How to set up multifactor authentication in Office 365
Lukas Beran
Multifactor authentication (MFA) in Office 365 is a way to dramatically improve the security of an Office 365 tenant, and therefore of all its users and data.
With multifactor authentication in Office 365 it is no longer enough to know a user’s password: every login attempt also has to be verified via the user’s phone, either with a code sent by SMS, a phone call, or a push notification in the Microsoft Authenticator app for Windows, Android, or Apple devices. It is a security method that requires something I know (username and password) together with something I own (a verified phone).
This multifactor authentication costs nothing extra because it is available to all Office 365 users. The only thing we need to do is enable it or enforce it.
Before we activate multifactor authentication for our Office 365 tenant, we should enable modern authentication so that users can sign in to Office applications with their username and password plus phone verification instead of application passwords. I described how to set up modern authentication in Office 365 in my previous article.
How to enable multifactor authentication in Office 365
We can enable Office 365 multifactor authentication in the MFA portal. This portal lists all users together with their MFA status.
When we select a user, we can change his or her MFA status.
In the first step I recommend setting the status to Enabled, which allows users to set up their MFA (verify their phone number, configure their applications) and prepare their applications for MFA; after some time, switch the status to Enforced. The Enforced status actually requires MFA: users’ applications will stop syncing content and will immediately demand MFA.
Now MFA is ready and users can set up their MFA details and prepare their apps.
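The Enabled-then-Enforced rollout described above can also be scripted instead of clicked through per user. The following PowerShell is an added example and is not code from the original article or from Microsoft. It assumes the MSOnline PowerShell module (Connect-MsolService, Get-MsolUser, Set-MsolUser) and the StrongAuthenticationRequirements / StrongAuthenticationMethods properties that module exposes for per-user MFA; Microsoft has since deprecated that module, so treat it as illustrating the state model rather than as a current recommendation. The function names (New-MfaRequirement, Enable-UserMfa, Get-MfaStatusReport, Set-MfaEnforcedForRegistered, Disable-UserMfa) are my own. It goes one step beyond the article by checking which Enabled users have actually registered a verification method before switching them to Enforced, so the sync failures mentioned above only affect users who can answer the prompt.

```powershell
# Added example, not part of the original article. Assumes the (now deprecated)
# MSOnline module and an administrator session opened with Connect-MsolService.
Import-Module MSOnline
Connect-MsolService   # prompts for admin credentials

# Build the per-user MFA requirement object. State is "Enabled" or "Enforced";
# RelyingParty "*" applies the requirement to every application.
function New-MfaRequirement {
    param([ValidateSet("Enabled", "Enforced")][string]$State)
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = "*"
    $req.State = $State
    return $req
}

# Step 1: set users to Enabled so they can register a phone or the Authenticator app.
function Enable-UserMfa {
    param([string[]]$UserPrincipalName)
    $req = New-MfaRequirement -State "Enabled"
    foreach ($upn in $UserPrincipalName) {
        Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements @($req)
    }
}

# Report: current per-user MFA state and whether the user has registered any method yet.
# An empty StrongAuthenticationRequirements collection means MFA is Disabled for that user.
function Get-MfaStatusReport {
    Get-MsolUser -All | ForEach-Object {
        $default = $_.StrongAuthenticationMethods | Where-Object { $_.IsDefault }
        [pscustomobject]@{
            UserPrincipalName = $_.UserPrincipalName
            MfaState          = if ($_.StrongAuthenticationRequirements.Count -gt 0) {
                                    $_.StrongAuthenticationRequirements[0].State
                                } else { "Disabled" }
            Registered        = ($_.StrongAuthenticationMethods.Count -gt 0)
            DefaultMethod     = if ($default) { $default.MethodType } else { $null }
        }
    }
}

# Step 2: move to Enforced only those Enabled users who have registered a method,
# so nobody's Outlook or Teams stops syncing before they can satisfy the prompt.
function Set-MfaEnforcedForRegistered {
    $req = New-MfaRequirement -State "Enforced"
    Get-MfaStatusReport |
        Where-Object { $_.MfaState -eq "Enabled" -and $_.Registered } |
        ForEach-Object {
            Set-MsolUser -UserPrincipalName $_.UserPrincipalName -StrongAuthenticationRequirements @($req)
        }
}

# Removing per-user MFA again is done by writing an empty requirements array.
function Disable-UserMfa {
    param([string]$UserPrincipalName)
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @()
}

# Typical rollout: enable a pilot group, wait for registrations, then enforce.
Enable-UserMfa -UserPrincipalName "alice@contoso.example", "bob@contoso.example"   # constructed UPNs
Get-MfaStatusReport | Where-Object { -not $_.Registered } | Format-Table -AutoSize
Set-MfaEnforcedForRegistered
```

Run the report between the two steps and chase the users listed as not yet registered; switching them to Enforced before they have a phone or Authenticator app enrolled locks them out of their applications rather than protecting them.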
MFA service settings
Other MFA service settings are available from the MFA Service Settings page.
On this page we can define trusted networks/IPs from which we will not require MFA (typically the corporate network) because we trust them.
Furthermore, we can also choose the verification methods available to our users (phone call, code via SMS, push notification to the mobile app, code from the mobile app) and whether MFA is remembered on trusted devices.