Setting up multi-factor authentication for Office 365 is extremely easy for administrators. The biggest challenge for administrators is user training. This blog will guide you through initial setup and some of the items to review with end users to help ease the transition.
Setting up multi-factor authentication is simple. From your Office 365 Admin portal, go to Users > Active Users in your left hand navigation. Above the list of users you'll see "Set Multi-factor authentication requirements." Select Set Up.
Select the user or users you want to enable for and select Enable in the quick steps to the right. That’s it! Super easy. Now comes the difficult part.
User explanation and adoption
The first thing to do when changing anything for users is to explain why. In this case I find it helpful to try explain that multi-factor authentication is currently the best way we have to allow the mobility that users want while still maintaining a secure environment. If someone guesses your Office 365 password, they still can’t access sensitive company information. A large number of the major hacks in the past few years come from knowing someone’s password (think Sony or the Houston Astros). Multi-factor authentication prevents that type of unwanted access, which is better for both the user and the company.
The second thing i always try to do is be firm but understanding. People don't like change, but waffling never gets anything done. Multi-factor authentication adds another level of complexity to a user's login routine. Accept that fact and try to be understanding, but make it clear that it is that way for everyone and the benefit outweighs the cost of a data breach.
Third comes knowledge. Have documentation prepared to help users to set up their apps after the change. Explaining how to set up the Azure Authentication app on the phone is a good start.
Next, you'll need to explain what an app password is and when to use it.
What is an app password? Basically, it is a way for Office 365 to grant access to an application that cannot send a verification code by creating a one-time use password that can be stored by the application. For example, the Skype for Business app on your phone doesn't use a web browser to authenticate your credentials so it needs a password. When you see an application that asks for your username and password and doesn't have the Microsoft Office 365 branding on it, it needs an app password.
How do I get an app password?
1. Log in to Office 365.
2. Select the gear in the upper right.
3. Select Office 365 Settings.
4. Select Additional Security Verification and click the link that says "Update your phone numbers used for account security."
5. On the next page select app passwords at the top (it looks like a header, but is actually a link).
6. Click Create.
A few more notes about app passwords:
- Make sure to use one app password per app. Don't save the password! These are meant to give one-time access to one app.
- Name each app password well. Since you only should be using one password per app, you want to make sure you remember what apps have passwords.
3. It's worth saying a second time: Don't save the password!
Windows 8.1 vs Windows 10
Windows 10 has the ability to verify your account. There are currently limitations to setting up your initial user as your Office 365 user (this maybe a blog for later time). We have found it easier to set up a Windows 10 machine under a Microsoft Account rather than a Work or School Account (Office 365) and add the Office 365 account to that Microsoft Account.
This can be done in Settings > Accounts > Your email and accounts. This option allows you to verify your user account with multi-factor authentication and will reduce the number of verifications per day when logging into Office 365 (to 1 or 2 times).
Windows 8.1 does not allow you to add a Work or School Account to your profile. This means those users have to verify their Office 365 logins more often (usually 4-5 times per day). This is something to be aware of.
Multi-factor authentication in Office 365 is easy to setup and pretty easy to use once users get used to it. It is also far more secure. There is a little initial pain, but overall it is pretty smooth and I am confident that Microsoft will continue to make it easier for users as they move forward.