How to Enable Multi Factor Authentication Office 365

Multifactor authentication can protect your MSO 365 environment from unauthorized access and possible data loss or leak. Learn how to enable multi factor authentication Office 365 for your users.

Table of Contents

What is Office 365 multi-factor authentication?

Multifactor authentication is a login process that requires more than one identity confirmation. It is the cyber security measure that provides an additional layer of protection to the SaaS apps’ login process.

Multifactor authentication is carried out in several steps, usually two but sometimes three. At each step, the application offers a different method of identity verification.

Types of multi-factor authentication

There are several types of authentication:

Based on a user’s knowledge.

The simplest example of this type of authentication mechanism is credentials. In many cases, only a user knows their login and password. Unfortunately, there are plenty of methods to steal the credentials of an individual. That’s why this method is not enough to protect the SaaS environment from breaches. Therefore you need multifactor authentication.

A Bank card’s PIN and SIM card’s PUK numbers are other examples of knowledge authentication.

Based on a user’s possession.

Users can possess material and non-material security token that grants them access to the SaaS application. A key from a door is the simplest example.

Modern authentication uses the following types of security tokens:

Hardware (usually, flash drives)
Software (e.g., a file)
One-time connection (e.g., a phone call, or an SMS).

Based on a user’s inherence.

These are mechanisms that are based on things inherent to a user. Usually, it’s biometric data such as fingerprints, iris, or facial traits. This type of authentication requires a special technology that can collect and identify the required data (e.g. iris scanner).

Based on a user’s position

Some companies might ban the login of users who are located outside specific geographic regions.

Based on the time

Some apps give a limited time window for login. Another example is the hours of the day when you can log in to an app.

As a rule of thumb, the multifactor authentication method applies two of the above types in the login process to grant access to a user.

Why does your business need to enable multi-factor authentication?

Let’s discuss the value of multifactor authentication for your business.

Prevention of unauthorized logins and resulting cyber risks such as data loss or leak.
Compliance with the existing rules and regulations.
The psychological effect on your employees who will perceive cybersecurity as a business value.
Prevent financial losses due to data breaches and non-compliance fees and penalties.

How to enable multi factor authentication Office 365: step-by-step

Microsoft Office 365 has legacy per-user authentication as well as more recent Security Defaults. Microsoft information center suggests turning off the former and turning on the latter.

There’s one thing however that MSO 365 admins must remember at all times. Security Defaults impose multifactor authentication upon every login only on administrators. As concerns users, Azure AD ‘decides’ when to impose it on them based on multiple factors (see screenshot below):

In this section, we’ll explain both methods and it’s up to you to decide which method works best for you.

Enable per-user multi-factor authentication in Office 365

Step 1. Go to Microsoft Office 365 Admin Center, open Navigation Menu, and in Settings choose Org Settings.

Step 2. You’ll be forwarded to the Org Settings page. Scroll down to Multifactor Authentication and click on it. Note that the list is in alphabetical order.

Step 3. A sliding panel will appear on the left part of the screen. Click on the Configure Multifactor Authentication.

Step 4. You will be forwarded to the Users page. Choose all users by clicking on the box above the user list. Then click on Enable in the left column next to the users’ list.

Step 5. Confirm by clicking on Enable multi-factor auth button.

Enable Security Defaults

If you want to enable Security Defaults, you need to first disable per-user multifactor authentication. To do it, take steps 1-5, but instead of Enable, click disable. Now, you can proceed with configuring your Azure AD.

Step 1. In Microsoft Office 365 Admin Center, open Navigation Menu. Then click on Azure Active Directory.

Step 2. You will be redirected to Azure AD Admin Center. In the left panel click on Azure Active Directory. A new navigation panel will appear. You need Properties.

Step 3. At the bottom of the Properties page, press Manage Security Defaults.

Step 4. A sliding panel will appear on the right side of the screen. Click on Yes under Enable security defaults. Then click Save in the bottom right corner.

