
Microsoft Office 365 Multi Factor Authentication – Your Questions Answered

Multi-Factor Authentication (MFA), sometimes referred to as Two-Factor Authentication (2FA), is a method of requiring more than one form of authentication before granting access to a service, usually an online public-facing one. You may, however, also find it on internal systems. Enabling MFA on your Office 365 tenant is a must, and you should do this TODAY.

You have been using MFA for years – you just didn’t know it!

Do not overthink MFA: you have all been using it for many years for online banking, where you are required to provide a password followed by a randomly generated code from a separate device. Historically, this device was a plastic card reader provided by your bank, but in recent years this has switched to a code generated inside the banking application on your mobile device.

The result is that someone attempting to compromise your account would need both your password and your second-factor device, which is near impossible (aside from some malware now attacking mobile devices to steal codes, against which we recommend mobile device protection).

How does Microsoft MFA work? What are the methods?
When we talk about Microsoft Office 365 MFA, this typically comes in the form of the Microsoft Authenticator app, which you can download on your mobile device. However, the other common methods are as follows:

  • An automated call to your phone – not recommended.
  • A code sent via SMS Message – not recommended.
  • Microsoft Authenticator.
  • A physical USB dongle device, such as a YubiKey (https://www.yubico.com/).
  • A notification via a mobile application.

Why are calls and SMS methods not recommended?
In our opinion, calls and SMS are not recommended methods to authenticate, due to “SIM swap” attacks, where a hacker calls your provider and requests a swap to a new SIM card. If successful, this allows them to receive all your calls and SMS messages without you realising the SIM swap has even happened.

There have even been reports online of insiders working at mobile providers performing SIM swaps for hackers, so that no social engineering was needed at all. There are also several phishing email templates circulating online, pretending to be your provider with a “billing issue”, which, if believed, will see you provide a hacker with the answers to your secret questions, so that when they call your mobile provider, they can get through security and swap your SIM.

Will I be asked to supply a new code EVERY time I use my Office 365 system?
Simply put, no. Typically, your MFA code is only required when:

  • You are setting up a new device, or an existing device needs reconfiguring, such as following a support issue.
  • When logging into any Microsoft Office 365 platform via the web, as this is of course considered to be an untrusted device.

Once enabled, what is available to stop my team disabling their MFA themselves?
Microsoft Azure (the backbone of Microsoft Office 365) now has security defaults that force your team to register their MFA choices. However, this only happens when they log in to the web platform, so it is far from reliable if you want to ensure everyone has set up their Microsoft Authenticator.

The best way to achieve this is by setting “Conditional Access” policies inside Azure, which requires a single Azure Premium license for your tenant. Once enabled, you will be able to add policies to force MFA at tenant level, meaning it cannot be disabled by individual users.

We have a high turnover of users and devices, and I can see MFA taking a lot of manpower to initialise each time. Can anything be done to ease this?
Inside Microsoft Azure, you can add “Trusted IPs” to bypass the MFA requirement, and if your office has a static IP, it can be added here. However, this does open you up to IP spoofing, where someone spoofs your IP address and pretends to be you, although they would of course also need to know your Microsoft Office 365 password to gain access. We would strongly advise against this method unless truly necessary.

If you do add a trusted IP address, some of your users may never initialise MFA, as they will never be prompted to do so unless they access from outside of the trusted zone. For this reason, we recommend adding an additional conditional access policy that only allows MFA registration from the same IP as your trusted location; otherwise, a password leak would mean the person holding the password is prompted to initialise MFA, registers their own device, and then gains access. With this in place, you will need users to go to the dedicated page for registering their device, as of course they will never be prompted to do so inside the Trusted Location. You can find this dedicated page here.
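The two policies discussed above (tenant-wide MFA enforcement, and MFA registration restricted to trusted locations), as an added example using the Microsoft Graph PowerShell SDK; this is not code from the original post. It assumes a named location already marked as trusted in the tenant, and the break-glass account object ID is a placeholder.

```powershell
# Added example (not from the original post): two Conditional Access policies
# created through the Microsoft Graph PowerShell SDK. Requires Conditional
# Access licensing and a named location already defined as "trusted".
# Both policies start in report-only mode so their effect can be reviewed in
# the sign-in logs before switching state to "enabled".
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Object ID of an emergency-access ("break glass") account to exclude.
# Placeholder value; replace with the real object ID.
$breakGlassId = "00000000-0000-0000-0000-000000000000"

# Policy 1: require MFA for every user on every cloud app, so individual
# users cannot opt out.
$requireMfa = @{
    displayName   = "CA01 - Require MFA for all users"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $requireMfa

# Policy 2: block the "register security info" user action from everywhere
# except trusted named locations, so a leaked password alone cannot be used
# to enrol an attacker's own device as the second factor.
$restrictRegistration = @{
    displayName   = "CA02 - Restrict MFA registration to trusted locations"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications   = @{ includeUserActions = @("urn:user:registersecurityinfo") }
        locations      = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $restrictRegistration
```

Review the report-only results in the Azure sign-in logs before changing each policy's state to "enabled", and keep the break-glass account excluded from both.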

What could happen if MFA is disabled?

Enabling MFA for your Microsoft Office 365 tenant is a must for all businesses, no matter how big or small. With MFA disabled, several situations could occur:

  • Leaked passwords could see hackers gain access to your cloud resources such as your emails, files, and more.
  • Man-in-the-middle attacks can occur on your email system, where the party compromising your account acts as you, altering and resending emails from your sent items, for instance changing the bank account details on invoices to their own and then deleting the sent item afterwards.
  • Files that are accessed can be placed online in a public place, with a ransom requested in return for taking the files offline, which would constitute a major data breach.

These days, Microsoft recommends MFA over regular password changes, because regular password changes have become less secure owing to the limited nature of the change most users make, for example the 1 at the end of the password becomes a 2, and so on.

I don’t trust my employees with the code, I’m worried they will lose their device, or they refuse to use their own devices for work purposes.
We hear this a lot, and if it arises, there is a simple solution. We recommend that anyone facing this issue purchase a central device, such as a basic Android tablet, that is kept in the office under management supervision. You can pick up such a device for less than £100.

Need Help Setting Up MFA?

When it comes to simple-to-deploy protections such as MFA, you should take no shortcuts. You can use the free MFA included with Microsoft Office 365, or you can choose a broader solution such as Duo to protect everything, including your Windows logins.

If you have any questions or would like us to help with the security of your Microsoft Office 365 tenant, please get in touch today.

Author: Dave King

Dave King is the Co-Founder and Director of Carden IT Services and the wider Carden IT Group. Dave has over 18 years’ experience in business IT networks with a focus on IT consultation and disaster recovery planning/testing.