Multi-factor Authentication for Office 365


The need for good security is a hard reality in today’s modern, cloud-connected world. Passwords, even the most complex and lengthy, just aren’t enough anymore. Fortunately, we have many options to help us these days. Whether it’s RSA tokens, biometrics, text messages or authentication apps, we have plenty of options to choose from. Unfortunately, the setup, cost and difficulty of use can be overwhelming for many and if you use cloud services like Microsoft Office 365, some of these options might not be available. What are you to do? Fortunately, Office 365 has built in Multi-factor authentication (MFA) that is both robust, easy to setup and included with every Office 365 account.


What is Office 365 MFA?

Out of the box, Office 365 only requires a username and password to gain access. While they do require you to have certain complexity levels on the password, there are ways around this and as with all passwords, their effectiveness is limited by us, the humans that often fall pray to scams and give them away willingly. Office 365 MFA adds in another layer of account verification that requires direct user interaction before granting access.  This additional layer of verification can take many forms and you can set up several, for use if one of your authentication methods isn’t available.


How does it work?

After being enrolled for multi-factor authentication, the next time a user signs in, they see a message asking them to set up their second authentication factor. There are several options available which we will list and detail below.

Phone verification:

You can configure two types of phone verification, voice call or text message.

  1. Call my mobile phone. The user receives a phone call that asks them to press the pound key. Once the pound key is pressed, the user is logged in.
  2. Text code to my mobile phone. The user receives a text message containing a six-digit code that they must enter into the portal.
  3. Call my office phone. This is the same as Call my mobile phone, but it enables the user to select a different, pre-configured phone if they do not have their mobile phone with them.

Authenticator App:

Both Microsoft and Google provide authenticator apps that work with Office 365 MFA. When using an authenticator app, the end-user will be prompted to provide a code when attempting to authenticate with the Office 365 portal or an application. When configuring an authenticator app, you have the following options.

  1. Show one-time code in app. The user will be prompted to scan a QR code from within the authenticator app. Once complete, the next time the user attempts to sign in and use this option they will be asked to provide a code generated from within the app.
  2. Notify me through app. Only supported by the Microsoft Authenticator, this will push a notification that the user can respond to without the need to type in a special code.


The above authentication methods work for all applications (desktop and mobile) that support Microsoft’s “Modern” web-based authentication. Most of Microsoft’s own applications now support Modern Authentication, but what about 3rd party apps, older apps or devices that might use end-user credentials (scanning apps, for instance)? For these cases, Microsoft has something called App Passwords.

Once a user has logged in with multi-factor authentication, they will be able to create one or more App Passwords for use in client applications or on devices. An App Password is a 16-character randomly generated password that cannot be viewed after it is created. If you need App Passwords for multiple applications or devices you can create them as needed and you can even name them so that you know what App Password goes with what device or application.



How do I get started with Office 365 MFA?

The initial setup of Office 365 MFA must be done by someone with Global Admin rights and then it can be enabled per-account by someone with both Global Admin or Password Admin rights. After that, the end-user can manage their own Office 365 MFA settings from within their own Security and Privacy settings in the Office 365 portal as shown below. Here the user can select their preferred, default method of MFA as well as configure other options.


Thanks for reading this months Tip of the Month. We hope you’ve found this useful and as always, if you’d like to learn more about Office 365 Multi-Factor Authentication, Abel Solutions is here to help.


This tip written by Abel Solutions IT Services Manager, Jason Casteel.