Take these steps to disable Security Defaults.

How to protect your Office 365 environment from other cyber incidents?

Unauthorized access is not the only cyber security incident that threatens your data integrity. Protecting your organization from human error or man-in-the-middle attacks is equally important as these are other widespread reasons for irreversible data loss.

Your business needs other tools to protect your Microsoft Office 365 data:

Backup

Microsoft Office 365 doesn’t back up your data, so if you want to protect it from possible loss or corruption, we suggest acquiring a backup solution.

Back up your business-critical data

Use SpinOne

Ransomware protection

Not all Admins know that MSO 365 has no inbuilt ransomware protection. Unfortunately, the ransomware threat to businesses of all sizes is real. Acquire a ransomware protection tool to prevent attacks.

Application Assessment

Applications pose a great threat to MSO 365 environment due to the permissions they acquire from users. Your business needs to detect applications and assess their risks to revoke access to the risky ones.

Access Monitoring

Multifactor authentication protects you from unauthorized logins. However, it doesn’t protect your data from unauthorized sharing. You need a tool that will enable you to see and change the sharing settings of your OneDrive files and folders.

We suggest using SpinOne. It is among the top Office 365 backup solutions on the market, with data protection functionality like ransomware protection, application risks assessment, and access monitoring.

Published on: Oct 7, 2022

William Tran Product Manager

About Author

Will Tran is the Product Manager at Spin.AI, where he guides the product's strategic direction, oversees feature development and ensures that the solution solves his clients’ cybersecurity needs.

Will is a security professional who started his career at Lockheed Martin where he worked on National Security Space programs in business development and product management.

Will holds a BA in Economics and Mathematics from UCSB and an MBA with a specialization in Technology Management and Marketing from UCLA Anderson School of Management.

At Lockheed Martin, Will developed the multi-year strategy campaign and supported the product development satellite program for the United States Air Force, which resulted in a multi-billion dollar contract.

During business school, Will consulted 2 non-profit organizations as part of a series of national consulting case competitions. He set strategic priorities, optimized business operations, and developed a process to qualify new revenue streams for his non-profit clients. These initiatives resulted in 15-20% increase in gross profit.

In his spare time, Will can be found at local coffee shops around Los Angeles, traveling to different countries, or hanging out with his cat.

Featured Work:

Effective Steps to Take During a Cloud Ransomware Attack

Frequently Asked Questions

How to check if MFA is enabled in Office 365 for all users?

To check if MFA is enabled in Microsoft 365 for all users, sign in to the Microsoft admin center, then click Users > Active users in the left navigation panel, after that click multi-factor authentication at the top of the page. This will display a list of all users in your organization, along with their MFA status (Enabled or Disabled).

How do I enable MFA for guest users in Office 365?

To enable MFA for guest users in Microsoft 365, you need to create a Conditional Access policy. For this, sign in to the Microsoft admin center as an admin. Browse to Protection > Conditional Access, select Create new policy (name your policy), and under Assignments, select Users or workload identities.

Under Include, select All guest and external users
Under Exclude, select Users and groups and choose your organization’s emergency access or break-glass accounts.

Under Target resources > Cloud apps > Include, select All cloud apps.

Under Exclude, select any applications that don’t require multifactor authentication.

Select Grant access, Require multifactor authentication, and select Select.

How to enable multi-factor authentication in Microsoft 365 using PowerShell?

To enable multi-factor authentication (MFA) in Microsoft 365 using PowerShell, you need first open a Windows PowerShell console as an administrator, then connect to Azure Active Directory PowerShell, get a list of all users in your organization and enable MFA for each user. This will enable MFA for all users in your organization but you can also enable MFA for specific users or groups of users with the PowerShell.

Is MFA automatically enabled for all Microsoft 365 users?

MFA is not typically automatically enabled for all users by default. It is usually an optional security feature that users can choose to enable for themselves or that administrators can enforce across an organization’s user accounts.

Office 365, Office 365 Security