Office 365 continues to expand, and more and more small businesses are joining the service daily. The problem is that a popular system becomes a target for hackers, who prey on weak passwords and use compromised accounts to their advantage, usually for monetary gain.
Passwords – Dos and Don’ts
Passwords have been around since the early days of computing, and yet we are no better at them than we were back then.
Let’s look at the basic password and the dos and don’ts that we should all be following:
- Make your password at least 10 characters long; the longer the better. Instead of a word, try using a phrase: this will naturally have more than 10 characters and will probably be easier to remember.
- Include both upper and lower case letters
- Include numbers
- Include punctuation, e.g. @!”£$()
- Use a password safe for storing the passwords of important accounts
- Don’t use simple words (Password, secret, your name etc.)
- Don’t use your company name in the password
- Don’t use the same password for all your accounts (this is more common than you’d think)
- Don’t keep passwords in a notebook in your drawer
Ok, so that’s the basics out of the way. These are great, but even the best passwords can be hacked given time. How do we prevent our Office 365 accounts from being compromised? There are a number of options within the Office 365 estate, some of which come at additional cost.
Today we are going to focus on the technology that is included with every Office 365 subscription: “Multi-Factor Authentication”, or MFA for short. It is a simple concept (I would wager that you already use MFA in one form or another in your life outside of the business). First you are prompted for something you know, your password. Then you are prompted for something you own, e.g. your phone, on which you receive a text message. This is called “second factor authentication”, or 2FA for short. The second authentication method proves that the person entering the password is the owner of the account. If a hacker did manage to guess a password they wouldn’t get any further, because they don’t have the second factor.
The additional advantage is that the actual owner of the account being attacked would get a 2FA prompt on their phone. This will raise alarm bells that something isn’t right, and they can take action, e.g. change their password.
How to Configure Office 365 Multi-Factor Authentication
Ok, you’ve decided that it’s time to tighten up your business security and implement MFA for your users. The process is quite simple to implement, but if you have a number of employees you’ll need to plan the steps to prevent users having a bit of a melt-down, which is generally what happens when you change something in IT.
At this point it is worth mentioning that, because you are tightening up your security, you need to ensure that email clients are compatible, otherwise users could lose access to their email accounts. If you are on Business Premium your client applications are bang up to date and are fully compatible with MFA.
The following list shows supported mail clients.
- Outlook 2016 and above (note that Outlook 2013 can support MFA with edits to the registry; details can be found here)
- Apple Mail (iOS v11 and above)
- Outlook App (Apple/Android)
It is worth noting that older apps can be used with an “app password” (covered later in this blog), but these passwords are generally regarded as no more secure than a standard password, so they should only be used as a last resort. The best approach is to upgrade to a client that supports modern authentication.
Let’s switch on Modern Authentication
The first thing we need to do is switch on “Modern Authentication” within your Office 365 tenant. If you have purchased Office 365 in the last 18 months then this will most likely be on already; if you have an older tenant then it is probably not enabled. Either way it’s worth checking.
- Go to the Office 365 administration portal (LINK)
- Click on “Settings” from the left hand menu and click on “Services & add-ins”
- Click on “Modern authentication”
- Ensure that it is “Enabled” and then click “Save Changes”
We have now enabled (or checked that it’s enabled) modern authentication on your Office 365 tenant.
You will notice that only Exchange Online is mentioned in the information above; this is because modern authentication is enabled by default for SharePoint. If you are still using Skype for Business then you will need to enable modern authentication for it via PowerShell. A good guide on how to do this can be found HERE.
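The same check and switch can be done from PowerShell, which is handy if you manage several tenants or want a record of the setting. The script below is an added example and is not from the original post; it assumes the ExchangeOnlineManagement module (for Exchange Online) and the Skype for Business Online connector module are installed, and the admin account name is a placeholder.

```powershell
# Added example (not from the original post): check and enable modern authentication
# (OAuth 2.0) for Exchange Online, mirroring the portal steps above.
# Assumes the ExchangeOnlineManagement module is installed; the admin UPN is a placeholder.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.onmicrosoft.com

# Step 1: read the current setting. $false means the tenant still relies on legacy basic auth.
$config = Get-OrganizationConfig
"Exchange Online modern authentication enabled: $($config.OAuth2ClientProfileEnabled)"

# Step 2: turn it on if it is off (the equivalent of 'Enabled' + 'Save Changes' in the portal).
if (-not $config.OAuth2ClientProfileEnabled) {
    Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
    "Modern authentication has been enabled for Exchange Online."
}

# Skype for Business Online has its own switch; the portal toggle above does not cover it.
# Assumes the Skype for Business Online connector module is installed.
$sfbSession = New-CsOnlineSession -UserName admin@contoso.onmicrosoft.com
Import-PSSession $sfbSession

# Show the current value, then allow modern auth (ADAL) for Skype for Business clients.
Get-CsOAuthConfiguration | Select-Object ClientAdalAuthOverride
Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed
```

Run the read-only lines first (Get-OrganizationConfig and Get-CsOAuthConfiguration) so you know the starting state before changing anything; the Set- cmdlets take effect tenant-wide.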
Enable MFA on User Accounts
The next step is to enable MFA on the users’ accounts, and this is the part that you’ll need to plan out. The good news is that it can be done on a per-user basis, so you can sit next to a user to hold their hand through the process, or if you’re feeling brave you can do everyone at the same time. Don’t panic though; as you’ll see, Microsoft has thought about this process and allows users to register for MFA in their own time.
- Still in the Office 365 Admin Portal, go to the “Users” menu item and click on “Active Users”
- In the menu above the users you’ll see a link called “Multi-Factor Authentication”; click this
This will take you to the Multi-Factor Authentication screen and you’ll be presented with a list of your users. It is a good idea to configure one user first so you get a feel for how the process works.
- Click on the user that you want to enable for MFA
- Click “Enable”
- You will be presented with the following warning screen; if you are happy to proceed, click on “enable multi-factor authentication”
After a few seconds you’ll get a confirmation screen.
As mentioned above, the good bit here is that enabling MFA for the user doesn’t have any immediate effect on the user’s account or their ability to access services, and allows them time to set up MFA on their account.
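If you have more than a handful of users, the per-user portal clicks above can be scripted. The following is an added example (not code from the original post) using the MSOnline PowerShell module; it assumes that module is installed, that you are signed in as a Global Admin, and the user names are placeholders.

```powershell
# Added example (not from the original post): enable per-user MFA with the MSOnline module,
# the PowerShell equivalent of selecting a user and clicking 'Enable' in the MFA portal.
# Assumes 'Install-Module MSOnline' has been run and you hold a Global Admin role.
Connect-MsolService

function Enable-UserMfa {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    # 'Enabled' is the state the portal sets: the user keeps working as before until they
    # register at https://aka.ms/mfasetup, after which the state changes to 'Enforced' on its own.
    $requirement = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $requirement.RelyingParty = "*"
    $requirement.State        = "Enabled"

    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @($requirement)
}

# Pilot with one user first, as the post suggests (placeholder UPN).
Enable-UserMfa -UserPrincipalName "pilot.user@contoso.onmicrosoft.com"

# When you are ready for everyone: licensed member accounts that do not yet have MFA configured.
Get-MsolUser -All |
    Where-Object {
        $_.IsLicensed -and
        $_.UserType -eq "Member" -and
        $_.StrongAuthenticationRequirements.Count -eq 0
    } |
    ForEach-Object { Enable-UserMfa -UserPrincipalName $_.UserPrincipalName }
```

The filter skips guest accounts and anyone already enabled or enforced, so the bulk loop can be re-run safely as new starters join.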
Register for MFA on the User’s Account
So you’ve enabled MFA on the user’s account; now for the fun bit, where we need to get the user involved. The MFA process allows for a number of ways to receive the 2FA prompt, these are:
- Phone call
- Text message
- Notification through mobile app
- Verification code from mobile app
By far the easiest one to use is the authenticator app. Once this is set up, the app runs in the background on a mobile device and simply prompts for approval when a 2FA request is sent to it. There is nothing to type into a screen and no phone call to answer.
It is best to get the app installed onto the user’s phone before starting the MFA registration process. The Microsoft Authenticator app is available from both the Google Play Store and the Apple App Store. Simply download and install it and then we can move on to the next step.
The next step is to complete the MFA registration process; this is done through a standard web browser on a PC/Mac.
- The user opens a web browser and goes to http://aka.ms/mfasetup
- They log in with their Office 365 username and password
- The user will see the following screen prompting them for additional information
- You will now come to the “Additional Security Verification” screen
- In “Step 1” change the drop down to read “Mobile App”
- Select the radio button “Receive notifications for verification”
- Click the “Set up” button
- After a second or two you’ll see a screen similar to this with a QR code in it.
- Go to the user’s phone and open the “Microsoft Authenticator” app
- Click on the “…” in the app and select “Add Account”
- Select “Work or school account”
- Point the camera at the QR code on the screen. The phone will go through a process of registering the device, which takes a few seconds. Once you’re back on the main Account screen you can go back to the PC and click “Next” on the QR code web page
- The process will now verify the app
- After 20-30 seconds you’ll see confirmation of the activation
- Click “Next”; this will send an approval request to the user’s phone.
- Click “Approve” on the user’s phone
- Finally, add a mobile or office phone number. This will be used if the app fails or isn’t working for whatever reason.
- Click “Next”
- The final screen will give the user an “App Password”. This is only used for applications that don’t support modern authentication. You can take a note of it now or ignore it. If in the future the user needs to create an app password they can click this LINK to create one. Generally app passwords are to be avoided unless there is a real need for one, e.g. an old mail client.
MFA is now all configured. If you go back to the MFA configuration screen from before, you’ll now see the user’s MFA status has been set to “Enforced”.
You can check the above screen as you enable more users to see who has gone through the registration process and who is still outstanding.
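For a roll-out of any size it is easier to pull the same information into a report than to scroll the portal. This is an added example and not code from the original post; it assumes the MSOnline module is installed and Connect-MsolService has already been run, and the CSV path is a placeholder.

```powershell
# Added example (not from the original post): report each user's MFA state so you can see who
# has registered ('Enforced'), who is enabled but has not registered yet, and who is not enabled.
# Assumes the MSOnline module is installed and Connect-MsolService has already been run.
function Get-MfaStatusReport {
    Get-MsolUser -All | ForEach-Object {
        $req = $_.StrongAuthenticationRequirements

        # Registered users carry a list of methods; the one flagged IsDefault is what they
        # are prompted with (e.g. PhoneAppNotification for the Authenticator app).
        $default = $_.StrongAuthenticationMethods |
            Where-Object { $_.IsDefault } |
            Select-Object -ExpandProperty MethodType

        [pscustomobject]@{
            User          = $_.UserPrincipalName
            MfaState      = if ($req.Count -gt 0) { $req[0].State } else { "Disabled" }
            Registered    = ($_.StrongAuthenticationMethods.Count -gt 0)
            DefaultMethod = $default
        }
    }
}

# Users you have enabled who have not yet completed https://aka.ms/mfasetup: the ones to chase.
Get-MfaStatusReport |
    Where-Object { $_.MfaState -eq "Enabled" -and -not $_.Registered } |
    Format-Table -AutoSize

# Full report for the roll-out tracker (placeholder path).
Get-MfaStatusReport | Export-Csv -Path .\mfa-status.csv -NoTypeInformation
```

Running the report daily during the roll-out gives you the outstanding list the post describes without having to check each user in the portal.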
What happens now?
Once MFA has been configured on a user’s account a number of things will happen over the next few hours, for example:
- Mobile phone email clients will prompt the user to re-enter their password; after the password has been entered they will get a 2FA approval prompt
- Other Office 365 apps (OneDrive, SharePoint, Teams etc) that are installed on phones will also prompt for passwords and go through the 2FA approval process.
- Users may also get password prompts on their PCs/Macs for Outlook, OneDrive etc. Again they will get a 2FA prompt on their phones for approval.
The above is really the part that can upset users, as they have to spend a bit of time typing their passwords in.
Once they have gone through this initial process they will just carry on using their devices/apps as before. Periodically they will be prompted to confirm their credentials and give 2FA approval.
So that’s it, you have now added a nice security blanket around your Office 365 service and you can sleep easy again.