How to enable MFA (Multi-Factor Authentication) for Office 365 administrators



Introduction to Multi-Factor Authentication - 

MFA (Multi-Factor Authentication) is a great way to add a layer of security to your Office 365 administration accounts. MFA adds a security challenge after your username and password have been accepted: a six-digit passcode is sent to your preferred verification method and must be entered to complete authentication.

This tutorial will step you through the process for enabling your Office 365 administrator account with MFA (Multi-Factor Authentication).

Please see below for a list of all my MFA (Multi-Factor Authentication) tutorials. 
- How to configure your desktop PC for Office 365 Administration - including MFA - Link
- How to enable MFA (Multi-Factor Authentication) for Office 365 administrators - Link
- How to connect to Office 365 via PowerShell with MFA - Multi-Factor Authentication - Link
- MFA Support - PowerShell modules and resources for Office 365  - Link

--------------------------------------------------------------------------------------------------------

To enable MFA (Multi-Factor Authentication) for Office 365 Administrators, follow the steps below.

Pre-requisites -
- Follow the guide below to ensure your PC is configured for PowerShell administration with MFA:
  - How to configure your desktop PC for Office 365 Administration - including MFA - Link

--------------------------------------------------------------------------------------------------------

Preparation -
In preparation for this tutorial, I have created a new Global Admin in the tenant. I have set the user name to use the .onmicrosoft.com domain rather than my external domain. This is good practice when creating Office 365 Admin accounts, as it means the account's access to Office 365 does not depend on your external domain remaining functional.

---------------------------------------------------------------------------------------------------------

Enabling Multi-Factor Authentication
Once your PC is configured for Office 365 Administration using the guide above, we will proceed to enable MFA (Multi-Factor Authentication) on your Office 365 services and Admin account(s).


--- Enabling MFA on Office 365 Services ---
Run the following cmdlets to enable MFA for each service.

Enable MFA for Exchange Online:
- connect to your tenant using PowerShell, and run the following command:
  Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

Enable MFA for Skype for Business Online:
- connect to your tenant using PowerShell, and run the following command:
  Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed

You should not receive any errors.
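The two settings above can be checked before and after they are changed. The following script is an added example, not code from the original post; it assumes you are already connected to both the Exchange Online and Skype for Business Online PowerShell sessions as described in the desktop configuration guide, and the function name Set-ServiceModernAuth is my own.

```powershell
# Added example (not from the original post): read the two service-level
# settings this section changes, apply each only if it is not yet set, and
# return the final values so they can be recorded.
# Assumes Exchange Online and Skype for Business Online sessions are already
# imported into this PowerShell window.

function Set-ServiceModernAuth {
    # Exchange Online: OAuth2ClientProfileEnabled must be $true for MFA sign-in
    $exo = (Get-OrganizationConfig).OAuth2ClientProfileEnabled
    if (-not $exo) {
        Write-Host "Exchange Online: enabling OAuth2ClientProfileEnabled"
        Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
    } else {
        Write-Host "Exchange Online: OAuth2ClientProfileEnabled is already true"
    }

    # Skype for Business Online: ClientAdalAuthOverride must be 'Allowed'
    $sfb = (Get-CsOAuthConfiguration).ClientAdalAuthOverride
    if ("$sfb" -ne 'Allowed') {
        Write-Host "Skype for Business Online: setting ClientAdalAuthOverride to Allowed (was '$sfb')"
        Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed
    } else {
        Write-Host "Skype for Business Online: ClientAdalAuthOverride is already Allowed"
    }

    # Re-read both values after the change so the result is verified, not assumed
    [pscustomobject]@{
        ExchangeOAuth2ClientProfileEnabled = (Get-OrganizationConfig).OAuth2ClientProfileEnabled
        SkypeClientAdalAuthOverride        = (Get-CsOAuthConfiguration).ClientAdalAuthOverride
    }
}

Set-ServiceModernAuth
```

Both values should read True and Allowed in the returned object; if either does not, the session you are connected with may lack the required admin role.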

--- Enabling MFA on the Admin account ---

Log into the Office 365 Admin Portal
Log into the Admin Portal - select - Users - Active Users - More - Setup Azure multi-factor auth.

Change the view to Global Administrators using the drop-down arrow.

Once the Global Admin filter is applied, select the Admin account that you want MFA enabled on.
Then click 'Enable' to enable MFA.

Confirm that you want to enable MFA -

You will now see that MFA has been enabled on that Admin account

Completing the MFA setup -
Log in to the Office 365 Portal as the MFA-enabled administrator. Enter the user name and password as normal.

You will then be prompted to set up additional security -
Click 'Set it up now'.

You will then be sent to a verification page showing the mobile phone that is linked to your account (if already configured).
If this is the first time ever logging in, you will be asked to enter the details of your authentication phone. Then select the method of verification.

For this tutorial, I have just chosen texting to an authentication phone. Other options are available.
- How to update your MFA verification options - Link
- How to configure Microsoft Authenticator - Link

After choosing your authentication phone, you will receive a text message or call on your mobile phone with the verification code.
Enter the verification code in the box, and then click 'Verify'.

You will next see a randomly generated password called an 'app password'. This app password can be used for apps and services that do not support MFA. If you or an end user loses this app password, another can be generated in Office 365 account settings. More information can be found here - Link


Confirming that MFA is configured for your admin account
Log into the Admin Portal with your MFA-enabled account. At login, a verification code will be sent to your mobile phone, and you must enter it before you are fully authenticated.

Depending on when you have created or updated your admin contact info (this usually happens at first log in), you will receive a prompt to enter these details.
During the creation of this tutorial, I received the prompt after initial login.
Enter your authentication phone and authentication email address.
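Checking one account through the portal confirms that account only. The following script is an added example, not code from the original post; it audits the MFA state of every Global Administrator through the Azure AD v1.0 (MSOnline) module, which the list below names as MFA-capable. It assumes the MSOnline module is installed, that Connect-MsolService has already been run with an MFA-enabled admin, and the function name Get-GlobalAdminMfaState is my own.

```powershell
# Added example (not from the original post): list every Global Administrator
# with their MFA state, so accounts that are still 'Disabled' or 'Enabled'
# (registered but not yet enforced) can be followed up.
# Assumes: MSOnline module installed and Connect-MsolService already completed.

function Get-GlobalAdminMfaState {
    # In MSOnline the Global Administrator role is named 'Company Administrator'
    $role = Get-MsolRole -RoleName 'Company Administrator'

    foreach ($member in Get-MsolRoleMember -RoleObjectId $role.ObjectId) {
        # Groups and service principals can hold the role too; only users carry MFA state
        if ($member.RoleMemberType -ne 'User') { continue }

        $user = Get-MsolUser -ObjectId $member.ObjectId

        # StrongAuthenticationRequirements is empty when MFA is disabled; otherwise
        # State is 'Enabled' (user must still register) or 'Enforced'
        $state = $user.StrongAuthenticationRequirements.State
        if (-not $state) { $state = 'Disabled' }

        [pscustomobject]@{
            UserPrincipalName = $user.UserPrincipalName
            MfaState          = $state
            # 0 registered methods means the user has not completed the setup steps above
            MethodsRegistered = @($user.StrongAuthenticationMethods).Count
            # The post recommends .onmicrosoft.com names for admin accounts
            UsesOnMicrosoft   = ($user.UserPrincipalName -like '*.onmicrosoft.com')
        }
    }
}

# Show only the Global Admins that are not yet at 'Enforced'
Get-GlobalAdminMfaState | Where-Object { $_.MfaState -ne 'Enforced' } | Format-Table -AutoSize
```

Run it again after each admin completes their first MFA login; the account should move to 'Enforced' with at least one registered method.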

Congratulations - 
Multi-factor Authentication is now enforced for your Admin account.

-----------------------------------------------------------------------------------------------------

*** IMPORTANT ***
If you now try to connect to Office 365 via PowerShell in the usual way, you will receive authentication failures.

Follow this tutorial to connect to Office 365 via PowerShell with MFA -
How to connect to Office 365 via PowerShell with MFA - Multi-Factor Authentication - Link

-----------------------------------------------------------------------------------------------------

As of 1 July 2017, the following PowerShell modules support Multi-Factor Authentication.
- Exchange Online
- SharePoint Online
- Skype for Business Online
- Azure AD v1.0
- Azure AD v2.0
- Azure Resource Manager
- Azure Rights Manager

As of that date the Compliance and Security Centre does not support PowerShell connection with MFA.

-------------------------------------------------------------------------------------------------------

2 comments:

1. There is one thing that I don't understand. When you enable MFA, you need email clients (Outlook or iOS/Android email client) to get an app password. This app password is "lowercase only - 12 or 16 chars", which is very easy to crack. In addition, there is no method to block wrong-password logins (unless you have ADFS, of course). So, it's just a matter of time. So, my question is: how can security be improved when enabling MFA? What am I missing?

    Replies
1. Thanks for your comment, Massimo.
       Unfortunately I haven't even looked at MFA for end users as yet; I have only focused on MFA for Administrators. I do intend to look at it at a later stage, but have no idea when.
