MultiFactor Authentication Office 365

What you know? What you have?

Importance of Multi-Factor Authentication

Multi-factor authentication is a necessity these days. Scammers are actively trying to gain access to end-user mailboxes for their own malicious activities. Most people think of this attack as hacking, but this couldn’t be further from the truth; often access is gained by providing the actual credentials to the mailbox.

The scammers obtain these credentials by purchasing them on the dark web or from previously successful phishing or spear phishing email campaigns (example snapshot below). Nearly all these attempts to access an Office 365 account can be thwarted by enabling multi-factor authentication (MFA).

Configure MFA

1. Log into Office 365 Admin Center (https://admin.microsoft.com)
2. Click on “Users” -> “Active Users”
3. Click on “More” button -> “Multifactor Authentication Setup”
4. Click on tab at top called “Service Settings”
   1. Select “Allow users to create app passwords to sign in to non-browser apps”
   2. Select at least the three following
      1. Text message to phone
      2. Notification through mobile app
      3. Verification code from mobile app or hardware token
   3. Select “Allow users to remember multi-factor authentication on devices they trust”
      1. Usually 60 days (2 months) provides the best end-user experience

Sample Capture from Office 365 Portal

Continue from here to enable MFA on selected accounts; Microsoft allows MFA to be enabled on a per-account basis, which permits a staged roll-out. Once MFA is enabled on an account, the end user will need to log into the web portal to finish the activation.

Enabling MFA on Office 365 accounts

• Click on “users” tab to enable individual users
  o Select desired user
    ▪ Fair warning that this portal is slow for some tenants and can take a moment or two to refresh when you click on the next arrow
  o Click on “enable” button
  o On confirmation pop-up click “enable multi-factor auth”

• Direct user to https://portal.office.com and log in with O365 credentials
  o Click “Next” on the “More information required” pop-up

• There are two primary ways for the end-user to interact with MFA: through text message or through an authenticator app downloaded from the App/Play Store

Setting up Text message authentication

• Choose “Authentication phone”
• Enter mobile number
• Select “Send me a code by text message”


Setting up Authenticator App

• Choose “Mobile App”
• Select option “Receive notification for verification”
• Click “Set up” button


The next page will provide an app password that should be recorded in a temporary location, as it will be needed in some of the scenarios below. If the password is lost, a new app password can be generated from the user’s Office 365 “account” page.

At this point the user’s account is successfully protected with multi-factor authentication.
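
The staged roll-out described above can also be driven and tracked from PowerShell. The following is an added example, not part of the original post: it assumes the legacy MSOnline module is installed and an administrator signs in, and the function names and pilot addresses are hypothetical placeholders.

```powershell
# Added example: staged per-user MFA roll-out with the legacy MSOnline module.
Import-Module MSOnline
Connect-MsolService   # prompts for an admin sign-in

# Report each licensed user's per-user MFA state and registered methods.
# 'Disabled' = MFA not turned on; 'Enabled' = turned on by the admin but the
# user has not finished activation; 'Enforced' = activation completed.
function Get-MfaReport {
    Get-MsolUser -All | Where-Object { $_.IsLicensed } | ForEach-Object {
        $state = if ($_.StrongAuthenticationRequirements.Count -gt 0) {
            $_.StrongAuthenticationRequirements[0].State
        } else {
            'Disabled'
        }
        [pscustomobject]@{
            UserPrincipalName = $_.UserPrincipalName
            MfaState          = $state
            DefaultMethod     = ($_.StrongAuthenticationMethods |
                                   Where-Object IsDefault).MethodType
            HasRegistered     = ($_.StrongAuthenticationMethods.Count -gt 0)
        }
    }
}

# Script equivalent of the portal's "enable" button for a list of accounts.
function Enable-PerUserMfa {
    param([Parameter(Mandatory)][string[]]$UserPrincipalName)

    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = '*'
    $req.State        = 'Enabled'

    foreach ($upn in $UserPrincipalName) {
        Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements @($req)
    }
}

# Pilot group first (placeholder addresses), then list everyone who is not
# yet fully protected so they can be followed up before the next wave.
Enable-PerUserMfa -UserPrincipalName 'pilot1@example.com', 'pilot2@example.com'
Get-MfaReport |
    Where-Object MfaState -ne 'Enforced' |
    Sort-Object MfaState, UserPrincipalName |
    Format-Table -AutoSize
```

Accounts that stay in the 'Enabled' state with no registered method are the ones whose owners still need to sign in at the portal and finish activation.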

Author:

Cloud Enthusiast, Azure Administrator, Office 365 Engineer, Exchange Administrator.
