As we discussed previously, passwords can be guessed or even cracked by determined attackers. One way to help protect account access is to use an additional authentication method other than a password. Multi-Factor Authentication (MFA) or 2-Factor Authentication (2FA) provides this additional authentication method.
The additional method (also called a “factor”) recommended for Office 365 is the use of a software “token” on your smartphone.
There are many options to choose, but for the purposes of this tutorial, we will work with the Microsoft-recommended application called Microsoft Authenticator. Microsoft Authenticator is a smartphone app, compatible with most mobile operating systems. When configured, you will need to use the app to complete any logins.
Enabling Multi-Factor Authentication for your users:
1. Log in to your portal as an administrator user, and navigate to the Admin panel
2. Navigate to the Users->Active Users
3. Click the “Multifactor Authentication” link
4. In the resulting screen, select all your users, then click the “Enforce” button on the right under “quick steps.”
5. On the following prompts, confirm that you want to enable multi-factor authentication.
When users log in the next time, they will be prompted to set up their two-factor authentication applications, following the same steps below:
1. Navigate to “My Account” for your own user account
2. Select “Security & Privacy” from the menu on the left
3. Click “Additional Security Verification” then click “Update your phone numbers used for account security.”
4. Select “Mobile app” from the dropdown menu
5. Select the “Receive Notifications for verification” radio button,
6. Click Setup
7. Follow the instructions for configuring the mobile application on the resulting page, then click next to verify and complete the process.
That's all there is to it! To add the rest of your workforce, they can simply go to https://aka.ms/mfasetup and register their mobile device with their account!
IMPORTANT UPDATE: There is a bug in Exchange Web Services (EWS) that allows for logins without MFA even though it's enabled elsewhere. At this time, we recommend disabling EWS access to your O365 environment.