Thursday, May 25, 2017

Multi-Factor Authentication Setup-Office 365

What is Multi-Factor Authentication

Two –step verification is a method of authentication that requires more than one verification method and adds a critical second layer of security to user sign-in and transaction. Azure multi-factor authentication is the method of verifying who you are that requires the use of more than just a username and password. Users are required to acknowledge a phone call, text message, or app notification from their smartphone after entering their passwords and they can only login after second authentication factor has been satisfied.
There are multiple options for verification methods:
  •          Typical Password
  •          Trusted device that is not easily duplicate such as a Phone
  •          Biometrics

Why use Azure Multi-Factor Authentication

Today, every organization having the facilities to work from anywhere, connected from anywhere and people are increasingly connected with their smartphones, tablets, laptops and PCs, which means they need more security to access the company’s application, email etc. Azure multi-factor authentication is an easy to use and reliable solution for accessing your emails & applications. Azure multi-factor authentication is very simple to set up and use, it can set up with just a few simple clicks with extra protection to allows users to manage their devices. Azure MFA integrated cloud and on-premises Active Directory and Apps it also good for mission critical scenario. Azure MFA provide strong authentication using highest industry standards.

How Azure Multi-Factor Authentication Works

Azure Active Directory is the authentication authority for Office365, this application developed to support MFA use the Active Directory Authentication Library (ADAL) to authenticate to services using OAuth 2.0. OAuth is an open standard for authentication that is supported by many other third party vendors. The client application such as Outlook, OWA use Active Directory Authentication Library(ADAL) to get access to users’ data using the access tokens acquired through the authentication process. Using access tokens means that the applications can continue to access data without having to store or provide user credentials. There is two type of the tokens are used, a refresh token is issued following a successful user authentication. This is the master token that is used to acquire the access tokens necessary to access user data. For example, when the Outlook first connects and authenticates with Office365 a refresh token to get an access token that’s valid for Exchange, the same token is valid across the Office 365. A refresh token lasts two weeks; refresh tokens generate by Azure Active Directory. If you are not using /office 365 the more than two weeks, the refresh tokens with expiring and will need to be reestablished through authentication.

                          Photo courtesy of Microsoft

Methods available for two-step verification

When a user signs in, an additional verification is sent to the user. The following are a list of methods that can be used for this second verification.

Phone Call  
A call is placed to a user’s registered phone asking them to verify that they are signing in by pressing the # sign or entering a PIN. 
Text Message
A text message will be sent to a user’s mobile phone with a six-digit code.Enter this code in to complete the verification process.
Mobile App Notification 
A verification request is sent to a user’s smartphone asking them to complete the verification by selecting Verify from the mobile app. This will occur if you selected app notification as your primary verification method. Example -Phone Sign In -Microsoft Authenticator
Mobile app verification code
The mobile app, which is running on a user’s smartphone, displays a 6-digit verification code that changes every 30 seconds. The user finds the most recent code and enters it on the sign-in page to complete the verification process. This will occur if you selected a verification code as your primary verification method.
3rd party OATH tokens
Azure Multi-Factor Authentication can be configured to accept 3rd party verification methods.

Set up Multi-Factor Authentication in the Office 365

Go to the Office 365 admin center.
Navigate to Users and select Active Users then click on more option and select Setup Azure multi-factor auth, Your screen should look like one of the following:

Once clicked on Azure multi-factor auth, you will see the all users list

Now we need to enable MFA for one particular user, we can search and select user and enabled MFA

Once click on enable multi-factor auth you will get the confirmation.

Here you can see the users status

Also, you can set the setting  from manage user settings

Here are the user's settings for MFA

Also, you can set the service settings

Now time to log in with account, we have given the account

Now here you can see asking for security verification and click on setup
Now set the additional security verification

Set up the Phone Authentication preferences

Set up the Office Phone Authentication preferences

Here you can set up Mobile App notification if you want

Now set the additional security verification and set the phone number whare you will get text or call, as I choose the "Authentication Phone" number

Now you can see the text message has been sent to selected mobile number

Now you can see the app password has been received
Once we set up the security, now this will be my login page, where I have to put the verification code

We can also verify via Power Shell

C:\>Import-module msonline

We will get the following log in windows
Here we will get the got the verification code and after entering the verification code we logged in

There are three versions of multi-factor authentication:

  • Multi-Factor Authentication for Office 365
  • Multi-Factor Authentication for Azure Administrators
  • Azure Multi-Factor Authentication

here is the feature comparison of versions

Azure Multi-Factor Authentication provides selectable verification methods for both cloud and on-premises.

Happy Learning!

Thank you!