How To Forward Office 365 MFA Notifications To Teams For MSP’s

FYI this method is currently not working. It was until Twilio changed something within their Functions system. I’ll update this guide once they have resolved the issues.

For many MSPs (Managed Service Providers), knowing how to handle MFA (Multi Factor Authentication) for multiple Office 365 tenants can be a real pain. There are a few ways to solve this problem, but recently we’ve found the easiest option for the whole team is to have the MFA codes from Office 365 go directly into a Teams channel. This means that even if a tech is working the night shift or out of the office they can easily log into a client’s tenant securely with minimal hassle.

A few MSPs I’ve spoken to recently use a mobile phone in the office to receive the SMS codes, or they use the authentication app. This is great but limits access to those in the office.

Some have set up a dedicated phone number and set tenants to initiate a voice call to authorise logins. Again this is a good method but limits access only to the office where they can pick up the calls. Sure, you can divert the calls to mobiles after hours, but it’s a real pain when you just need the access and are not receiving the calls.

One fellow MSP told me they send authentication codes into Slack for the team to share. Great idea I thought but who wants to use Slack when you have Teams!

Let’s get stuck in and configure Office 365 SMS authentication codes to be delivered into a Teams channel.

Basic Steps:

Step 1: Configure a Webhook in Teams.

Step 2: Set up and configure a Twilio account.

Step 3: Configure MFA for Office 365.

Configure Teams

If you need to upgrade your Office 365 licenses to include Teams, upgrade them here: Office 365

First we need to activate External apps within Teams so that we can receive SMS messages via a webhook.

Log into the admin portal and click Settings -> Services & add-ins -> Microsoft Teams.

Scroll down to the option to enable External Apps then save the changes.

Log into Teams and create a new Channel called MFA. Click on the three dots next to the channel to access the Channel menu and click Connectors.


Search for ‘Incoming Webhook’ and click Configure.

Give the Webhook a suitable name.

Click Create.

Save the Webhook URL as we will need it later when configuring the SMS system. Click Done.

Configure Twilio

For MFA to work we need a mobile number we can configure on our tenants’ Global admin accounts. We also need that number on a system which can work with Webhooks. For this we can use a well known service called Twilio.

Office 365 actually includes an integration within Flow but at the time of writing inbound SMS Messaging to Teams is not supported out of the box.

Sign up for an account here: https://www.twilio.com

Once you have signed in and added some credit to the account, go to Numbers then click Get Started.

Choose your Country, tick SMS and click Search.

Choose from any of the available numbers and click Buy and complete the purchase.

From the top right use the search function to locate the Functions feature. Click the Plus symbol to add a new Function. We will use a Function to call the Teams Webhook we saved earlier and pass the SMS message from Office 365 into Teams.

Choose a Blank template and click Create.

Give your Function a suitable name such as SMStoTeams.

Copy and paste the following code into the code section as shown below.

Replace <enter your webhook URL here> with the Teams Webhook you saved earlier.

Click Save.

const got = require('got');

// Twilio runs this handler for every inbound SMS; event.Body is the message text.
exports.handler = function(context, event, callback) {

  const requestBody = {
    text: event.Body
  };

  got.post('<enter your webhook URL here>', {
    headers: {
      'Content-Type': 'application/json'
    },
    body: JSON.stringify(requestBody)
  })
    // Signal completion exactly once, and only after the request to Teams has finished
    .then(() => callback())
    .catch(err => callback(err));
};

Next click on Configure from the menu.

Scroll down to Dependencies and click the Plus sign.

Enter got into the first box and 8.3.2 into the second and click Save.

Click on Numbers then Active Numbers and click your number to enter the settings page.

Scroll down to Messaging and select Function and your Function name next to ‘A message comes in’.

Click Save.

Configure MFA for Office 365

Now you need to configure MFA on each of your tenants’ Global admin accounts.

Log into each tenant as a Global admin and go to the admin center: https://admin.microsoft.com

Click on Settings -> Services & Add-ins -> Azure multi factor authentication then click Manage multi factor authentication.

Select your Global admin account and click Manage user settings.

Tick the boxes shown below and click Save.

Next click Enable next to the Global admin account.

Click to enable multi-factor authentication.

Click Enforce.

Click to enforce MFA.

Now login as the Global admin account and you will be prompted to setup MFA for the account.

Select Authentication phone from the dropdown menu and enter the SMS number you purchased earlier from Twilio. Enter the number without the first zero.

Select to ‘Send me a code by text message’ and click Next.

If everything is configured correctly you should now receive a code into your Teams channel as a chat message. Enter it here and click Verify.

If for some reason the Teams messages are not being received you can read the verification code from the Twilio message logs found here:
https://www.twilio.com/console/sms/logs

If all is well MFA codes are being received into your MFA channel within Teams.

Click Finished to complete the setup of MFA for the Global admin account.

Next time you login as the global admin you will just have to enter the usual password then the MFA code found within Teams.

Congratulations, you have secured your client’s Office 365 account.

