Office 365 – Multi Factor Authentication support part 1. – Enable MFA in tenant from admin point of view


As you probably know, Microsoft recently updated their information about MFA in Office 365, so here is overview what it can, cannot do, its support and how to set it up.

Description

What do you need to know is http://technet.microsoft.com/en-us/library/dn383636.aspx , but I will place it here as well:

Multi-Factor Authentication for Office 365 is:

  • powered by Azure Multi-Factor Authentication
  • free for Microsoft Office 365 applications
  • works exclusively for Office 365 applications
  • managed from the Office 365 portal

Multi-Factor Authentication for Office 365 offers the following subset of Azure Multi-Factor Authentication capabilities. Each will be described later on or in the next part:

  • Ability to enable and enforce multi-factor authentication for end users
  • Use of a mobile app (online and one-time password [OTP]) as a second authentication factor
  • Use of a phone call as a second authentication factor
  • Use of an SMS message as a second authentication factor
  • Application passwords for non-browser clients (for example, Microsoft Outlook messaging and collaboration client and Microsoft Lync communications software)
  • Default Microsoft greetings during authentication phone calls

Options for MFA

You can use 2 options.

  • First is full featured Azure MFA, which is paid (I don´t have Azure subscription nor want to pay for it, so I will use second option.
  • Second option is to use it for free for Office 365 application which means to enable it in Office 365 portal

How to enable MFA in Office 365 (Admin point of view)

Prerequisites are obvious. You must have working tenant, licenses, test users and so on. After all prerequisites are fulfilled, use the following:

  • Log on to tenant
  • In Office 365 admin center page  go to Users -> Active Users and Set Up in Set Multi Factor Authentication requirements

MFAenableMFAEnable 2 - bulk

  • Process consists of two steps. In first step you enable MFA for user. This allows user to start registration proces in which user select methods of additional verification. supported clients and browsers.

enable2

  • After MFA is enabled, provide user with a link to manage his MFA options. User can visit the link and manage his profile after successful sign in to Office 365

enable3

  • Enforce option is second step to force user, to use MFA after successful registration. Create APP Passwords for not supported clients such as Outlook as a second authentication factor besides username and password is described in part 2.

enforce2

Enforce option is not enabled for admins for security reasons so do not use enforce options for admins, because it will force admins to use browsers only

enforce

While MFA is enabled, you can force user to re-create App Passwords by deleting old ones, provide contact info again and restore MFA for devices, which were previously suspended from MFA, because those devices were registered and user selected to skip MFA for known devices.

Powershell management

To gather if MFA is enabled for user

Get-MSOLUser -UserPrincipalName <UPN> | select strong*

and output (red without MFA, green with enabled MFA)enabledpshaout

To enable MFA

Enable:

#Create the StrongAuthenticationRequirement object + required settings
$mfa= New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$mfa.RelyingParty = "*"
$omfa = @($mfa)
#Enable MFA for a user
Set-MsolUser -UserPrincipalName alsajid@salonovi.cz -StrongAuthenticationRequirements $omfa

Thanks to: http://365lab.net/2014/02/15/office-365-enable-multi-factor-authentication-with-powershell/

Next part describes MFA´s user point of view.

 

 

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s