authenticator app. Only if every required authentication challenge is met is the user granted access. Of these methods, the authenticator app (push notification or generated code) is preferable to text message or voice call, both of which are exposed to SIM swapping and interception.

Enabling MFA

MFA can be enabled from the Microsoft 365 admin center as follows:

  1. Open Services & add-ins from the Settings menu:

    Figure 2.31 – Services & add-ins

  2. Select Azure multi-factor authentication:

    Figure 2.32 – Azure multi-factor authentication

  3. Now, select Manage multi-factor authentication:

    Figure 2.33 – Azure multi-factor authentication

  4. On the multi-factor authentication page, select the users for whom you wish to require MFA and click Enable:

    Figure 2.34 – Managing multi-factor authentication

    You can also choose the bulk update option if you wish to enable MFA for several users at once. A sample CSV file can be downloaded from that page; populate it with the users to be enabled and upload it.

  5. You can also enable MFA for your users via PowerShell. The following example shows the process to enable a single user via PowerShell.

    First, connect to MsolService via PowerShell (the MSOnline module must already be installed):

    $UserCredential = Get-Credential

    Import-Module MSOnline

    Connect-MsolService -Credential $UserCredential

    Next, create a StrongAuthenticationRequirement object that applies to all relying parties:

    $mfa = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement

    $mfa.RelyingParty = "*"

    Choose between Enabled and Enforced for the desired MFA state. Enabled means the user is enrolled and will be prompted to register a verification method the next time they sign in with modern authentication; Enforced means registration is complete, and any legacy clients that cannot perform modern authentication will need an app password. A user who completes registration moves from Enabled to Enforced automatically:

    $mfa.State = "Enabled"

    Then, to enable MFA for a single user, enter the following command:

    Set-MsolUser -UserPrincipalName <UserPrincipalName> -StrongAuthenticationRequirements $mfa

    If you wish to enable MFA for all your users via PowerShell, you can use the following command (note that this includes every account in the tenant, including any emergency-access accounts you may want to handle separately):

    Get-MsolUser -All | ForEach-Object { Set-MsolUser -UserPrincipalName $_.UserPrincipalName -StrongAuthenticationRequirements $mfa }
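As an added example that is not part of the book, the following script builds on the cmdlets above: it audits the per-user MFA state and registered verification methods of every member account, then enables MFA only for accounts that do not yet have it, skipping an exclusion list and supporting -WhatIf for a dry run. The exclusion UPN, the function names and the "Disabled" label used for an empty requirements collection are assumptions made here, not MSOnline terms. It assumes Connect-MsolService has already been run in the session. Note that Microsoft has since deprecated the MSOnline module in favour of the Microsoft Graph PowerShell SDK, so this demonstrates the book's approach rather than the current recommended tooling.

```powershell
# Added example (not from the book). Assumes an existing Connect-MsolService session.
# Emergency-access ("break glass") accounts are assumed to be kept out of per-user MFA
# and protected by other means; the UPN below is a placeholder.
$excluded = @('breakglass@contoso.com')

function Get-MfaReport {
    # One object per enabled member user: per-user MFA state plus registered methods.
    # An empty StrongAuthenticationRequirements collection means MFA is not enabled;
    # 'Disabled' is our own label for that case (MSOnline only reports Enabled/Enforced).
    Get-MsolUser -All |
        Where-Object { $_.UserType -eq 'Member' -and -not $_.BlockCredential } |
        ForEach-Object {
            $req   = $_.StrongAuthenticationRequirements | Select-Object -First 1
            $state = if ($req) { $req.State } else { 'Disabled' }
            [pscustomobject]@{
                UserPrincipalName = $_.UserPrincipalName
                MfaState          = $state
                DefaultMethod     = ($_.StrongAuthenticationMethods | Where-Object IsDefault).MethodType
                Methods           = ($_.StrongAuthenticationMethods.MethodType -join ',')
            }
        }
}

function Enable-MfaWhereMissing {
    # Enables per-user MFA (state 'Enabled') for every reported account that has no
    # requirement yet, except those in -Exclude. Supports -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$Exclude = @())

    $mfa = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $mfa.RelyingParty = '*'
    $mfa.State = 'Enabled'   # user is prompted to register at next sign-in, then becomes Enforced

    foreach ($u in Get-MfaReport) {
        if ($u.MfaState -ne 'Disabled') { continue }
        if ($Exclude -contains $u.UserPrincipalName) {
            Write-Verbose "Skipping excluded account $($u.UserPrincipalName)"
            continue
        }
        if ($PSCmdlet.ShouldProcess($u.UserPrincipalName, 'Enable per-user MFA')) {
            Set-MsolUser -UserPrincipalName $u.UserPrincipalName -StrongAuthenticationRequirements $mfa
            $u.UserPrincipalName   # emit the UPNs that were changed so the caller can record them
        }
    }
}

# Usage:
# Get-MfaReport | Export-Csv .\mfa-report.csv -NoTypeInformation   # audit first
# Enable-MfaWhereMissing -Exclude $excluded -WhatIf                  # preview changes
# $changed = Enable-MfaWhereMissing -Exclude $excluded -Verbose      # apply and keep the list
```

Run the report before enabling anything: accounts whose Methods column is empty but whose state is Enforced are worth investigating, and the exclusion list keeps emergency-access accounts from being locked behind a registration prompt nobody can complete during an outage.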

Service settings

Administrators can also configure some additional service settings, which include the following:

  • Allow/disallow users to create app passwords (these let legacy clients that cannot perform MFA authenticate with a single long password, so they are best disallowed unless such clients are still in use)
  • Set a list of trusted IP addresses or IP ranges that may skip the MFA process
  • Choose the available verification options, which include the following:

    a. Call to phone

    b. Text message to phone

    c. Notification through mobile app

    d. Verification code from mobile app

    e. OATH hardware token

Next, let's look at secondary authentication methods.

Configuring the secondary authentication method

Once a user has been enabled for MFA, they will be prompted to configure their secondary authentication method the next time they log in with their Microsoft 365 user ID and password.

This is what the user will see when they log in with their credentials once MFA is enabled:

  1. More information is required from the user:

    Figure 2.35 – More information required

  2. The next stage of the process enables the user to select from the available methods that have been defined:

    Figure 2.36 – Keep your account secure

  3. The user may follow this process through until completion. When finished, they should see the following:

    Figure 2.37 – Success!

MFA is now set up for their account, and they will be prompted for it when signing in to apps on their Windows, Mac, and mobile devices.

Important note

If you have Azure AD Premium P1, you can configure MFA for Microsoft 365 via Conditional Access policies. This will be covered in the next chapter. In addition, with Azure AD Premium P2, you can configure Azure AD Identity Protection to trigger MFA verification based on user sign-in risk detections.

Please remember that if you enable both SSPR and MFA in your Microsoft 365 environment, you can also use the combined registration portal, which we described earlier in this chapter, so that users register once for both services.