The many ways to implement multi-factor authentication (MFA) in Microsoft 365
There are five, count it five, separate ways to configure multifactor authentication in Microsoft 365. In this article, we will go over three of them because one of them is no longer supported and one of them uses third-party tools that are out of scope for the MS-500.
Security Defaults
Security defaults are the latest way to enable MFA in Microsoft 365. Security defaults enable MFA across your entire tenant. That includes all of your users. There is no way to limit MFA to a select user or group with security defaults. If you created your tenant after October 22nd, 2019 security defaults are probably already enabled on your tenant.
By enabling security defaults in your Microsoft 365 tenant you're not only requiring MFA but you're also blocking legacy authentication, for example, IMAP, POP3, and basic auth.
Security Defaults are available for all Microsoft 365 tenants regardless of your licensing.
How to enable/disable security defaults
1. Go to Azure Active Directory admin center > Azure Active Directory > Properties > Manage Security Defaults. Click Yes to enable the policy. Click No to disable the policy. Click Save.
Per-user MFA
Per-user MFA gives more control over who is required to use multifactor authentication, but it requires you to enable MFA for every user individually. That means every time you create a new user in Microsoft 365 you need to enable MFA for that user. But it also means you can roll out MFA to a set of users.
Per-user MFA is available for all Microsoft 365 tenants regardless of your licensing.
How to enable per-user MFA
1. Go to Microsoft 365 admin center > Active users > Multi-factor authentication.
2. Click the check box next to a user you want to enable MFA for. Click Enable.
3. Click enable multi-factor auth.
Understanding MFA Status
With per-user MFA you'll notice there are three different statuses. Disabled means the user isn't required to use per-user MFA. Next, enabled means the user is required to set up their MFA at the next login. Enforced means the user has set up the MFA.
How to configure the settings in per-user MFA
One last thing. You can configure some options in the per-user MFA. By going to service settings you'll notice a whole list of options.
- App passwords are a great way to allow legacy apps to continue to connect to Microsoft 365. In short, app passwords will replace the users' passwords so they can still log in to Microsoft 365 using an app that doesn't support Microsoft 365 MFA.
- Trusted IPs are a simple way to bypass MFA when the users are coming from a certain IP address.
- Verification options are the options that a user can set up MFA. For example, if you don't want users to be able to receive text messages simply uncheck Text message to phone.
- Allow users to remember will allow the users to not be prompted every time they need to re-authenticate from a device.
Conditional access policy
The last built-in choice is via conditional access policies. Conditional access policies provide the best security defaults as well as the best per-user MFA. With conditional access policies, you can deploy MFA to a user or a group of users, so you don't have to require MFA for all users as you do with security defaults. Also, you can configure conditional access policies to include all users or all administrators, so you don't need to remember to enable MFA for every new user as you need to do with per-user MFA.
The one downside of conditional access policies is licensing. Conditional access policies are only available for azure SD premium P1 licensed users. Conditional access policies are also available to Microsoft 365 business premium users.
How to enable MFA using conditional access policies
1. log in to Azure Active Directory admin center > All services > Azure AD Conditional Access > New Policy > Create new policy.
2. Enter a name of “Require MFA”
3. Click 0 users or workload identities selected. Click All users.
4. Click No cloud apps, actions, or authentication contexts selected. Click All cloud apps.
5. Click 0 controls selected (under Grant). Click Require multi-factor authentication. Click Select. Click On (under Enable policy). Click Create.
MFA Server
Another possibility to deploy multifactor authentication in Microsoft 365 is to deploy an MFA server. MFA server would be an application that's installed on any Windows 2008 R two or later server that's joined to your domain. In short, you would download the MFA server installation files from Microsoft and install the software on your server. Then with a quick configuration, you can deploy your MFA server. As of July 1st, 2019 Microsoft, no longer offers an MFA server for new deployments. So, we won't be covering the installation or configuration in this guide.
Third-party options
Microsoft has also configured Microsoft 365 so third-party vendors can offer multifactor authentication options. Several vendors sell software or cloud-only options that can tie into Microsoft 365 and provide you with multifactor authentication. Some of those vendors are one login and duo. They won't be covering the deployment of these options in this guide because they are not covered in the MS-500.
User experience
Once MFA is enabled for a user the user will see the following prompts (either in the browser or in Outlook).
1. On the More information required prompt click Next.
2. On Keep your account secure / start by getting the app page download Microsoft Authenticator to your mobile phone and open the app.
3. Once in the app click I agree > Scan a QR code > While using the app.
3. Then go back to the sign-in page and click Next.
3. On Scan the QR code page scan the QR code with the Microsoft authenticator app on your phone. Click Next.
4. Approve the sign-in request on your phone.
5. Once you see the Notification approved message click Next.
6. on the Phone page, enter your cell phone number and click Next.
7. Enter the code texted to you in the space provided. Click Next.
8. Once you see SMS verified. Click Next.
9. On the success page click Done.