Part One | Part Two | Part Three
Exchange Online Multi-Factor Authentication: We have covered two-factor authentication (2FA) and Exchange Online multi-factor authentication (MFA) before, in particular that you MUST enable it for sensitive accounts. I include all IT users, especially those with administrative access, plus any senior management user in the organisation such as the MD/CEO, whose email is sensitive enough on its own to justify Exchange Online Multi-Factor Authentication.
Two-factor authentication (2FA) or multi-factor authentication (MFA) has been available in Office 365 for many years, but you must enable it for your users yourself. Microsoft's Authenticator app for Android, iOS and Windows Phone makes completing MFA simpler than ever: the user approves a push notification instead of typing in a six-digit code.
Why use Office 365 & Exchange Online with Azure Multi-Factor Authentication?
The geo-distributed, highly available design of Azure AD means you can rely on it for your most critical business needs. With the prevalence of smartphones, tablets, laptops and PCs, people have more ways than ever to connect, and stay connected, at any time. Office 365 Multi-Factor Authentication and Exchange Online Multi-Factor Authentication through Azure Multi-Factor Authentication is an easy-to-use, scalable and reliable service that adds a second authentication method, so that a stolen or guessed password alone is no longer enough to sign in.
People can securely access their accounts and applications from anywhere, which means that they can get more work done and serve customers better.
- Two-step verification, which requires more than one method of authentication. This adds a critical second layer of security when a user signs in. It works by requiring two or more of the following:
Something you know, for example a password
Something you have, typically a trusted device that is not easily duplicated, such as a phone
Something you are, such as a biometric
- It's easy to use, with a range of verification methods including text message, phone call, mobile app or email to an alternate account. Prefer the mobile app (push notification or generated code) where you can: SMS and voice calls depend on the phone network and can be redirected by SIM-swap or call-forwarding attacks.
This means that, with the extra protection of Azure Multi-Factor Authentication, users can manage their own devices and authenticate in the way they prefer, based on where they are.
- Azure Multi-Factor Authentication is simple to set up and use. Once an administrator has enabled it, in many cases the user can complete enrolment in a few clicks.
This means the burden of implementation is reduced and users are keen to adopt it.
- Verification with Azure Multi-Factor Authentication is scalable, using the power of the cloud while optionally integrating with your on-premises Active Directory (AD) and custom applications.
This means protection can be extended to your high-volume, mission-critical services.
- Azure Multi-Factor Authentication provides strong authentication based on industry standards.
This means you are not just more secure but can also meet compliance requirements. You can monitor application usage and protect your business from advanced threats with security reporting and monitoring.
- With a 99.9% Service Level Agreement (SLA) for availability, Azure Multi-Factor Authentication is reliable.
This means you can expect to be able to authenticate when you need to; the service is considered unavailable when it cannot receive or process verification requests for two-step verification.
I use Azure MFA with Microsoft's OneDrive for Business, SharePoint Online, the Office 2016 desktop apps (I'm not confessing to using Outlook 2016), the mobile Office apps and Skype for Business, on Mac, Windows 8, Windows 10 and iOS, and have found no issues. However, some services need an App Password or are incompatible, so review all the software and services in use in your organisation before you enforce MFA. I'll cover the use of App Passwords in Part 3 of 3.
It is important to note that administrative accounts previously could not use PowerShell once Azure multi-factor authentication was enforced on the account. Microsoft recommended creating a separate, non-MFA account for each admin user to access PowerShell for Office 365 and Exchange Online, and disabling these accounts when not in use. That was clearly unworkable (a standing privileged account without MFA is exactly what you are trying to eliminate), so earlier this year they fixed it with the Exchange Online Remote PowerShell Module, whose Connect-EXOPSSession cmdlet signs in interactively and prompts for the second factor. You will need to ensure that Modern Authentication is enabled in your Exchange Online tenant before you can use the module.
You must enable Modern Authentication to support Outlook 2016 and Outlook 2013 clients.
Enable modern authentication in Exchange Online
Modern authentication in Office 365 enables features such as multi-factor authentication (MFA), smart card and certificate-based authentication (CBA), and third-party SAML identity providers. It is based on the Active Directory Authentication Library (ADAL) and OAuth 2.0: the client obtains a token from Azure AD rather than sending the user's password to Exchange with every request, which is what makes the second factor possible. By default, modern authentication is NOT enabled in Exchange Online, but you can enable it:
- Connect to Exchange Online PowerShell:
To enable Windows PowerShell to run signed scripts, run the following command in an elevated Windows PowerShell window (one you open by selecting Run as administrator):
Set-ExecutionPolicy RemoteSigned
You need to configure this setting only once on your computer, not every time you connect.
- Run the following command:
$UserCredential = Get-Credential
In the Windows PowerShell Credential Request dialog box, type your Office 365 user name and password, and then click OK.
- Run the following command:
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Note that this session authenticates with Basic authentication and a stored credential, so it only works for an account that is not MFA-enforced. An MFA-enforced administrator should connect with the Exchange Online Remote PowerShell Module described above instead.
- Run the following command to import the Exchange Online cmdlets into your local session:
Import-PSSession $Session -DisableNameChecking
- Run the following command in Exchange Online PowerShell:
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
- To verify that the change was successful, run the following command in Exchange Online PowerShell; OAuth2ClientProfileEnabled should now show True:
Get-OrganizationConfig | Format-Table -Auto Name,OAuth*
- When you have finished, run Remove-PSSession $Session to release the remote session; Exchange Online limits the number of concurrent sessions per account.
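The whole procedure above as one script, added here as an example rather than taken from the original post or from Microsoft's documentation. It only flips the setting if it is still off, re-reads the configuration to confirm the change instead of trusting the call, and always releases the remote session. It assumes, as the steps above do, that the account used is not MFA-enforced, because this endpoint is contacted with Basic authentication.

```powershell
# Added example (not from the original post): enable modern authentication in
# Exchange Online idempotently and verify the result.
# Assumption: the credential entered belongs to an account that is NOT
# MFA-enforced; an MFA-enforced admin must use Connect-EXOPSSession from the
# Exchange Online Remote PowerShell Module instead of New-PSSession below.

# Once per machine, from an elevated window: allow locally created scripts to run.
Set-ExecutionPolicy RemoteSigned

$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri https://outlook.office365.com/powershell-liveid/ `
    -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session -DisableNameChecking | Out-Null

try {
    $cfg = Get-OrganizationConfig
    if ($cfg.OAuth2ClientProfileEnabled) {
        Write-Host "Modern authentication is already enabled for $($cfg.Name)"
    }
    else {
        Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

        # Re-read the tenant configuration rather than assuming the call took effect.
        $cfg = Get-OrganizationConfig
        if (-not $cfg.OAuth2ClientProfileEnabled) {
            throw "OAuth2ClientProfileEnabled is still False for $($cfg.Name); investigate before continuing"
        }
        Write-Host "Modern authentication enabled for $($cfg.Name)"
    }

    # Same check as the manual verification step: Name plus every OAuth* property.
    $cfg | Format-Table -AutoSize Name, OAuth*
}
finally {
    # Always release the remote session; Exchange Online caps concurrent sessions per account.
    Remove-PSSession $Session
}
```

If the final table still shows OAuth2ClientProfileEnabled as False, the script stops with an error rather than reporting success, which is the behaviour you want from anything that gates the rollout of MFA.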
When you enable modern authentication in Exchange Online, Microsoft recommend that you also enable it in Skype for Business Online; see Microsoft's Skype for Business Online modern authentication documentation for instructions. Modern authentication is enabled by default in SharePoint Online.
Office 365 & Exchange Online Multi-Factor Authentication in the Admin Portal
Log in to the Office 365 admin portal at https://portal.office.com using an administrator account.
1. From the menu on the left of the portal, expand Users and click Active users.
2. In the list of users, click the user for whom you want to enable MFA. Only licensed users can use Office 365 Multi-Factor Authentication. On the user's pane, click Manage multi-factor authentication under More settings.
3. On the multi-factor authentication page, select the user account to enable, and then click Enable under quick steps on the right.
4. In the About enabling multi-factor auth dialog box, click enable multi-factor authentication.
5. You should see a dialog box showing Enabling multi-factor Authentication.
6. Click close when you see Updates successful.
The Multi-Factor Authentication Status column for the user changes to Enabled. Enabled means the user will be prompted to register a verification method the next time they sign in; the status moves to Enforced once they have completed that registration. Sign out from the admin portal and close the browser window.
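Clicking through the portal is fine for one user, but the thesis of this post is that every administrator must have MFA, and that is easier to guarantee with a script you can re-run. The following is an added example, not code from the original post: it uses the MSOnline module to find every member of the Global Administrator role (called Company Administrator in MSOnline) and puts per-user MFA into the Enabled state for any of them who do not have it yet, then lists every user in the tenant whose MFA status is still blank. It assumes the MSOnline module is installed (Install-Module MSOnline) and that you run it as a tenant administrator.

```powershell
# Added example (not from the original post): enable per-user MFA for every
# Global Administrator who does not already have it, the scripted equivalent
# of the portal steps above.
# Assumptions: the MSOnline module is installed; the account you sign in with
# can administer the tenant. Connect-MsolService signs in interactively, so an
# MFA-enforced admin can run this.
Import-Module MSOnline
Connect-MsolService

# Resolve the role and its user members (skip groups and service principals).
$role    = Get-MsolRole -RoleName 'Company Administrator'
$members = Get-MsolRoleMember -RoleObjectId $role.ObjectId |
           Where-Object { $_.RoleMemberType -eq 'User' }

# One requirement object is reused for every user. State = Enabled matches the
# portal's Enable action: the user registers at next sign-in and then becomes
# Enforced. Setting State = Enforced directly skips that grace period.
$req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$req.RelyingParty = '*'
$req.State        = 'Enabled'

foreach ($m in $members) {
    $user  = Get-MsolUser -UserPrincipalName $m.EmailAddress
    $state = $user.StrongAuthenticationRequirements.State   # $null when MFA is not set

    if (-not $user.IsLicensed) {
        # The post notes that only licensed users can use Office 365 MFA.
        Write-Warning "$($user.UserPrincipalName) is an admin but unlicensed; cannot enable MFA here"
        continue
    }
    if ($state) {
        Write-Host "$($user.UserPrincipalName): already $state"
        continue
    }

    Set-MsolUser -UserPrincipalName $user.UserPrincipalName -StrongAuthenticationRequirements @($req)
    Write-Host "$($user.UserPrincipalName): MFA set to Enabled"
}

# Verification: anyone left with a blank status has no MFA requirement at all.
Get-MsolUser -All |
    Where-Object { -not $_.StrongAuthenticationRequirements.State } |
    Select-Object UserPrincipalName, IsLicensed
```

Run the script again after your admins have registered and the state shown for each of them should have moved from Enabled to Enforced. To take MFA off a user (for example a break-glass account you protect some other way) pass an empty array, -StrongAuthenticationRequirements @(), which is why the check above treats a blank state as "not configured" rather than as an error.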
Enrol Accounts for Office 365 & Exchange Online Multi-Factor Authentication
To enrol your user account for Office 365 Online Multi-Factor Authentication, continue to Part Two.