Multi-factor authentication is a necessity these days. As mentioned in our previous blog post (LINK), scammers are actively trying to gain access to end-user mailboxes for their own malicious activities. Most people think of this attack as hacking, but this couldn’t be further from the truth: access is often gained simply by supplying the mailbox’s actual credentials. Especially in the legal profession, hackers getting access to your sensitive and privileged data could result in serious liability for your company.

While using a password manager, such as LastPass or OnePass, is the best approach, some users find this complex. Forcing the use of multi-factor authentication improves security even for the users who keep reusing the same password over and over again. Scammers obtain these credentials by purchasing them on the dark web or from previously successful phishing or spear-phishing email campaigns (example snapshot below). Nearly all of these attempts to access an Office 365 account can be thwarted by enabling multi-factor authentication (MFA). Not only is MFA the next step in securing an Office 365 account, it is also becoming more common for cloud services (banking websites, for example) to have it enabled by default.

Below we will go through the steps of configuring MFA on your Office 365 tenant, enabling MFA on the desired accounts, and then reviewing how some applications interact with MFA.
Configure MFA
- Log into Office 365 Admin Center (https://admin.microsoft.com)
- Click on “Users” -> “Active Users”
- Click on “More” button -> “Multifactor Authentication Setup”
- Click on tab at top called “Service Settings”
- Select “Allow users to create app passwords to sign in to non-browser apps”
- Select at least the following three verification options:
  - Text message to phone
  - Notification through mobile app
  - Verification code from mobile app or hardware token
- Select “Allow users to remember multi-factor authentication on devices they trust”
  - Usually 60 days (2 months) provides the best end-user experience
Enabling MFA on Office 365 accounts
If you are not continuing from the previous section, follow steps 1-3 above to access the Multi-Factor Authentication portal.
- Click on “users” tab to enable individual users
- Select the desired user
  - Fair warning: this portal is slow for some tenants and can take a moment or two to refresh when you click on the next arrow
- Click on “enable” button
- On confirmation pop-up click “enable multi-factor auth”
- Direct the user to https://portal.office.com to log in with their O365 credentials
- Click “Next” on the More information required pop-up
Setting up Text message authentication
- Choose “Authentication phone”
- Enter mobile number
- Select “Send me a code by text message”
- Click Next
- Enter code sent to phone & click “Verify”
Setting up Authenticator App
- Choose “Mobile App”
- Select option “Receive notification for verification”
- Click “Set up” button
- Download the app from the App/Play store and scan the code provided on the screen
Known applications that require an app password
Outlook for Windows
- Click on “start” and type “Credential Manager” -> Click app to open
- Select “Windows Credentials” -> delete all stored passwords for Office/Outlook
- Restart computer
- Launch Outlook; it will ask for credentials in one of two different styles:
  - Web Portal pop-up (Modern authentication)
    - Fill in email address & password
    - Follow the MFA prompts
  - Windows Security pop-up
    - Fill in email address
    - Use the previously created App Password in the “password” field.
Outlook for Mac
- After Outlook is open, click on “Outlook” in the menu bar -> select “Preferences”
- Click on “Account” -> Select the Office 365 account -> click on “-” to delete the account
- Click on “+” to add account -> type in email address -> click “Continue” button
- Follow on-screen prompts to authenticate your account with MFA
Outlook & built-in mail for Mobile
Outlook for mobile devices (iOS & Android) is fully compatible with modern authentication, and you should be able to follow the on-screen prompts to add the account. Special note: if email is already configured on the device, you can wait for MFA to kick in, but we recommend removing the account and adding it back as soon as MFA has been configured. The built-in mail apps for the major manufacturers (Apple, Samsung, LG) are also compatible with modern authentication.
PowerShell for O365 Administration
For MFA and PowerShell to work together, the Exchange Online PowerShell Module must first be downloaded from the Exchange admin center using Internet Explorer (the download will not work with Chrome or Firefox).
- Log into Office 365 Admin Center (https://admin.microsoft.com)
- Expand “Admin Centers” in left blade -> click “Exchange”
- Click on “Hybrid” -> click on second “Configure” button to install the Exchange Online Remote PowerShell Module
- Follow the prompts to install the module
- Launch the “Microsoft Exchange Online PowerShell Module” from your start menu and use the following command to connect (replace GlobalAdminUPN with the user principal name of your global admin account):
  - Connect-EXOPSSession -UserPrincipalName GlobalAdminUPN
- Fill out the pop-up form (this is where the MFA prompt appears)
- You will now be able to run your standard Office 365 PowerShell commands
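Once connected, the check an admin usually wants is which accounts actually have per-user MFA switched on, matching the “Enable” step from the “Enabling MFA on Office 365 accounts” section above. The script below is an added example, not code from the original post; it assumes the MSOnline module (Install-Module MSOnline) rather than the Exchange Online module, and the report path is an assumption.

```powershell
# Added example (not from the original post): report the per-user MFA state that the
# MFA portal's "Enable" button sets, so every mailbox can be confirmed as covered.
# Assumes the MSOnline module is installed and the signed-in account is a global admin
# already enrolled in MFA (the MFA challenge appears during Connect-MsolService).
Import-Module MSOnline -ErrorAction Stop
Connect-MsolService   # interactive sign-in with the MFA prompt

function Get-MfaStatusReport {
    # Licensed users only; drop the IsLicensed filter to include unlicensed objects
    Get-MsolUser -All | Where-Object { $_.IsLicensed } | ForEach-Object {
        # StrongAuthenticationRequirements is empty until MFA is enabled for the user.
        # State is "Enabled" (user must register at next sign-in) or "Enforced"
        # (registration completed and MFA required on every sign-in).
        $req = $_.StrongAuthenticationRequirements | Select-Object -First 1
        $state = if ($req) { $req.State } else { "Disabled" }

        # Registered methods, e.g. OneWaySMS (text message), PhoneAppNotification,
        # PhoneAppOTP (verification code), as chosen during the user's setup.
        $methods = ($_.StrongAuthenticationMethods | ForEach-Object { $_.MethodType }) -join ";"

        [pscustomobject]@{
            UserPrincipalName = $_.UserPrincipalName
            MfaState          = $state
            Methods           = $methods
        }
    }
}

$report = Get-MfaStatusReport
# Output path is an assumption; adjust as needed.
$report | Export-Csv -Path ".\mfa-status.csv" -NoTypeInformation

# Accounts still reporting "Disabled" are the follow-up list for the "Enable" step.
$report | Where-Object { $_.MfaState -eq "Disabled" } | Format-Table -AutoSize
```

Accounts that show “Enabled” but no registered methods have not yet completed the portal.office.com setup described above and will be prompted at their next sign-in.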
Wrap-up
In short, multi-factor authentication (MFA) is a necessity in today’s workplace. Even if a bad actor somehow obtains active credentials, MFA lets a user prevent them from accessing sensitive information. If you want to read more about Office 365 security, take a look at our most recent post about email forwarding here (LINK).