Microsoft estimates that multifactor authentication (MFA) is capable of preventing 99.9% of all account hacking attempts. In light of today’s relentless security threats, MFA is critical and can’t be overlooked if you want to be truly secure.
Office 365 offers two flavors of MFA at present: Legacy MFA and Conditional Access. Legacy MFA will eventually be phased out and shouldn’t be used except as maybe a stopgap – Conditional Access is the way to go. Firstly, it uses the Modern Authentication standard most widely compatible with modern devices. Secondly, it’s far more robust – and Conditional Access allows us a great degree of control over how MFA works.
Note that only certain 365 licenses unlock Conditional Access, namely:
- Microsoft 365 Business Premium (my most highly recommended license)
- Azure AD Premium P1 / P2
- Enterprise Mobility + Security E3 / E5
- Microsoft 365 E3 / E5
Let’s look at building a baseline MFA policy using Conditional Access:
1. Sign in to portal.azure.com as an admin, then select Security from the left menu.
2. From the Security menu, select Conditional Access.
3. From Conditional Access, select +New Policy.
4. This will take you to the policy builder. Give your MFA policy a descriptive name, like “Require MFA”. Select the first condition Users and Groups – then toggle Include and select All Users. We want to apply MFA to all users by default – with one exception, which we’ll see in the next step.
5. Next, we’ll set up an exclusion for one backup admin account. We want this account excluded in case we somehow lose access to our 2nd MFA factors – phone, e-mail, etc. Set up a security group named something like “ExcludeMFA” and add your backup admin account (if you don’t have one of those already, make one now – give it a long, complicated password of at least 16 characters.)
Back in Conditional Access, toggle Exclude, select Users and Groups, then select the ExcludeMFA group.
6. In Cloud Apps or Actions, select All Cloud Apps to apply to all applications and services in Office 365/Azure by default.
7. In Conditions, set Device Platforms and Locations both to Any.
8. In Grant, select Grant Access, then check the box for Require multi-factor authentication.
9. Once the above settings are in place, toggle Enable Policy to On. Congratulations! Your Office 365 is now protected by MFA.
If you get an error saying something about “Security Defaults must be Disabled”, then you need to disable Security Defaults. To do this, go back to the Azure AD home screen, select Properties, then Manage Security Defaults and toggle Enable Security Defaults to No.
10. Finally, users will need to set up their MFA methods at their next login. The next time they sign in, users will first be greeted with this:
Users can set up MFA using text message for a more traditional experience…
…but I recommend users leverage the free Microsoft Authenticator app for MFA. This allows them to use a one-time password, or even more conveniently – a push notification. Either way, it’s more secure on-the-whole:
As with everything else in Azure, Conditional Access is very versatile and can be made to work in a wide number of ways to suit your business needs – but the above is a baseline MFA policy that will lock down your 365 accounts and provide the crucial security you need to protect against modern threats.
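The same baseline policy, built the way steps 4 through 9 describe but from a Microsoft Graph PowerShell script instead of the portal. This is an added example, not code from the original post or from Microsoft: the cmdlets are the real Microsoft Graph PowerShell SDK ones, while the break-glass account UPN and the `ExcludeMFA` group name are placeholders you would replace. It also handles the Security Defaults error from step 9 and offers a report-only switch so you can watch sign-in logs before enforcing.

```powershell
# Added example (not from the original post): creates the baseline "Require MFA"
# Conditional Access policy with the Microsoft Graph PowerShell SDK.
# Prerequisite: Install-Module Microsoft.Graph
# Placeholders (assumptions): $BreakGlassUpn and $ExcludeGroupName.
param(
    [string]$PolicyName       = "Require MFA",
    [string]$ExcludeGroupName = "ExcludeMFA",
    [string]$BreakGlassUpn    = "breakglass@contoso.example",  # placeholder, change this
    [switch]$ReportOnly                                       # evaluate without enforcing
)

# Permissions needed to manage groups/members, read users and write CA policies
Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All", `
                        "Policy.ReadWrite.ConditionalAccess", "Policy.ReadWrite.SecurityDefaults"

# Step 9 caveat: Conditional Access cannot be enabled while Security Defaults are on
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($sd.IsEnabled) {
    Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$false
}

# Step 5: security group for the backup admin that is excluded from MFA
$group = Get-MgGroup -Filter "displayName eq '$ExcludeGroupName'"
if (-not $group) {
    $group = New-MgGroup -DisplayName $ExcludeGroupName -MailNickname $ExcludeGroupName `
                         -MailEnabled:$false -SecurityEnabled:$true
}
$admin = Get-MgUser -UserId $BreakGlassUpn
$members = Get-MgGroupMember -GroupId $group.Id
if ($members.Id -notcontains $admin.Id) {
    New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $admin.Id
}

# Steps 4, 6, 7, 8: all users minus the exclusion group, all cloud apps,
# no platform/location condition (which means "Any"), grant access only with MFA.
$policy = @{
    displayName   = $PolicyName
    state         = if ($ReportOnly) { "enabledForReportingButNotEnforced" } else { "enabled" }
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeGroups = @($group.Id) }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy '$($created.DisplayName)' (id $($created.Id), state: $($created.State))"
```

Run it once with `-ReportOnly` and review the Conditional Access sign-in report for a few days; when nothing unexpected shows up, rerun without the switch (or flip the policy to On in the portal) to enforce it. The exclusion group is checked for existing membership so the script can be rerun safely, and the break-glass account should remain the only member.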