Office 365 MFA Setup

Password protection for an Office 365 account using a linked mobile device to prevent unauthorized login.

Relevance

Last Review: February 4, 2021

Product(s): Office 365, Azure

Author(s): Kyle Vang

Delta

A cyberist created this article using the patented Delta Method by modernizing a typical approach.

Summary

Multi-Factor Authentication (MFA) provides password protection for Office 365 user accounts.

By linking an O365 account to a mobile device, attempted unauthorized logins can be denied.

Enabling MFA is the top cybersecurity recommendation by Homeland Security to protect yourself, staff, and customers from cybercrime.

MFA is no additional cost with an Office 365 subscription and requires little or no inconvenience for login.

Failure to implement MFA may be considered willful neglect with potential reputation damage, business loss, fines, and civil and criminal penalties.

Requirements

  • Global Admin access is required to configure MFA for users.
  • Users must have at minimum an Office 365 subscription and a mobile device for authentication.
  • Office 365 mobile apps are recommended on smartphones for security compliance and best experience.
  • Third-party and legacy or basic authentication apps will require App Passwords and may be blocked or unsupported after 10/2020.
  • It takes approximately 30 minutes for a Global Admin to configure MFA and 15 minutes or less per user to set up and verify MFA.
  • Conditional access for trusted IPs may be configured so users are not prompted for MFA within your facilities.
  • Announcement with instructions, demonstration, and notice of MFA enablement date is critical.
  • Using the automated phone call as the MFA preference is recommended because the user simply presses the pound key. The Authenticator app is the secondary recommendation where phone or messaging services are limited.

Admin MFA Setup for Users

  1. Log into portal.office.com as a global admin.
  2. Click Users > Active Users > More > Multifactor Authentication Setup.
  3. Select desired users and Enforced.
  4. Log into portal.office.com as a global admin.
  5. Click Azure Active Directory > Conditional Access > Named Locations > Configure MFA trusted IPs.
  6. For most scenarios accept the defaults, enter one or more subnets like 10.0.0.1/24 under Skip multi-factor authentication for requests from the following IP address subnets, and Save.

User MFA Instructions

  1. Log into portal.office.com.
  2. Click Set it up now when prompted to further verify your account.
  3. Set your preferred option to Call my authentication phone.
  4. Follow the prompts and click next for verification.
  5. For legacy or third-party apps you can set up an App Password as described in the next section.
  6. Once you complete these instructions, you'll be prompted for verification the next time you log into Office 365.

App Password Setup

  1. Log into portal.office.com.
  2. Click Manage security & privacy > Additional security verification > Create and manage app passwords.
  3. Click Create and name the App Password for usage like iPhone Mail or Outlook Home.
  4. Make note of the App Password and use it instead of your Office 365 password for the desired application like Skype for Business. Repeat the step above if you need an App Password for other applications.
  5. App passwords can be deleted and recreated if forgotten at https://account.activedirectory.windowsazure.com/AppPasswords.aspx.
  6. To change MFA preferences like a new mobile number go to https://aka.ms/mfasetup.

Follow-up

Test with each user to verify MFA is working for both smartphone and desktop apps. InPrivate Browsing may be used to test multi-factor authentication from within a trusted IP address range. Common problems are frequent authentication requests from legacy apps that Microsoft no longer supports, and typos in trusted IP addresses or App Passwords.
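As an added example that is not part of the original article, the following PowerShell performs the equivalent of steps 2 and 3 of the Admin MFA Setup (enforcing MFA for chosen users) and then runs the follow-up check from this section, listing licensed users whose MFA is still Disabled. It uses the MSOnline module that was current when this article was written (Microsoft has since deprecated it in favour of Microsoft Graph PowerShell); the user principal names are constructed sample values.

```powershell
# Added example, not from the original article. Requires the MSOnline module
# (Install-Module MSOnline) and a Global Admin sign-in when prompted.
Import-Module MSOnline
Connect-MsolService

# Constructed sample users to enforce; replace with your own UPNs.
$targets = @('alice@contoso.example', 'bob@contoso.example')

# This object is what the portal's "Enforced" button sets on the user.
$req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$req.RelyingParty = '*'
$req.State = 'Enforced'

foreach ($upn in $targets) {
    Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements @($req)
    Write-Host "Enforced MFA for $upn"
}

# Follow-up audit: any licensed user with no StrongAuthenticationRequirements
# entry is still in the Disabled state and has not been enrolled.
$notEnforced = Get-MsolUser -All |
    Where-Object { $_.IsLicensed } |
    ForEach-Object {
        $state = if ($_.StrongAuthenticationRequirements.Count -gt 0) {
            $_.StrongAuthenticationRequirements[0].State
        } else {
            'Disabled'
        }
        [pscustomobject]@{
            UserPrincipalName = $_.UserPrincipalName
            MfaState          = $state
        }
    } |
    Where-Object { $_.MfaState -ne 'Enforced' }

$notEnforced | Format-Table -AutoSize
```

Users listed by the audit with a state of Enabled have been flagged but have not yet completed the User MFA Instructions; those listed as Disabled were missed in step 3.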