Nov 09 2020

How to Install Multifactor Authentication on Microsoft Office 365

Agencies can get an extra layer of protection by embracing MFA.

Multifactor authentication, which takes two or more credentials to verify a user’s identity, is vital for protecting personal information — and it’s also required for contractors under the National Institute of Standards and Technology’s Special Publication 800-171 to protect unclassified but sensitive data. Here’s how to set up MFA in Microsoft Office 365.

1. Enable Multifactor Authentication for All Users

First, navigate to the Office 365 admin center. Select Users > Active Users and click on Multi-Factor Authentication. Enable MFA for all users by clicking Bulk Update. To turn on MFA with the minimum configuration needed, click on Enable under Quick Steps. On the pop-up window, click on Enable Multi-Factor Authentication. All active users will be required to use MFA the next time they sign in.

2. Review and Modify Your Verification Settings

Default settings are an excellent starting point for MFA, but it’s wise to understand all options. Some authentication methods are more secure than others, and it may be advisable to enable only those that improve the security posture. Under MFA settings, click on Service Settings to modify verification settings. With the increasing prevalence of SIM swap exploits, disabling the text message verification method may increase security.

3. Cut Down on the Cached Token Time

Office 365 allows users to remember their devices for a certain number of days upon sign-in. Under MFA settings, click on Service Settings to modify the number of days. Nonweb applications use hourly refresh tokens. Every time a nonweb token is used, it is checked against the previously set number of days. These apps normally check every 90 days. By decreasing this number, the security of all logins is increased.

4. Inspect the MFA Reports on a Regular Basis

To address any problems, an administrator must verify MFA history. The Microsoft Azure portal and Azure Active Directory offer reports that show when MFA is used; look in the sign-ins activity report. This allows an administrator to understand when MFA is challenged, what methods are used and any other issues that may occur.
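One way to make the regular review in step 4 repeatable is to run an exported sign-ins report through a short script. The following is an added example, not part of the original article or any Microsoft tooling; the rows are constructed and the field names (`user`, `mfa_required`, `mfa_method`, `result`) are assumptions to map onto the columns of your own export.

```python
import json
from collections import defaultdict

# Constructed sample rows. Field names and method labels are assumptions,
# not the portal's export schema; rename them to match your report.
SAMPLE_EXPORT = """[
 {"user": "alice@agency.example", "mfa_required": true,  "mfa_method": "Mobile app notification", "result": "success"},
 {"user": "alice@agency.example", "mfa_required": true,  "mfa_method": "Mobile app notification", "result": "success"},
 {"user": "bob@agency.example",   "mfa_required": true,  "mfa_method": "Text message", "result": "success"},
 {"user": "carol@agency.example", "mfa_required": false, "mfa_method": null, "result": "success"},
 {"user": "carol@agency.example", "mfa_required": false, "mfa_method": null, "result": "success"},
 {"user": "dave@agency.example",  "mfa_required": true,  "mfa_method": "Phone call", "result": "failure"},
 {"user": "dave@agency.example",  "mfa_required": true,  "mfa_method": "Phone call", "result": "failure"},
 {"user": "dave@agency.example",  "mfa_required": true,  "mfa_method": "Phone call", "result": "failure"}
]"""
SAMPLE_ROWS = json.loads(SAMPLE_EXPORT)

# Step 2 of the article: text message verification is exposed to SIM swapping.
WEAK_METHODS = {"Text message"}

def summarize(rows):
    """Aggregate sign-in rows into a per-user MFA summary."""
    users = defaultdict(lambda: {"sign_ins": 0, "challenged": 0,
                                 "failed_mfa": 0, "methods": set()})
    for row in rows:
        entry = users[row["user"].lower()]
        entry["sign_ins"] += 1
        if row.get("mfa_required"):
            entry["challenged"] += 1
            if row.get("mfa_method"):
                entry["methods"].add(row["mfa_method"])
            if row.get("result") != "success":
                entry["failed_mfa"] += 1
    return dict(users)

def findings(summary, max_failures=2):
    """Return (user, issue) pairs an administrator should follow up on."""
    out = []
    for user, s in sorted(summary.items()):
        if s["challenged"] == 0:
            out.append((user, "never challenged for MFA"))
        if s["methods"] & WEAK_METHODS:
            out.append((user, "uses text message verification"))
        if s["failed_mfa"] > max_failures:
            out.append((user, f"{s['failed_mfa']} failed MFA challenges"))
    return out

if __name__ == "__main__":
    for user, issue in findings(summarize(SAMPLE_ROWS)):
        print(f"{user}: {issue}")
```

An account that is never challenged may simply be within its remembered-device window from step 3, so check that setting before treating it as a gap in enforcement.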
