Multi-factor authentication is a necessity these days. As mentioned in our previous blog post (LINK), scammers are actively trying to gain access to end-user mailboxes for their own malicious activities. Most people think of this attack as hacking, but this couldn’t be further from the truth; often access is gained simply by providing the actual credentials to the mailbox. Especially in the legal profession, hackers getting access to your sensitive and privileged data could result in serious liability for your company. While using a password manager, such as LastPass or OnePass, is the best approach, some users find this complex. Forcing the use of multi-factor authentication improves security even for the users that keep reusing the same password over and over again. The scammers obtain these credentials by purchasing them on the dark web or from previously successful phishing or spear-phishing email campaigns (example snapshot below). Nearly all of these attempts to access an Office 365 account can be thwarted by enabling multi-factor authentication (MFA). Not only is MFA the next step in securing an Office 365 account, but it is becoming more common among cloud services to have it enabled by default (banking websites, for example). Below we will go through the steps of configuring MFA on your Office 365 tenant, enabling MFA on the desired accounts, and then reviewing how some applications interact with MFA.

Configure MFA

  1. Log into the Office 365 Admin Center (https://admin.microsoft.com)
  2. Click on “Users” -> “Active Users”
  3. Click on the “More” button -> “Multifactor Authentication Setup”
  4. Click on the tab at the top called “Service Settings”
    1. Select “Allow users to create app passwords to sign in to non-browser apps”
    2. Select at least the following three options
      1. Text message to phone
      2. Notification through mobile app
      3. Verification code from mobile app or hardware token
    3. Select “Allow users to remember multi-factor authentication on devices they trust”
      1. Usually 60 days (2 months) provides the best end-user experience

Setting up multi-factor authentication

Continue from here to enable MFA on select accounts, as Microsoft provides the ability to enable MFA on a per-account basis to allow for a staged roll-out. Once MFA is enabled on an account, the end user will need to log into the web portal to finish the activation.

Enabling MFA on Office 365 accounts

If you are not continuing from the previous section, follow the above steps (1-3) to access the Multi-Factor Authentication portal.

  1. Click on the “Users” tab to enable individual users
  2. Select the desired user
  3. Fair warning: this portal is slow for some tenants and can take a moment or two to refresh when you click on the next arrow
  4. Click on the “Enable” button
  5. On the confirmation pop-up click “Enable multi-factor auth”
    Enabling multi-factor authentication by user

  6. Direct the user to https://portal.office.com to log in with their O365 credentials
  7. Click “Next” on the “More information required” pop-up

Pop-up seen during first login

There are two primary ways for the end user to interact with MFA: a text message, or an authenticator app downloaded from the App Store or Play Store.

Setting up Text message authentication

  1. Choose “Authentication phone”
  2. Enter the mobile number
  3. Select “Send me a code by text message”
  4. Click Next
    Enabling text message authentication

  5. Enter the code sent to the phone & click “Verify”
    Confirming the text message setup

Setting up Authenticator App

  1. Choose “Mobile App”
  2. Select option “Receive notification for verification”
  3. Click “Set up” button
    Setting up the authenticator app

  4. Download the app from the App Store or Play Store and scan the code provided on the screen

Configuring via a QR code

The next page will provide an app password that should be recorded in a temporary location, as it will be needed in some of the scenarios below. If the password is lost, a new app password can be generated from the user’s Office 365 “account” page.

Creating an app password

At this point the user’s account is successfully protected with multi-factor authentication. The next steps are to reconfigure the authentication settings in the required software & hardware devices. Below are just a few examples on how to do this.

Known applications that require an app password

Outlook for Windows

  1. Click on “Start” and type “Credential Manager” -> click the app to open it
    1. Select “Windows Credentials” -> delete all stored passwords for Office/Outlook
  2. Restart the computer
  3. Launch Outlook; it will ask for credentials in one of two different styles
    1. Web Portal Pop-up (Modern authentication)
      1. Fill in email address & password
      2. Follow MFA prompts
        Office 365 login

    2. Windows Security pop-up
      1. Fill in email address
      2. Use previously provided App Password in the “password” field.
Windows Security pop up for Outlook

Outlook for Mac

  1. After Outlook is open, click on “Outlook” in the menu bar -> select “Preferences”
  2. Click on “Account” -> select the Office 365 account -> click on “-” to delete the account
  3. Click on “+” to add account -> type in email address -> click “Continue” button
  4. Follow on-screen prompts to authenticate your account with MFA

Outlook & built-in mail for Mobile

Outlook for mobile devices (iOS & Android) is fully compatible with modern authentication, and you should be able to follow the on-screen prompts to add the account. A special note: if email is already configured on the device, you can wait for MFA to kick in, but we recommend removing the account and re-adding it as soon as MFA has been configured. The built-in mail apps for the major manufacturers (Apple, Samsung, LG) are also compatible with modern authentication.

PowerShell for O365 Administration

For MFA & PowerShell to work together, the Exchange Online PowerShell Module must first be downloaded from the Exchange admin center with Internet Explorer (it will not work with Chrome or Firefox).

    1. Log into the Office 365 Admin Center (https://admin.microsoft.com)
    2. Expand “Admin Centers” in the left blade -> click “Exchange”
    3. Click on “Hybrid” -> click on the second “Configure” button to install the Exchange Online Remote PowerShell Module
      Configuring PowerShell administration

    4. Follow the prompts to install the module
    5. Launch the “Microsoft Exchange Online PowerShell Module” from your Start menu and use the following command to connect
      1. Connect-EXOPSSession -UserPrincipalName GlobalAdminUPN (replace GlobalAdminUPN with the user principal name of your global admin account)
      2. Fill out the pop-up form
Login to Exchange Online Remote PowerShell

    6. You will now be able to run your standard Office 365 PowerShell commands
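The per-user enabling steps earlier in this post are done one account at a time in the portal; for a staged roll-out it helps to audit which users still lack MFA and enable a batch at once. The following is an added example (not from the original post), using the legacy MSOnline module (Install-Module MSOnline) rather than the Exchange Online module installed above; Get-MfaState, the $batch list and the example.com UPNs are placeholders of our own.

```powershell
# Added example: audit per-user MFA state and enable MFA for a batch of users.
# Assumes the MSOnline module is installed and you sign in as a Global Admin.
Import-Module MSOnline
Connect-MsolService   # interactive sign-in; honours your own MFA prompt

function Get-MfaState {
    param([Parameter(Mandatory)] $User)
    # StrongAuthenticationRequirements is empty when per-user MFA is off;
    # otherwise State is 'Enabled' (user must register at next sign-in)
    # or 'Enforced' (registration completed).
    $req = $User.StrongAuthenticationRequirements | Select-Object -First 1
    if ($null -eq $req) { return 'Disabled' }
    return $req.State
}

# Report every enabled, licensed user with their MFA state, 'Disabled' first.
$report = Get-MsolUser -All -EnabledFilter EnabledOnly |
    Where-Object { $_.IsLicensed } |
    Select-Object UserPrincipalName,
                  @{ Name = 'MfaState'; Expression = { Get-MfaState $_ } } |
    Sort-Object MfaState, UserPrincipalName
$report | Format-Table -AutoSize

# Staged roll-out: enable MFA for this batch (placeholder UPNs, constructed here).
$batch = @('user1@example.com', 'user2@example.com')
$requirement = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$requirement.RelyingParty = '*'
$requirement.State = 'Enabled'

foreach ($upn in $batch) {
    $current = Get-MsolUser -UserPrincipalName $upn
    $state = Get-MfaState $current
    if ($state -ne 'Disabled') {
        Write-Host "$upn already has MFA ($state); skipping"
        continue
    }
    Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements @($requirement)
    Write-Host "Enabled MFA for $upn; the user completes registration at next sign-in"
}
```

Re-run the report after the batch has signed in once: users still showing 'Enabled' rather than 'Enforced' have not finished registering their phone or authenticator app.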

Wrap-up

In short, multi-factor authentication (MFA) is a necessity in today’s workplace. Even if a bad actor somehow obtains active credentials, MFA allows a user to prevent them from accessing sensitive information. If you want to read more about Office 365 security, take a look at our most recent post about email forwarding here (LINK).