How to configure multi-factor authentication in Microsoft 365

Case



You need to configure Multi-Factor authentication (MFA) in your Microsoft 365 tenant, for some or all your Microsoft 365 identities.



Solution



To increase the security of your Office 365 infrastructure, it is strongly recommended to configure MFA in all Office 365 user accounts. Multi-factor authentication means your admins and your users must provide more than one way to sign into Microsoft 365 and this is one of the easiest ways to secure your organization.



You have two options. You can either configure the legacy per-user MFA or enable MFA for all M365 identities by configuring the Security Defaults setting.



Option 1: Legacy per-user MFA

You can use this option if you need to enable MFA for individual users only. However bear in mind that it is highly recommended to enable MFA for all users using the security defaults option (see below section of this article).



First follow the steps below as a Microsoft 365 administrator user to enable the legacy per-user MFA setting:



- Log into the M365 admin portal at https://admin.microsoft.com as the global administrator user.

- Navigate to https://account.activedirectory.windowsazure.com/UserManagement/MultifactorVerification.aspx?BrandContextID=O365.

- Tick the checkbox next to the user(s) you need to enable MFA for and click on the Enable link on the right.

- Click enable multi-factor auth as shown in the example below.



- You should receive a successful message as shown below. Click close and confirm that the MFA auth status of the user(s) chosen above is now Enabled or Enforced.

Now each of the users who have their MFA setting activated as per the above instructions must follow the instructions below:



- Logoff from any open Microsoft 365 services (Teams, Sharepoint Online, Onedrive, Exchange Online, Outlook).

- Open a browser window and navigate to https://aka.ms/mfasetup.

- When they logon they will be asked to provide additional information. Click Next to continue.

- For starters, choose “Authentication phone” as authentication phone, provide the user’s personal mobile phone and click Next.



- Provide the code you received on your mobile by SMS and click Verify.



- Copy the generated app password and keep it stored in a safe location. This may be needed in some legacy apps and apps which do not support Office 365 MFA, such as Apple mail. Click Done to complete the procedure.



- Tick the don’t show again checkbox and click on Yes, to stay signed in without having to re-authenticate for a pre-defined time interval.

- On the next screen, you can optionally configure a second MFA method, such as a mobile authenticator application (Microsoft Authenticator mobile app). Or if you prefer to keep things simple, you can only use your mobile phone SMS for MFA. In this case simply choose in the drop-down box the “Text code to my authentication phone” as the preferred option and click cancel to proceed.



- You will now be redirected to your profile home page from which you can change your Office 365 password. You can access this page any time in the future by navigating to https://account.activedirectory.windowsazure.com/r/#/profile  in order to change your Office 365 account password.

From this point onwards, any time you sign-in to your Office 365 account, you will have to provide an additional security Code sent via SMS to your mobile phone. You will need to follow the additional steps below each time to login:



- Click on your registered mobile phone to receive an MFA code by SMS.

- Enter the code you received by SMS and click Verify to proceed.

Option 2: Security defaults (recommended)



This option applies to all users and can be used in conjunction with Azure AD Conditional Access Policies. Conditional Access brings identity-driven signals together, to make decisions, and enforce organizational policies. Azure AD Conditional Access is at the heart of the new identity-driven control plane. Conditional Access policies at their simplest are if-then statements, if a user wants to access a resource, then they must complete an action.



Conceptual Conditional signal plus decision to get enforcement

Some common identity-driven signals for Azure AD Conditional Access are the following:



- User or group membership

- IP Location information

- Device

- Application

- Real-time and calculated risk detection

- Microsoft Defender for Cloud Apps

Conceptual Conditional Access process flow

To configure security defaults, if you have previously turned on per-user MFA, you must turn it off before enabling Security defaults by navigating to the following page as a global admin user: https://account.activedirectory.windowsazure.com/UserManagement/MultifactorVerification.aspx?BrandContextID=O365. On the multi-factor authentication page, select each user and set their Multi-Factor auth status to Disabled.