Great job! 🙂

Configure Alternative Login Methods

If something ever goes wrong with MFA or with Twilio you will need to configure alternative ways to login. This will involve setting up a backup emergency mobile number to receive authentication calls on and a password reset email address.

Login as the Global admin and click the settings cog from the top right.

Click ‘Update contact preferences’.

Click Security & Privacy and click ‘Update your phone numbers used for account security’.

Tick the box next to ‘Alternative authentication phone’ and enter a mobile number you can use in an emergency to access the account. Enter the number without the first zero.

Click Save.

If you ever need to use the alternative mobile phone number to login select ‘Sign in another way’ when logging into the Global admin account.


Select the backup mobile from the list to receive an authentication phone call.

Configure Password Recovery

Finally, it’s a good idea to configure an alternative password recovery email. If you ever lose the password to the account or get locked out for some reason, it’s likely you won’t be able to receive password reset requests, so set the alternative email address to your support helpdesk email address.

Click Save. (It sometimes looks grayed out but you can click on it!)

Conclusion

This is a great way to give all of your engineers access to MFA authentication codes. Super easy to use and accessible from anywhere. Just be sure you use MFA internally to protect access to Teams.

Not enough MSPs are rolling out MFA to their clients, likely because of the pain of configuring and accessing the login codes. Now you have seen how easy it is to set up, start rolling it out to your clients now!

Just remember to keep your Twilio topped up with credit so you don’t get caught short a few months after setting it up 😉

Author: Ian@SlashAdmin


12 Comments

  1. This is excellent, thank you for putting this together! I was scratching my head on it for a while when I pasted in the code and it did not work, but I found that the syntax on the very end of your script was tripping it up. I compared it with your screenshot and noted that the second “callback();” line was not in the script in your screenshot:

    callback(err);
    });

    callback();
    };

    Once I updated it on my end it worked like a charm. Excellent walkthrough, but removing the second “callback();” may save the next guy some trouble! Thanks again for your development on this one!

    Post a Reply
  2. This isn’t working for me. I even made the fix in the code Mark mentioned in a previous comment, but no luck. Did something change in Twilio’s service?

    Post a Reply
  3. I can confirm this is currently not working within Twilio.

    I’ve not had much luck with support due to Functions still being in Beta. That said if anyone did set this up you can still get the MFA codes from the Twilio portal if needed.

    I’ve chased this today to get some answers.

    Post a Reply
  4. I tried setting it up today and it didn’t work. Spent a while troubleshooting on it. Looks like this feature isn’t working properly in Twilio.

    Post a Reply
    • Yep they have broken it!

      Apparently it’s being worked on.

      Post a Reply
      • I was able to set it up to where texts are sent as an email to a distribution list in our O365 but the texts stop coming in from Microsoft after a few minutes:
        https://www.twilio.com/blog/2017/07/forward-incoming-sms-messages-to-email-with-node-js-sendgrid-and-twilio-functions.html

        I spoke with Twilio’s Support Team and they let me know: “Verification codes from third parties are also not supported and violate our AUP.”

        I’ll let you know if I come to a resolution or if the email option is viable.

        Post a Reply
        • Note:
          Texts from Microsoft’s MFA don’t show up in Twilio’s logs either. I can get two MFA codes and then it will stop working and I have to provision another phone number.

          Post a Reply
  5. I would like to give an update on my journey with this. I worked with Twilio and Microsoft support on this. I could never get the Teams method to work, but I was able to set it up to program it to forward all text messages to a shared mailbox.

    The BIGGEST problem is Twilio has decided MFA text messages violate their AUP. They will block MFA messages after they detect a phone number has received them. Even if they fix the Teams integration, Twilio has begun blocking MFA messages. Here’s an email I received from Twilio Support:

    “Thank you for sharing the Message SID example. I further investigated into this example. After checking this example, I can confirm that Twilio as a platform does not support receiving inbound verification codes such as verification codes from Microsoft and other services. This is against our Acceptable Use Policy. What happens is that our system will track patterns and if we noticed continuous inbound verification messages from other services, our system will automatically block these type of messages.”

    Post a Reply
  6. Twilio seems to work quite well as an SMS message delivery solution, but there have been concerns as to the general weakness of sending codes via SMS as opposed to using hardware tokens.

    Post a Reply
    Hi, you can use Messagebird, they do SMS->E-mail and use the Teams channel mail address.
    Or send it to a shared mailbox and automatically forward it to the Teams channel to have some logging and alternative methods to see the MFA code.

    Post a Reply
    • Just spoke to their support and it’s against their terms and conditions and they will close down accounts they see using it this way.

      Post a Reply
  8. We have also just had issues with this and Twilio support have now said they do not support this.

    Post a Reply

Trackbacks/Pingbacks

  1. How To Manage Multiple Microsoft Office 365 Tenants For MSP’s | SlashAdmin Life in IT - […] solution is to use something like this Twilio SMS to Teams MFA setup. This works really well but is…
