You probably know that cybercriminals are using more sophisticated methods to steal your confidential information. They’ve adjusted their hacks from trying to directly access your device or system using phishing attacks, Trojans or ransomware, to attacking web applications like Microsoft Office 365.
For this reason, we recommend that you protect your Office 365 application with Multi-Factor Authentication (MFA).
MFA has been available for Office 365 administrators since June 2013, and now it’s available for all Office 365 users. Microsoft has added MFA for users of Office 365 Midsize Business, Enterprise plans, Academic plans, Nonprofit plans, and standalone Office 365 plans, including Exchange Online and SharePoint Online. If you have a subscription for one of these, administrators can now enable MFA for your users without requiring any additional purchase or subscription.
MFA increases security when you log in to Office 365, or any web-based application. When you log in and enter your password, you’ll be required to acknowledge a phone call, text message, or an app notification on your smartphone. Once you do, you can then sign in to Office 365.
If you think you don’t need MFA for your Office 365 account, please read on.
Today we’re prone to multiple sources of intrusion due to the number of connected devices and applications we use. And Office 365 is now available for your desktop, laptops, tablets, and smartphones.
As you know, with Office 365 you can seamlessly share content, data, and confidential information between your devices (and with others). If your Office 365 gets infected with a virus, cybercriminals can essentially access all of your files and get into your network. You need MFA to combat this.
Still not convinced? Ask yourself these questions:
- Do you ever email confidential documents and files to clients, coworkers, and vendors?
- Do you email important, confidential data or files to your Office 365 email address?
If you do, there’s no doubt that you need to use MFA. If you’re like most people, your mobile devices are your primary communication tool. And many use them as productivity tools to access their Office 365 resources. If so, you probably keep a lot of your personal and work information on these devices. Another reason why MFA is a must.
Microsoft’s built-in MFA security system, named Azure Multi-Factor Authenticator, requires you to enter more than your password. You must use a verification process through one of the following:
- Phone Call – A security rep or automated assistant will call your phone to authenticate who you are. They will do this via a series of questions and command prompts.
- Text Message – The same is done as with a phone call but in text form.
- Mobile App Notification – Azure MFA will send you command prompts.
- Mobile App Verification Code – You must enter a code through the MFA mobile app.
- 3rd-party OAuth tokens – If you process a lot of confidential data, this is probably a good form of MFA for you. It’s much like using an RSA token that remotely generates an access code.
When you sign in to Office 365, you’ll get a message asking for your MFA. Here’s what will happen.
- If you chose “Call my mobile phone,” you’ll receive a phone call asking you to press the pound key. Once you do, you’ll be logged in.
- If you chose “Text code to my mobile phone,” you’ll receive a text message containing a 6-digit code that you must enter into the portal.
- If you chose “Call my office phone,” just like “Call my mobile phone,” you’ll receive a phone call on your office phone asking you to press the pound key. Once you do, you’ll be logged in.
- If you chose “Notify me through app,” you’ll get a notification in a smartphone app that you chose. This option is available for Windows Phones, iPhones, and Android devices.
- If you chose “Show one-time code in app,” you’ll receive a notification in the app, and you must enter your 6-digit code into the portal.
For more information, the next time you log in to your Office 365 account, click on the “Set up” or “Learn More” links next to the “Set MFA requirements” in the Active Users list, or contact your IT administrator. Or, you can visit the Office 365 Trust Center for more information about MFA.
Info for Administrators
Office 365 provides MFA capabilities to provide an extra layer of security. It’s managed from the Office 365 admin center. Office 365 also offers the following subset of Azure MFA capabilities as a part of the subscription:
- The ability to enable and enforce MFA for end users
- The use of a mobile app (online and one-time password [OTP]) as a second authentication factor
- The use of a phone call as a second authentication factor
- The use of a Short Message Service (SMS) message as a second authentication factor
- Application passwords for non-browser clients (for example, the Microsoft Lync 2013 communications software)
- Default Microsoft greetings during authentication phone calls
Note: You must be a global administrator to manage these tasks.
Here’s how administrators can configure MFA for Office 365:
- Locate the users you want to use MFA. To see everyone, you may need to change the Multi-Factor Authentication status view. Views are based on users’ MFA status:
  - Any: Displays all users. (This is the default.)
  - Enabled: The user is enrolled in MFA but hasn’t completed the registration process. (They will be asked to complete the process the next time they sign in.)
  - Enforced: The user may have completed registration, or not. If they have, they are using MFA. Otherwise, they will be asked to complete the process the next time they sign in.
- Select the checkbox next to the users you want to use MFA.
- Go to Quick Steps. Here you’ll see Enable and Manage user settings. Choose Enable.
- Then choose Enable multi-factor auth.
The next time you log in to your Office 365 account as an administrator, click on the “Set up” or “Learn More” links next to the “Set MFA requirements” in the Active Users list. Or you can find more info here.
We highly recommend that you use MFA for Office 365, or any web application. The criminals are out there always searching for the “door” into your data. You must protect it.