If you have a newly created tenant, chances are that security defaults option is already enabled for your organization by default. If not, you can configure security defaults from the Azure AD admin center by navigating to https://aad.portal.azure.com/ as a global admin user.



Then follow the procedure below.



- In the Azure AD admin center choose Azure Active Directory --> Properties.

- At the bottom of the page, choose Manage Security defaults.



- Choose Yes to enable security defaults or No to disable security defaults, and then choose Save.



If you have any baseline Conditional Access policies, you will be prompted to turn them off before you can use security defaults.



Security defaults apply the following security measures:



- Requiring all users to register for Azure AD Multi-Factor Authentication.

- Requiring administrators to do multi-factor authentication.

- Blocking legacy authentication protocols.

- Requiring users to do multi-factor authentication when necessary.

- Protecting privileged activities like access to the Azure portal.

A more detailed analysis of Azure AD security defaults can be found at: https://techcommunity.microsoft.com/t5/azure-active-directory-identity/introducing-security-defaults/ba-p/1061414.



After the security defaults option are enabled, your end-users will be prompted to provide additional information for enabling MFA in their Microsoft 365 account, as explained in the previous section of this article.



Sources



https://docs.microsoft.com/en-us/microsoft-365/admin/security-and-compliance/set-up-multi-factor-authentication?view=o365-worldwide



https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults


https://stefanos.cloud/kb/how-to-configure-multi-factor-authentication-in-microsoft-365/

Comments

Post a Comment

Popular posts from this blog

Acronis Cyber Protect 15 virtual machine backup not working when using shared mode virtual disks vhds

Image
Case When you apply and run an Acronis Cyber Protect backup against a virtual machine which is part of a guest cluster which makes use of virtual disk shared files of type .vhds (VHD Set), you run across the following error. Activity succeeded with warnings. Activity 'Preparing for backup of virtual machine' succeeded with the following warning 'Windows error: (0xC05CFF0A). The requested operation cannot be performed on the virtual disk as it is currently used in shared mode. Or the error may state something along the lines of: "Failed to open virtual disk file '.vhds'. Unknown format of the virtual disk." The same error as above can occur in virtual machine backup of virtual machines which include a .vdhx shared disk. Solution The above error is by design when you are attempting a virtual machine backup to virtual machine which does not have an Acronis backup agent installed, as per https://kb.acronis.com/content/68573 . According to Acronis, as of July 2
Read more

How to perform hardware health checks in Windows

Image
Case You need to perform an overall hardware health check in a Windows machine, running either a Windows client or a Windows Server operating system. This article provides guidance on the steps to carry out to perform hardware health checks in Windows. Solution Carry out the steps below. - Thoroughly check all Windows event logs (Application, System, Security) for any warnings or errors which may be related to issues you are experiencing with your Windows machine. - Check the device management mmc console by running devmgmt.msc. Ensure that you choose to show all hidden devices from the View menu. If you notice any exclamation marks next to any device, you will need to re-install its driver from the respective manufacturer to ensure that there afterwards no warnings in the device management console. - Check the health of all your disks , either HDD or SSD. Follow instructions in the following KB article for steps to follow to check your disk health: https://stefanos.cloud/kb/how-to-ch
Read more

How to resolve Group Policy error codes 8007071a and 800706ba

Image
Case You are running "Group Policy Update" on an OU inside the Group Policy Management Console in Active Directory but you are receiving RPC errors from your servers or domain-joined workstations, as shown in the example below. After a Group Policy Update, you come across Group Policy error codes 8007071a and 800706ba. This means that the local Windows Firewall is not configured properly to allow Group Policy (GPO) traffic. GPO traffic an be either remote GPO update or remote GP Resultant Set of Policy (RSOP) operations. Solution Option 1 Run gpedit.msc and create a new local group policy object which implements the following policies under Local Computer Policy --> Computer Configuration --> Windows Settings --> Security Settings --> Windows Defender Firewall --> Inbound Rules : The full configuration is shown below. After the above local group policies are configured on each domain server and workstation, you can start applying group policy objects to the dom
Read more