It’s a no-brainer to enable multi factor authentication when using Office 365 , or for any other platform. There are just way too many password breaches, phishing attempts and other attack vectors that will allow attackers to gain access to an account with a password.
Microsoft have made it super simple to enable Multi Factor Authentication (MFA) for Azure and Office 365; which is great. However, there are a few prerequisites and other challenges that may cause issues in doing so.
From our experience, here is a full walkthrough.
Prerequisites for enabling MFA on Office 365
- You must be an Office 365/Azure global admin to do these steps; and
- DirSync must be enabled and Azure AD setup.
How to enable MFA for Office 365
Set up multi-factor authentication in Azure
Set up multi-factor authentication in the Office 365 admin centre
- Go to Users > Active users; and
- Choose More > Setup Azure multi-factor auth. If you don’t see the More option, then you do not have a global admin for your subscription.
- Find the people for whom you want to enable MFA. In order to see everyone, you might need to change the Multi-Factor Auth status view at the top.
The views have the following values, based on the MFA state of the users:
- Any: Displays all users. This is the default state.
- Enabled: The person has been enrolled in MFA, but has not completed the registration process. They will be prompted to complete the process the next time they sign in.
- Enforced: The person may or may not have completed registration. If they have completed the registration process, then they are using MFA. Otherwise, they will be prompted to complete the process the next time they sign in.
- Select the check box next to the people for whom you want to enable MFA;
- On the right, under quick steps, you’ll see Enable and Manage user settings. Choose Enable; and
- In the dialog box that opens, choose enable multi-factor auth.
Allow MFA users to create App passwords for Office client apps
MFA is enabled per user. This means that if a user has MFA-enabled, they won’t be able to use a non-browser client, such as Outlook 2013 with Office 365, until they create an app password.
An app password is a password that is created within the Azure portal and that allows the user to bypass MFA and continue to use their application.
All Office 2016 client applications support MFA through the use of the Active Directory Authentication Library (ADAL). This means that app passwords aren’t required for Office 2016 clients.
However, if you find that this is not the case, make sure your Office 365 subscription is enabled for ADAL.
- You must be an Office 365 global admin to do these steps;
- Go to the;
- Go to Users > Active users; and
- Choose More > Setup Azure multi-factor auth. If you don’t see the More option, then you aren’t a global admin for your subscription.
- On the multi-factor authentication page, choose service settings.
- Under app passwords, choose Allow users to create app passwords to sign into non-browser apps.
People can then use client Office apps after they create a new password. Choose Save, then choose Close.
Manage MFA user settings
- You must be an Office 365 global admin to do these steps;
- On the multi-factor authentication page, select the check box next to the people you want to manage;
- On the right, under quick steps, choose Manage user settings;
- In the Manage user settings dialog box, select one or more of the following options:
- Require selected users to provide contact methods again
- Delete all existing app passwords generated by the selected users
- Restore multi-factor authentication on all remembered devices
- Choose Save, then choose Close.
Bulk update users in MFA
You can bulk update the status for existing people by using a CSV file. The CSV file is used only for enabling or disabling MFA, based on the usernames present in the file.
It is not used to create new users.
- You must be an Office 365 global admin to do these steps;
- On the multi-factor authentication page, choose bulk update;
- In the Select a CSV file dialog box, choose Browse for file;
- Browse for the file that contains the updates, then choose Open. The column headings in your file must match the column headings in the following example:
- Choose the Next arrow;
- After the file is verified, choose the Next arrow to update the accounts; and
- When the process is finished, choose the Done checkmark.
Using App Passwords for applications that do not support modern authentication
Some of these applications are Skype, iPhone native mail app, 3rd party email integrations. An easy way to test if your application does not support modern authentication is: once the MFA is enabled, and you are prompted for your password, and no matter how many times you add your correct password you are not authenticated.
At this point you want to create an App Password.
- Go to https://aka.ms/MFASetup
- Click “app passwords” (It’s a light grey and clickable top right)
- Copy and paste the code into the password prompt for your app and that should log you in. Remember this is the only time this code will display so either save it in a password manager or just forget about it.
If you need to recreate it in future do so, but please don’t write it down anywhere.
Outlook 2013 and older
Yes, Outlook 2013 and older do not support modern authentication out the box and require a regedit to resolve this issue, or upgrade to Outlook 2016.
“data file cannot be read”
To enable modern authentication for any devices running Windows (for example on laptops and tablets) that have Microsoft Office 2013 installed, you need to set the following registry keys.
The keys have to be set on each device that you want to enable for modern authentication:
Unable to create App Passwords
When a user tried to create an App Password and gets the following error: An error was encountered. Could not create app password. Please try again later. Correlation ID:
You need to reset the users MFA profile and app passwords. To do this, go to MFA Admin Center and find the user and click Manage user settings. Then select the following
- Require selected users to provide contact methods again.
- Delete all existing app passwords generated by the selected users.
Ask the user to login and setup their MFA again and this should resolve the could not create app password issue.
Change control steps to ensure awareness and less support calls
Make sure to include all users in the process when enabling MFA. Its not a great idea to let them discover this new magical two step verification on their own, there will be drama.
- Communicate early about the reason behind the MFA and when the MFA will be implemented;
- Make sure users who are working with non modern authentication software are aware of the App Password requirements;
- Share videos and documentation on how to setup MFA once enabled. - How To Set Up Multi-Factor for Your Account; and
- Send out a reminder before and after MFA has been enabled
With this information on hand, all of your issues should be resolved.