How to enable MFA (Multi-Factor Authentication) for Office 365 administrators



Introduction to Multi-Factor Authentication - 

MFA (Multi-Factor Authentication) is a great way to add a layer of security to your Office 365 administration accounts. MFA adds a second challenge after your user name and password have been accepted: a six-digit verification code is sent by text message or phone call to the mobile phone registered on the account, or a prompt is sent to the Microsoft Authenticator app, and the sign-in only completes once that challenge is answered. A stolen or phished password on its own is then not enough to sign in as the administrator.

This tutorial will step you through the process for enabling your Office 365 administrator account with MFA (Multi-Factor Authentication).

Please see below for a list of all my MFA (Multi-Factor Authentication) tutorials. 
- All my MFA Tutorials on one page - Link
- How to configure your desktop PC for Office 365 Administration - including MFA - Link
- How to configure Server 2012 R2 for Office 365 Administration - including MFA - Link
- How to enable MFA (Multi-Factor Authentication) for Office 365 administrators - Link
- How to connect to Office 365 via PowerShell with MFA - Multi-Factor Authentication - Link
- How to protect your Office 365 MFA admin account from cell phone SIM hijacking - Link
- MFA Support - PowerShell modules and resources for Office 365  - Link


--------------------------------------------------------------------------------------------------------

To enable MFA (Multi-Factor Authentication) for Office 365 Administrators, follow the steps below.

Pre-requisites -
- Follow the guide below to ensure your PC is configured for PowerShell administration with MFA -
- - How to configure your desktop PC for Office 365 Administration - including MFA - Link

--------------------------------------------------------------------------------------------------------

Preparation -
In preparation for this tutorial, I have created a new Global Admin in the tenant, with a user name on the tenant's .onmicrosoft.com domain rather than on my external (custom) domain. This is good practice when creating Office 365 admin accounts: the .onmicrosoft.com account is cloud-only, so it keeps working even if your custom domain's DNS, domain verification or federation breaks, and it gives you a way back into the tenant to repair them.

---------------------------------------------------------------------------------------------------------

Enabling Multi-Factor Authentication
Once your PC is configured for Office 365 Administration using the guide above, we will proceed to enable MFA (Multi-Factor Authentication) on your Office 365 services and Admin account(s).


--- Enabling MFA on Office 365 Services ---
The cmdlets below do not enforce MFA by themselves; they enable modern authentication (OAuth 2.0 / ADAL) on each service. MFA is enforced per account in the next section, but without modern authentication clients such as Outlook and Skype for Business fall back to basic authentication, which cannot answer an MFA challenge and would leave you dependent on app passwords.

Enable modern authentication (required for MFA) for Exchange Online,
- connect to Exchange Online using PowerShell, and run the following command:
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

Enable modern authentication (required for MFA) for Skype for Business Online,
- connect to Skype for Business Online using PowerShell, and run the following command:
Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed

Neither cmdlet should return an error; if one does, the session is most likely not connected to that service.
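As an added example that is not part of the original tutorial, the following PowerShell makes the same two changes idempotently and then reads both settings back, so you can confirm the change actually applied before you enforce MFA on anyone. It assumes an Exchange Online remote PowerShell session and a Skype for Business Online session have already been imported into this shell (the Pre-requisites tutorial above covers that); the Write-Host text is mine.

```powershell
# Added example (not from the original tutorial). Assumes an Exchange Online
# remote PowerShell session and a Skype for Business Online session are already
# imported into this shell, so Set-OrganizationConfig and
# Set-CsOAuthConfiguration are available.

# --- Exchange Online: modern authentication (OAuth 2.0 / ADAL) ---
$exo = Get-OrganizationConfig
if (-not $exo.OAuth2ClientProfileEnabled) {
    Write-Host "Exchange Online: enabling modern authentication"
    Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
} else {
    Write-Host "Exchange Online: modern authentication already enabled"
}

# --- Skype for Business Online: allow ADAL (modern auth) clients ---
$sfb = Get-CsOAuthConfiguration
if ($sfb.ClientAdalAuthOverride -ne 'Allowed') {
    Write-Host "Skype for Business Online: allowing modern authentication clients"
    Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed
} else {
    Write-Host "Skype for Business Online: modern authentication already allowed"
}

# --- Read both settings back and fail loudly if either did not stick ---
$exoAfter = (Get-OrganizationConfig).OAuth2ClientProfileEnabled
$sfbAfter = (Get-CsOAuthConfiguration).ClientAdalAuthOverride
[PSCustomObject]@{
    ExchangeOnline_OAuth2ClientProfileEnabled = $exoAfter
    SkypeForBusiness_ClientAdalAuthOverride   = $sfbAfter
} | Format-List

if (-not $exoAfter -or $sfbAfter -ne 'Allowed') {
    throw "Modern authentication is not fully enabled; do not enforce MFA on admin accounts until it is."
}
```

The read-back matters because the Set- cmdlets are silent on success. Checking the current value first also makes the script safe to re-run on a tenant that was already configured.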

--- Enabling MFA on the Admin account ---

Log into the Office 365 Admin Portal, then select Users - Active Users - More - Setup Azure multi-factor auth.

Change the view to Global Administrators using the drop down arrow


Once the Global Admin filter is applied, select the Admin account that you want MFA enabled on.
Then click 'Enable' to enable MFA

Confirm that you want to enable MFA -

You will now see that MFA has been enabled on that Admin account

Completing the MFA setup-
Log in to the Office 365 Portal as the MFA enabled administrator. Enter the user name and password as normal.

You will then be prompted to setup additional security -
Click - 'Set it up now'

You will then be sent to a verification page showing the mobile phone that is linked to your account (if already configured).
If this is the first time ever logging in, you will be asked to enter the details of your authentication phone. Then select the method of verification.



For this tutorial, I have just chosen texting to an authentication phone. Other options are available, and for admin accounts the Microsoft Authenticator app is the stronger choice: a text message can be intercepted by an attacker who gets your number moved to their SIM (see the SIM hijacking tutorial linked below), whereas an Authenticator prompt is tied to the registered device.
- How to update your MFA verification options - Link
- How to configure Microsoft Authenticator - Link

After choosing your authentication phone, you will receive a text message or call on your mobile phone with the verification code.
Enter the verification code in the box, and then click 'Verify'.

You will next see a randomly generated password called an 'app password'. App passwords are for older apps and services that do not support modern authentication and therefore cannot complete an MFA prompt. Be aware that an app password bypasses MFA entirely: whoever holds it can sign in as that account with a single factor, so treat it with the same care as the account password and avoid using legacy clients with admin accounts at all. If you or an end user loses this app password, another can be generated in Office 365 account settings. More information can be found here - Link


Confirming that MFA is configured for your admin account
Log into the Admin Portal with your MFA enabled account. At login you will be sent a verification code to your mobile which is needed before you can be fully authenticated.

Depending on when you have created or updated your admin contact info (this usually happens at first log in), you will receive a prompt to enter these details.
During the creation of this tutorial, I received the prompt after initial login.
Enter your authentication phone and authentication email address.
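The portal confirms MFA one account at a time. As an added example that is not part of the original tutorial, the following PowerShell checks the same thing for every Global Administrator in the tenant at once: whether per-user MFA is Enabled, Enforced or still off, which verification methods each admin registered, and whether the account is on the .onmicrosoft.com domain as recommended in the Preparation section. It assumes the MSOnline (Azure AD v1.0) module is installed and Connect-MsolService has already been run in this session, which prompts interactively and supports MFA; the property names used are those the MSOnline cmdlets return, and the report column names are mine.

```powershell
# Added example (not from the original tutorial). Assumes the MSOnline module
# is installed and Connect-MsolService has already been run in this session.

# The Global Administrator role is named "Company Administrator" in MSOnline.
$role = Get-MsolRole -RoleName 'Company Administrator'

$report = foreach ($member in Get-MsolRoleMember -RoleObjectId $role.ObjectId) {
    # Only user accounts carry per-user MFA settings; skip groups and service principals.
    if ($member.RoleMemberType -ne 'User') { continue }

    $user = Get-MsolUser -ObjectId $member.ObjectId

    # Per-user MFA state is "Enabled" (user must register at next sign-in) or
    # "Enforced" (MFA required now); an empty collection means MFA is off.
    $state = ($user.StrongAuthenticationRequirements | Select-Object -First 1).State
    if (-not $state) { $state = 'Disabled' }

    # Registered verification methods, e.g. OneWaySMS, TwoWayVoiceMobile,
    # PhoneAppNotification. The default method is what the sign-in prompt uses.
    $methods = ($user.StrongAuthenticationMethods | ForEach-Object { $_.MethodType }) -join ','
    $default = ($user.StrongAuthenticationMethods | Where-Object { $_.IsDefault }).MethodType

    [PSCustomObject]@{
        UserPrincipalName = $user.UserPrincipalName
        MfaState          = $state
        DefaultMethod     = $default
        Methods           = $methods
        # .onmicrosoft.com admin accounts keep working if the custom domain breaks.
        CloudOnlyDomain   = $user.UserPrincipalName -like '*.onmicrosoft.com'
    }
}

$report | Sort-Object MfaState | Format-Table -AutoSize

# Any Global Admin that is not Enabled/Enforced is still protected by a password alone.
$unprotected = $report | Where-Object { $_.MfaState -eq 'Disabled' }
if ($unprotected) {
    Write-Warning ("Global Admins without MFA: " + ($unprotected.UserPrincipalName -join ', '))
}
```

Run this after enabling MFA in the portal: the admin you just set up should show MfaState Enabled (Enforced once the first MFA sign-in completes) and at least one registered method. An account showing only OneWaySMS as its default is the case the SIM hijacking tutorial below is about.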

Congratulations - 
Multi-factor Authentication is now enforced for your Admin account.

-----------------------------------------------------------------------------------------------------

*** IMPORTANT ***
If you try to connect to Office 365 via PowerShell with the credential-based connection scripts you used before enabling MFA, you will now receive authentication failures: a plain user name and password session has no way to answer the MFA challenge.

Follow this tutorial to connect to Office 365 via PowerShell with MFA -
How to connect to Office 365 via PowerShell with MFA - Multi-Factor Authentication - Link

-----------------------------------------------------------------------------------------------------

As of 1 July 2017, the following PowerShell modules support Multi-Factor Authentication.
- Exchange Online
- SharePoint Online
- Skype for Business Online
- Azure AD v1.0 (MSOnline module, Connect-MsolService)
- Azure AD v2.0 (AzureAD module, Connect-AzureAD)
- Azure Resource Manager
- Azure Rights Manager

As of that date the Compliance and Security Centre does not support PowerShell connection with MFA.

-------------------------------------------------------------------------------------------------------

Complete List of All My Tutorials

Configure your Administration PC or Server
- How to configure your desktop PC for Office 365 Administration - including MFA - Link
- How to configure Server 2012 R2 for Office 365 Administration - including MFA - Link
- How to configure your desktop PC for Hybrid Exchange - Office 365 - Azure Administration - Link

Connection Scripts
- How to connect to Office 365 and Azure via PowerShell - Link
- How to connect to Hybrid Exchange - Office 365 - Azure AD and Local AD via PowerShell - Link
- How to connect to Office 365 via PowerShell with MFA - Multi-Factor Authentication - Link

Office 365 Migrations
- How to configure Exchange 2013 - 2016 for Office 365 Hybrid - Link

All Hybrid Administration Tutorials
- How to configure Exchange 2013 - 2016 for Office 365 Hybrid - Link
- How to configure your desktop PC for Hybrid Exchange - Office 365 - Azure Administration - Link
- How to connect to Hybrid Exchange - Office 365 - Azure AD and Local AD via PowerShell - Link
- Hybrid Management - Part 01 - Creating local User mailboxes - Link
- Hybrid Management - Part 02 - Creating local Exchange Shared Mailboxes - Link
- Hybrid Management - Part 03 - Creating local Exchange Room and Equipment Mailboxes - Link
- Hybrid Management - Part 04 - Configure the Hybrid Connection Wizard - Link
- Hybrid Management - Part 05 - Individual mailbox moves via the EAC - Link
- Hybrid Management - Part 06 - Bulk mailbox moves via the EAC - Link
- Hybrid Management - Part 07 - Moving bulk mailboxes with PowerShell - Link
- Hybrid Management - Part 08 - Creating Office 365 User Mailboxes via PowerShell - Link
- Hybrid Management - Part 09 - Creating Office 365 Shared Mailboxes via PowerShell - Link
- Hybrid Management - Part 10 - Creating Office 365 Room and Equipment Mailboxes via PowerShell - Link


All Modern Authentication and MFA (Multi-Factor Authentication) Tutorials
- All my MFA Tutorials on one page - Link
- How to configure your desktop PC for Office 365 Administration - including MFA - Link
- How to configure Server 2012 R2 for Office 365 Administration - including MFA - Link
- How to enable MFA (Multi-Factor Authentication) for Office 365 administrators - Link
- How to connect to Office 365 via PowerShell with MFA - Multi-Factor Authentication - Link
- How to protect your Office 365 MFA admin account from cell phone SIM hijacking - Link
- MFA Support - PowerShell modules and resources for Office 365  - Link

Security
- How to protect your Office 365 MFA admin account from cell phone SIM hijacking - Link

Daily Administration and Reports
- How to create a basic document of the Exchange Online environment - Link
- How to document the local Exchange Organization for As Built documents and auditing - Link
- PowerShell scripts to report on Mailbox permissions in Exchange Online and Exchange On-Prem - Link

Enterprise Management
- How to manage Enterprise environments - Part 1 - Filtering queries - Link
- How to manage Enterprise environments - Part 2 - Creating scripts with a filtered query - Link
- How to manage Enterprise environments - Part 3 - Bulk management using multiple filters - Link

PowerShell
- How to create basic PowerShell scripts - Link
- How to create basic PowerShell scripts with Export-CSV - Link
- How to create basic PowerShell scripts with Import-CSV - Link
- PowerShell modules and resources for Office 365 - Link

Downloads -
- All my PowerShell TechNet Downloads - Link

Tips and Tricks -
- How to use Chrome browser for concurrent multiple connections to different Office 365 tenancies - Link
- General Tips and Tricks for better Office 365 Administration - Link
- How to extend your Office 365 Trial - Link
- How to get a 180 day trial tenant in Office 365 for testing - Link
- PowerShell modules and resources for Office 365 - Link

Troubleshooting -
- Hybrid Connection Wizard and Click to Run applications fail to download and run - Link

3 comments:

  1. There is one thing that I don't understand. When you enable MFA, you need email clients (Outlook or iOS/Android email clients) to get an app password. This app password is "lowercase only - 12 or 16 chars", which is very easy to crack. In addition, there is no method to block wrong password logins (unless you have ADFS, of course). So, it's just a matter of time. So, my question is: how can security be improved when enabling MFA? What am I missing?

    1. Thanks for your comment Massimo.
      Unfortunately I haven't even looked at MFA for end users as yet, I have only focused on MFA for Administrators. I do intend to look at it at a later stage, but no idea when.

  2. Abdulrehman Altaf, 1 April 2018 at 06:31

    Thanks.
    Enable MFA for all the users:

    # Requires the MSOnline module; Connect-MsolService prompts for credentials and supports MFA
    Connect-MsolService

    # Create the StrongAuthenticationRequirement object and insert required settings
    $mf = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $mf.RelyingParty = "*"
    # "Enabled" makes the user register at next sign-in; "Enforced" requires MFA immediately
    $mf.State = "Enabled"
    $mfa = @($mf)

    # Enable MFA for a user
    Set-MsolUser -UserPrincipalName aaron.beverly@365lab.net -StrongAuthenticationRequirements $mfa

    # Enable MFA for all users (use with CAUTION! this includes service, shared and sync accounts)
    Get-MsolUser -All | Set-MsolUser -StrongAuthenticationRequirements $mfa
