How to enable Multi-Factor Authentication in Office 365 and login using SMS or the Authenticator Mobile App
Improve security by enabling multi-factor authentication on your Office 365 tenant. Tired of overly complicated two-factor authentication systems? Office 365 Multi-Factor Authentication is for you! Let's take a look at the steps involved in enabling and configuring a trial user in our demo lab. Our lab is configured as cloud only, but the process works equally well with AD Connect. In our lab we will be using the Multi-Factor Authentication mobile app, but SMS authentication is also supported; in fact, users can easily switch between the two if required.
Let's break the setup down into the following steps:
- Install the Multi-Factor Authenticator App
- Enable Multi-Factor Authentication for specific users
- The User Setup Process
- Customising Authentication Method
- Application Passwords
Install the Multi-Factor Authenticator App
Users will need to install the Azure Authenticator app onto their mobile phone.
When the user first logs on they will need to scan a QR code to add 365 to the app.
Pressing SCAN QR CODE for the first time will prompt to install a barcode scanner app so press yes here to continue.
Enable Multi-Factor Authentication for specific users
Log into the portal as a company administrator and browse to Settings, Apps and select Azure multi-factor authentication.
Click Manage Azure multi-factor authentication to begin the setup.
One thing I love about multi-factor authentication in 365 is that it can be enabled for individual users, which is great for testing. Select all of your users or, as in our case, a single trial user, and press Enable.
Confirm that you wish to enable multi-factor authentication.
Success!
The user is now enabled for multi-factor authentication, but it's a good idea to Enforce the settings as well. Enforcing ensures the user must log in with their password plus the mobile app or SMS code, and that all applications will require an app password to work correctly.
Confirm that you want to enforce multi-factor authentication.
Congratulations, you have enabled multi-factor authentication for one user in your Office 365 tenant. Let's see what happens when a user logs in after you enable the settings.
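The same Enable and Enforce steps can be scripted with the MSOnline PowerShell module, which is handy when rolling out beyond a single trial user. This is an added example, not code from the original post; the user principal name is a placeholder, and it assumes you sign in with a company administrator account.

```powershell
# Added example (not from the original post): enable, then enforce, per-user MFA
# with the MSOnline module, and report each user's resulting state and default method.
Import-Module MSOnline
Connect-MsolService   # prompts for a company administrator sign-in

function Set-PerUserMfaState {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [Parameter(Mandatory)] [ValidateSet('Enabled', 'Enforced', 'Disabled')] [string] $State
    )
    if ($State -eq 'Disabled') {
        # An empty requirements array switches per-user MFA off again
        Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @()
        return
    }
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = '*'   # apply to every application, matching the portal's behaviour
    $req.State = $State       # 'Enabled' = user must register at next login; 'Enforced' = MFA on every login
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @($req)
}

function Get-PerUserMfaState {
    # Lists who is Disabled, Enabled or Enforced, plus the verification method each user chose
    Get-MsolUser -All | Select-Object UserPrincipalName,
        @{ Name = 'MfaState'; Expression = {
            if ($_.StrongAuthenticationRequirements.Count -gt 0) {
                $_.StrongAuthenticationRequirements[0].State
            } else { 'Disabled' } } },
        @{ Name = 'DefaultMethod'; Expression = {
            ($_.StrongAuthenticationMethods | Where-Object { $_.IsDefault }).MethodType } }
}

# Placeholder trial user, constructed for this example
$trialUser = 'trial.user@example.onmicrosoft.com'
Set-PerUserMfaState -UserPrincipalName $trialUser -State 'Enabled'
Set-PerUserMfaState -UserPrincipalName $trialUser -State 'Enforced'

# Verify the result for the trial user before widening the rollout
Get-PerUserMfaState | Where-Object { $_.UserPrincipalName -eq $trialUser }
```

Running Get-PerUserMfaState on its own is a quick audit of the whole tenant, showing any users still left at Enabled who have not completed registration.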
The User Setup Process
The first time the user logs in after you enable multi-factor authentication, they will sign in as usual.
The user will be required to run through the setup procedure before they can log on.
Users will be required to select a preferred authentication method. Here we select Mobile app, but users can also choose to authenticate with their phone using SMS. Unfortunately there is no way to force users to use one or the other.
The user will now need to scan this QR code using the mobile app, which will configure the app to display authentication codes that update every 30 seconds.
Once configured, the app will show a verification code for this account, which will be used every time the user logs onto the web portal.
Once the user clicks finish the mobile app configuration will be checked and verified.
Once the user has confirmed their preferred authentication method they will be required to verify their mobile phone number. Users will enter their number and a verification code will be sent to it in an SMS message which they must enter to verify the number.
Once the user has verified their mobile phone they will be given an App password. App passwords are passwords that users must use with applications like Outlook, OneDrive and Skype for Business. Their standard logon password will no longer work so they must use this app password to authenticate with these applications.
If a user clicks Finish without noting the password, they will have to generate a new one: once an app password has been generated it is never displayed again. If you forget it, you have to generate a new one.
OK, so the user has run through the initial setup process; let's take a look at what happens when they next log on.
A user will enter their standard password to start with.
They will be prompted to enter the verification code displayed in the mobile app, and the user will log in successfully. If for some reason they haven't set up the app properly, or if it's not working, users can choose a different verification method and select to receive a code via SMS message.
Customising Authentication Method
If a user decides to change their authentication method they can, and it's as easy as choosing the option from a drop-down menu. Once the user has logged in, click the cog symbol in the top right and click Office 365 settings.
Select settings then click Additional security verification.
Click the link to Update your phone numbers used for account security.
Here the user can set their preferred verification option and they can also update their mobile number if required.
Application Passwords
It's best practice to generate a separate app password for every application used. That way, if you need to generate a new password for Outlook, you can just regenerate the password for that application rather than having to update all of the other apps in use.
Let's create a new app password for Outlook: click Create.
Give the password a name; this is for Outlook so let's use that, and press Next.
The system will generate a long password for us to use. Interestingly, they don't seem to follow any complexity rules, but I guess length is king where passwords are concerned.
Now we have a new app password for Outlook, the user will need to enter it as the new password in their Outlook desktop app, mobile mail settings and the mobile Outlook application.
Summary
So there you have it: you can now enable additional security in your Office 365 tenant at no extra cost. Almost everyone has a mobile on them at all times these days, and with the flexibility to use either the authenticator app or SMS, implementation is easy.
As with all things where the user has to be involved in the setup process, you will have to educate your users. It's likely most won't read all of the messages and will select the wrong options, so as always, ensure user training is top of your list of things to do before rolling this out company-wide.
If you found this useful please subscribe to the blog and also like on Facebook or follow me on Twitter. Help me support awesome administrators like you: like and share now, thanks!
21st March 2019
SMS is convenient, but you have to offer alternative factors (to cover for dead batteries etc).
15th July 2019
I should also add it’s also vital that multiple factors are used in authenticating, and that the factors vary (e.g. something you have, know, carry, about you etc).