What is a Multi-Factor Authentication for Office 365, and Why Is It Useful?
As we move toward cloud-based, accessible services for the convenience of conducting business at any time, from anywhere, protecting your online identity – your credentials, which prove you are who you say you are – is a critical responsibility for you and your team. Even with good password practices – selecting strong, complex passwords or passphrases, never reusing passwords between different online services, trying to be vigilant in not sharing passwords between people – the bad actors out there regularly try to trick you and your team into sharing private password information. They don’t succeed often, but when they do, and they compromise your account or the account of someone in your organization, suddenly your reputation, your clients, your vendors, your correspondence – it’s all at risk. We know that passwords, by themselves, aren’t secure.
Multi-Factor Authentication (MFA) takes password security one level higher, requiring that in addition to providing a password, people in your organization will need to prove it’s them by acknowledging a prompt on their pre-registered smartphone to approve the login. The “multi” in multi-factor means we’re using a minium of one additional form of verification beyond just a password.
Microsoft Office 365 includes robust multi-factor authentication features. At Aldridge, we use Azure Active Directory MFA and login auditing to provide critical additional protection against phishing, social engineering, credential compromise, or the occasional slip by someone in your organization that may be inconsistent with secure best practices for passwords.
Multi-Factor Authentication for Microsoft Office 365 is an Aldridge best practice for the successful management and support of your environment. It’s not required; you’re welcome to elect how to manage security appropriate to your own organization’s culture and convenience; but when you do have MFA in place, Aldridge’s investigation and remediation of reported user account compromises is included within your applicable Aldridge Managed Services.
Office 365 MFA FAQs
When will I get challenged for authentication?
- You open a Microsoft Office 365-connected application (like Microsoft Outlook) or visit a Microsoft Office 365-authenticated website (like https://outlook.office.com) for the first time on a given computer.
- You open an O365 application or O365 authenticated website on a computer that you’ve used before, but you’ve opted to not remember your authentication (eg, didn’t check the box “Don’t ask again for 30 days” or “Remember for 30 days” or similar; the wording can change over time with Microsoft revisions).
- You open an O365 application or O365 authenticated website on a computer that you’ve used before, and it’s been longer than the period your authentication was set to persist (eg, 30 days, or whatever period has been configured for your organization).
- Something significant has changed since your last successful authentication, which could be interpreted by Microsoft’s authentication engine as, “okay, we need to re-authenticate, just to be sure.”
These events can apply (and you’ll be challenged for authentication) whether you’re in the office, outside the office, on your regular computer, on a guest computer, on someone else’s computer, on your phone, etc. You already experience this today with all your Office 365 services; this experience doesn’t change and multi-factor authentication has no impact on determining when you get challenged for authentication.
When you do get challenged for authentication, settings set the threshold for what you must do to successfully pass the authentication. That could include:
- Entering your email address.
- Entering your current password.
- “Approving” your login via your smartphone Microsoft Authenticator app.
- Entering a current numeric code manually, which you obtain from your smartphone’s Microsoft Authenticator app, if your phone isn’t able to reach the Internet at the time (such as if you’re traveling in an airplane, or out of a service area).
You’re already used to entering your email address and current password to authenticate. Multi-factor adds the additional requirements and methods to fulfill those requirements.
With the subscribed level of Microsoft Azure Active Directory (AAD P1 or AAD P2), we usually configure one exception for Microsoft’s authentication engine, to not require second-factor authentication via the Microsoft Authenticator app if, at the time you’re trying to authenticate, you are using a computer that is inside your business office, using your business office internet connection through your office network firewall, such that Microsoft can see that your request is originating from that exact known internet network address.
All your other authentication and Office 365 experiences stay the same.
Microsoft Office 365 and Microsoft 365 are cloud-based services that receive regular improvements and development updates. The exact features and user experience for multi-factor authentication may vary in the future, but the security benefits remain the same. Multi-factor authentication is a critical part of maintaining reasonable security for your organization.
Why should everyone use the Microsoft Outlook app for organization email?
As a best practice, when people are checking organization email via their smartphone, we recommend everyone install and use the Microsoft Outlook app. It’s free and included with your organization’s Microsoft Office 365 subscription. Having everyone use the Microsoft Outlook app on their smartphones will give them the best, most secure, consistent experience. A best practice is to use the Microsoft Outlook app for your organization email and use your phone’s built-in mail app for personal email and contacts. That helps keep your personal and business email as separate, distinct items, while also enabling all your organization’s security features and management for organization email.
What if people don’t have a smartphone, or don’t want to use their phone for multi-factor authentication?
We can use your office’s consistent internet address as the second factor for security. Individuals who don’t have or don’t want to use a smartphone for multi-factor would be restricted to logging in only on computers that are at your known, established office locations. With Microsoft’s Conditional Multi-Factor features, we can specify that being connected via your business network, at your regular place of business, is a valid second factor.
Individuals not able or willing to use their smartphone for authentication will not be able to authenticate to access secured services on computers from outside the office.