Office 365 Multi-Factor Authentication

Introduction

Microsoft has recently introduced Multi-Factor Authentication (MFA) for Office 365. This feature is now part of Office 365 Midsize Business, Enterprise plans, Academic plans, nonprofit plans and standalone Office 365 plans (including Exchange Online and SharePoint Online) at no additional cost.

MFA has actually been available for Office 365 administrative roles since June 2013, but it is now available to any Office 365 end user. There are also improvements to the capabilities available since last year, such as App Passwords (discussed later) for users so they can authenticate from Office desktop applications such as Outlook, Lync, Word, etc., as these do not yet natively support MFA.

This article series explores MFA in Windows Azure Active Directory in general with a focus on MFA for Office 365.

What is Multi-Factor Authentication for Windows Azure Active Directory and Office 365?

MFA, in general, adds a critical second layer of security to user sign-ins and transactions. It works by requiring any two or more of the following verification methods:

  • Something you know (usually a password);
  • Something you have (a trusted device that is not easily duplicated, such as a phone);
  • Something you are (biometrics, such as fingerprints).

Compromising multiple authentication factors presents a significant challenge for attackers. Even if an attacker manages to learn a user’s password, it is useless without also having possession of the trusted device. On the other hand, if the user loses the device, the finder of that device will not be able to use it unless he or she also knows the user’s password.

With Windows Azure MFA, users are required to acknowledge a phone call, a text message or an app notification on their smartphone after entering their password. Only after this second authentication factor has been satisfied can the user sign in. MFA can be used to provide multi-factor capabilities to all cloud applications and services hosted in Windows Azure.

MFA is available for Office 365 SKUs and administrators of a Windows Azure subscription. The following lists the various versions of MFA available and the resources that can be secured with them:

  • Multi-Factor Authentication for Office 365 – allows you to secure Office 365 resources for users licensed for Office 365 (which this article series focuses on);
  • Multi-Factor Authentication for Windows Azure Administrators – allows you to secure Windows Azure resources for administrators;
  • Windows Azure Multi-Factor Authentication – allows you to secure all Microsoft Online Services, multiple SaaS app resources, resources that span on-premises and cloud including VPN and LOB apps.

The following table lists the various scenarios for MFA and the versions that are required to support these scenarios:

| Scenario | Office 365 with Federated ID (ADFS) | Office 365 with no Federation (Windows Azure AD only) | SaaS application via Access Panel | On-premises Apps | Custom Apps – SDK |
|---|---|---|---|---|---|
| MFA functionality available | Yes | Yes | Yes | Yes | Yes |
| Minimum Version of MFA required | MFA for Office 365 | MFA for Office 365 | Windows Azure MFA | Windows Azure MFA | Windows Azure MFA |
| MFA available for Web client | Yes | Yes | Depends on Application | Depends on Application | Depends on Application |
| MFA available for Rich client | Yes (Application password) | Yes (Application password) | N/A | N/A | N/A |

Table 1

To enable MFA for other applications, you can use the Windows Azure MFA service, which offers the richest set of capabilities, additional configuration options via the Windows Azure Management portal, advanced reporting, and support for a range of on-premises and cloud applications. Office 365 customers who want the additional functionality can also purchase Windows Azure MFA.

The following table shows a comparison between the various versions of MFA that are available:

| Capability | MFA for Office 365 | MFA for Windows Azure Administrators | Windows Azure MFA |
|---|---|---|---|
| Included in Windows Azure Subscription | No | Yes | No |
| Included in Office 365 SKUs | Yes | No | No |
| Administrators can Enable/Enforce MFA to end-users | Yes | Yes (applies only to users who are Windows Azure Administrators) | Yes |
| Use Mobile app (online and One-Time Password) as second authentication factor | Yes | Yes | Yes |
| Use Phone call as second authentication factor | Yes | Yes | Yes |
| Use SMS as second authentication factor | Yes | Yes | Yes |
| Application passwords for non-browser clients (e.g. Outlook, Lync) | Yes | Yes | Yes |
| Default Microsoft greetings during authentication phone calls | Yes | Yes | Yes |
| Custom greetings during authentication phone calls | No | No | Yes |
| Fraud alert | No | No | Yes |
| MFA SDK | No | No | Yes |
| Security Reports | No | No | Yes |
| MFA for on-premises applications / MFA Server | No | No | Yes |
| One-Time Bypass | No | No | Yes |
| Block/Unblock Users | No | No | Yes |
| Customizable caller ID for authentication phone calls | No | No | Yes |
| Event Confirmation | No | No | Yes |

Table 2

MFA in Windows Azure and Office 365 provides several options for users as well as backup options in the event the user is not able to authenticate using their preferred method. These are:

  • MFA apps are available for Windows Phone, Android and iOS devices. Users download the free app and activate it using a code provided during setup. When the user signs in, a notification is pushed to the app on their mobile device and the user taps to approve or deny the authentication request. Once the app is installed it can operate in 2 different modes:
    1. Notification: in this mode, the app prevents unauthorized access to accounts and stops fraudulent transactions. This is done using a push notification to the phone or registered device. The user checks the notification and if it is legitimate, he/she selects Verify. Otherwise, the user can choose to Cancel or even Cancel and Report Fraud if it is a fraudulent notification;
    2. One-Time Password: in this mode, the Windows Azure MFA app is used as a software token to generate an OATH passcode. This passcode is then entered along with the username and password to provide the second form of authentication.
  • Automated phone calls can be placed by the MFA service to any phone, landline or mobile. The user simply answers the call and presses # on the phone keypad to complete their sign-in;
  • Text messages can be sent by the MFA service to any mobile phone. The text message contains a one-time six-digit passcode. The user is prompted to either reply to the text message with the passcode or enter the passcode into the sign-in screen.

Multi-Factor Authentication for Office 365

MFA for Office 365, powered by Windows Azure MFA, works exclusively with Microsoft Office 365 applications at no additional cost and is managed from the Office 365 portal. As per the table above, it offers the following subset of Windows Azure MFA capabilities:

  • Ability to enable and enforce MFA for end users;
  • Use of a mobile app (online and one-time password [OTP]) as a second authentication factor;
  • Use of a phone call as a second authentication factor;
  • Use of an SMS message as a second authentication factor;
  • Application passwords for non-browser clients (for example, Outlook and Lync);
  • Default Microsoft greetings during authentication phone calls.

The following is a list of steps that we will be following in this article series to get started with Office 365 MFA:

  1. Enable MFA for end user(s): first we need to enable MFA for one or more Office 365 users;
  2. Send e-mail to end users to notify them about MFA: next, we send users an e-mail notifying them about MFA;
  3. Have a user sign-in and complete the registration process: once we have enabled the account(s) for MFA, users can sign-in and complete the registration process;
  4. Configure app passwords for non-browser apps: after the registration process has been completed, users can setup application passwords for non-browser apps such as Outlook or Lync. This is required because these apps do not natively support MFA and users will be unable to use them unless an app password is configured.

 

Enabling Multi-Factor Authentication for Office 365 users

Enabling MFA for Office 365 users can be done using either the Windows Azure Management Portal or the Office 365 portal (which we will be using).

User accounts have the following three distinct states when it comes to MFA:

| State | Description | Notes |
|---|---|---|
| Disabled | The default state for a new user not enrolled in MFA | The user is currently not using MFA; non-browser apps are not affected. |
| Enabled | The user has been enrolled in MFA | The user is enabled but has not completed the registration process and will be prompted to complete it at next sign-in; non-browser apps are not affected and continue to work with the current credentials until the registration process is complete. |
| Enforced | The user has been enrolled and has completed the registration process for using MFA | Non-browser apps will not work until app passwords are created and entered into the non-browser apps. |

Table 1

Please note that once MFA is enabled for a user, that user must complete the auto-enrollment. This will occur the first time the user signs in after the account has been enabled for MFA. Until then, MFA will not be enabled on the account.

To enable MFA for an Office 365 user account using the Office 365 portal, follow these steps:

  1. Sign in to the Office 365 Portal;
  2. Navigate to the Office 365 admin center;
  3. Select users and groups;
  4. Next to Set Multi-Factor authentication requirements click Set up:

Figure 1

  5. Find the user(s) that you wish to enable for MFA. Ensure that the user’s MFA Status is Disabled and place a check in the box next to their name:

Figure 2

  6. This will bring up two options on the right: Enable and Manage user settings. Click Enable. This will bring up a pop-up that will specify the next steps we need to take. Click enable multi-factor auth:

Figure 3

Send e-mail to end users to notify them about MFA

Once users have been enabled for MFA, it is recommended to send them an e-mail informing them that they will need to provide their contact information. The following is Microsoft’s e-mail template, which can be used as-is and includes a link to a video that the users can watch:

Subject: ACTION REQUIRED: Your password for Outlook and other apps needs updated

Body:

For added security, we have enabled Multi-Factor Authentication (MFA) for your account.

Action Required: You will need to complete the enrollment steps below to make your account secure with multi-factor authentication.

What to expect once MFA is enabled:

Multi-factor authentication requires a password that you know and a phone that you have in order to sign into browser applications and to access the Office 365 portal.

For Office 365 non-browser applications such as Outlook, Lync, a mail client on your mobile device etc, a special password called an app password is required instead of your account password to sign in. App passwords are different than your account password, and are generated during the multi-factor authentication set up process.

Please follow these enrollment steps to avoid interruption of your Office 365 service:

  1. Sign in to the Office 365 Portal at http://portal.microsoftonline.com;
  2. Follow the instructions to set up your preferred multi-factor authentication method when signing into Office 365 using a web browser;
  3. Create one app password for each device;
  4. Enter the same app password in all applicable apps on that device e.g. Outlook, Mail client, Lync, Word, Powerpoint, Excel, CRM etc.;
  5. Update your Office client applications or other mobile applications to use an app password.

Watch a video showing these steps at http://g.microsoftonline.com/1AX00en/175.

Best Regards,

Your Administrator

Signing in for the first time using MFA

Now that our user has been enabled for MFA, let us see what the user experience is when logging in for the first time after MFA has been enabled. To start off with, we will be using the Mobile App as the contact method, and in the next article a mobile phone using text messages.

Using Mobile App as the contact method

The following are the steps users will need to go through when setting up MFA to use their mobile phone app as the contact method.

First, we need to download and install the MFA app, which is available for Windows Phone, Android, and iOS. To ensure you are downloading the correct mobile app, use the links above and look for the following logo:

Figure 4

Once the mobile app has been installed, follow these steps:

  1. Sign in to the Office 365 Portal;
  2. In the MFA message window, select Set it up now:

Figure 5

  3. Select Mobile app from the drop-down list and then click configure:

Figure 6

  4. Now we need to follow the instructions on the Configure mobile app page:

Figure 7

  5. On the phone that has the MFA app installed, launch the app;
  6. The first time we start the app, we need to accept the terms and conditions:

Figure 8

  7. Click I Agree;
  8. Next, click ok to turn on push notifications (required for MFA):

Figure 9

  9. Click the “+” sign to add a new account:

Figure 10

  10. Click on the barcode icon at the bottom to launch the camera and scan the barcode provided previously with the phone’s camera:

Figure 11

  11. If you are unable to scan the bar code, you can enter the Code and URL manually. Simply enter these from the configure app screen into the Code and URL boxes on the MFA app;
  12. If you receive the following error, it is likely that your Office 365 portal browser session timed out:

Figure 12

  13. If all goes well, a 6-digit code should be displayed:

Figure 13

  14. Once you see this, click done on the Configure mobile app screen (in the browser);
  15. This will start an activation status check. Once this completes, the screen should say Mobile app has been configured:

Figure 14

  16. Click next;
  17. In the additional security verification page, click the verify now button:

Figure 15

  18. This will initiate a notification to the mobile phone:

Figure 16

  19. On the mobile phone, once you receive the notification, click Verify:

Figure 17

  20. It should now say that we have successfully completed the sign-in. Click Close:

Figure 18

  21. At this point, your verification should be successful:

Figure 19

  22. Click next;
  23. Now we need to enter a mobile phone number in case we lose access to the mobile app:

Figure 20

  24. Specify the country from the drop-down list;
  25. Enter the mobile phone number in the box next to country;
  26. Click next;
  27. At this point, we have set up our contact method. Now it is time to set up app passwords for non-browser apps such as Outlook (these are explained in more detail in the next article). Click generate app password:

Figure 21

  28. This will bring up a password for your non-browser app. This password can be used, for example, when configuring Outlook to connect to our Office 365 mailbox:

Figure 22

  29. If you need additional app passwords, click i’ll need more app passwords. Otherwise, click done.

Now, when the user authenticates into the Office 365 portal, a notification is automatically sent to the mobile device:

Figure 23

As soon as the user clicks on Verify, he/she will be logged into the Office 365 portal:

Figure 24

Of all the MFA options available, this is by far my favorite as it does not require manually entering codes or anything like that as we shall see. It is simple and easy!

In a previous screenshot, during the initial setup we saw the One-Time Password (step 13). This is not used in the method above, but in another method that is also available, called Show one-time code in app:

Figure 25

When this method is used, the user will be asked for a code when trying to log into the Office 365 portal:

Figure 26

The code required is a 6-digit code generated by the app. A new code is generated every 25 seconds, and the user has to type it into the Enter your verification code text box above within the time left, as shown by the progress bar below the Check for Auth title:

Figure 27

This method is known as one-time password as each code can only be used once.

As you can see, this method is a bit more laborious than the previous one, but still one of the most common methods used (such as in banking for example).

Using Mobile Phone as the contact method

Another option is for users to set MFA to use their mobile phone for either a call or text as the contact method.

Using the same initial steps as before:

  1. Select Mobile phone from the drop-down;
  2. Specify the country from the drop-down;
  3. Enter the mobile phone number in the box next to country;
  4. Select the mode you would prefer to use with your mobile phone (in this case we will use text messages):
    • Text – select the Send me a code by text message radio button (selected by default);
    • Call – select the Call me radio button.

Figure 1

  5. Click next;
  6. Click the verify now button:

Figure 2

  7. A 6-digit code is texted to the mobile phone:

Figure 3

  8. Enter this code in the box that is displayed in the browser and click verify:

Figure 4

  9. At this point, the verification should be successful. Click next:

Figure 5

Now, when the user authenticates into the Office 365 portal, he/she will be automatically sent a code to the mobile device which needs to be entered in the Enter your verification code text box:

Figure 6

App Passwords in Multi-Factor Authentication for Office 365

As explored in the previous sections, users who are enrolled for MFA are required to configure App Passwords in order to use Office desktop applications, including Outlook, Lync, Word, Excel, PowerPoint, and SkyDrive Pro. This is because these applications do not yet natively support multi-factor authentication.

Once users have logged in with MFA, they will be able to create one or more App Passwords for use in Office client applications. An App Password is a 16-character randomly generated password that can be used with an Office client application as a way of increasing security as an alternative to the second authentication factor.

After we have created an App Password for an Office desktop application, such as Outlook, it is indicated in a list in the user’s account. Below, we can “see” the initial app password we generated during the initial setup (in the second article) as well as a few more generated afterwards:

Figure 7

Once generated, we are not able to check what the password is. As such, make sure you use it immediately when you generate it. Obviously it is not recommended to write these passwords down as that would weaken their security purpose.

Note that App Passwords are not available for use with PowerShell access to Office 365.

App Passwords can be turned off entirely for the Office 365 tenant for customers who have special security policies. This prevents users from creating app passwords for use in non-browser apps, thus only giving them access to Office 365 through the portal.

Use the following procedure to disable app password usage (remember that this will affect all Office 365 users that are enabled for MFA and that these users will be unable to use non-browser applications):

  1. Sign in to the Office 365 Portal;
  2. Navigate to the Office 365 admin center;
  3. Select users and groups;
  4. Next to Set Multi-Factor authentication requirements click Set up;
  5. On the multi-factor authentication page, click Service Settings;
  6. Under app passwords, select the radio button next to Do not allow use of app passwords (users enabled for multi-factor auth will not be able to sign in to non-browser applications):

Figure 8

  7. Click save;
  8. Once the update applies, click close.
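The account states from the table earlier in this article (Disabled, Enabled, Enforced), the app-password properties described above (16 random characters, shown once and not retrievable afterwards) and the tenant-wide switch in this procedure, as an added example that is not the article's or Microsoft's code: a toy model of the decision a non-browser client such as Outlook gets at sign-in. `Tenant`, `Account`, `issue_app_password` and `nonbrowser_signin` are this example's own names, the lowercase-letter alphabet is an assumption, and storing only salted PBKDF2 hashes is this example's design choice, used to show why a portal cannot display an app password again after generating it.

```python
"""Added example: MFA account states, app-password issuance and the
non-browser sign-in rule as a small model. Not the article's or Microsoft's
code; names, alphabet and hashing scheme are this example's assumptions."""

import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass, field
from typing import List, Tuple

APP_PASSWORD_LENGTH = 16                       # the article: 16-character app passwords
APP_PASSWORD_ALPHABET = string.ascii_lowercase  # assumed alphabet for this example

Stored = Tuple[bytes, bytes]  # (salt, digest)


@dataclass
class Tenant:
    # Mirrors the service-settings choice "Do not allow use of app passwords".
    allow_app_passwords: bool = True


@dataclass
class Account:
    mfa_state: str = "Disabled"  # Disabled | Enabled | Enforced
    # Only salted hashes are kept: the plaintext is never stored, which is
    # why an app password cannot be shown again once it has been generated.
    password_hash: Stored = (b"", b"")
    app_password_hashes: List[Stored] = field(default_factory=list)


def _hash(secret_value: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret_value.encode(), salt, 50_000)


def _matches(secret_value: str, stored: Stored) -> bool:
    salt, digest = stored
    return hmac.compare_digest(_hash(secret_value, salt), digest)


def set_account_password(account: Account, password: str) -> None:
    salt = secrets.token_bytes(16)
    account.password_hash = (salt, _hash(password, salt))


def complete_registration(account: Account) -> None:
    """Enabled -> Enforced: the transition that happens once the user has
    signed in and registered a verification method."""
    if account.mfa_state != "Enabled":
        raise ValueError("only an Enabled account can complete registration")
    account.mfa_state = "Enforced"


def issue_app_password(tenant: Tenant, account: Account) -> str:
    """Generate a 16-letter app password, store only its salted hash and
    return the plaintext exactly once, to be shown to the user."""
    if not tenant.allow_app_passwords:
        raise PermissionError("app passwords are disabled for this tenant")
    if account.mfa_state != "Enforced":
        raise PermissionError("complete MFA registration before creating app passwords")
    plaintext = "".join(secrets.choice(APP_PASSWORD_ALPHABET)
                        for _ in range(APP_PASSWORD_LENGTH))
    salt = secrets.token_bytes(16)
    account.app_password_hashes.append((salt, _hash(plaintext, salt)))
    return plaintext


def nonbrowser_signin(tenant: Tenant, account: Account, supplied: str) -> bool:
    """Decide whether a non-browser client (Outlook, Lync, ...) may sign in
    with `supplied`, following the article's state table:
    Disabled / Enabled: the ordinary account password still works;
    Enforced: only an app password works, and only while the tenant allows them."""
    if account.mfa_state in ("Disabled", "Enabled"):
        return _matches(supplied, account.password_hash)
    if not tenant.allow_app_passwords:
        return False
    return any(_matches(supplied, stored) for stored in account.app_password_hashes)
```

Two things the model makes visible: the account password keeps working for rich clients right up until registration completes (the "Enabled" row of the table), so enabling MFA alone does not protect Outlook or Lync; and flipping the tenant switch off rejects every existing app password immediately rather than only blocking new ones.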
 
 

Changing Users’ Multi-Factor Authentication Settings

Once users have configured their MFA settings, these can easily be changed or updated by following the steps below:

  1. Log on to the Office 365 portal;
  2. At the top, click the icon that looks like a little cog. This will display a drop-down list with the Office 365 settings option:

Figure 9

  3. Click on Office 365 settings. This will open the settings page;
  4. On the left pane, click additional security verification;
  5. On the right, click Update my phone numbers used for account security:

Figure 10

  6. This will open the additional security verification section where users can update their MFA settings, such as the MFA method used and telephone numbers:

Figure 11

  7. Or generate additional app passwords:

Figure 12

What if a user loses his smartphone?

Office 365 MFA provides alternative methods of authentication in case the user is unable to use the default one. For example, if the user’s primary method is the mobile app, he/she can configure a second mobile phone (or a desk phone) to receive a text message or phone call in case he/she does not have access to the app (because the phone was left at home, got stolen, etc.).

When a user is trying to log in to Office 365 and is not able to use the primary authentication mechanism, they can click on Use a different verification option:

Figure 13

This will allow them to select any of the following alternative options:

Figure 14

However, if the mobile phone configured is the same as the one where the app is installed (that the user currently does not have), then the only option is to call Service Desk so that MFA can be temporarily disabled for the user.

As such, it is recommended to configure at least one alternative authentication method. This can be a second mobile phone or even a desk phone if the user has one:

Figure 15

What’s Next?

Microsoft continues to invest in multi-factor authentication scenarios, including Office client integration and smart card certificates. This release of MFA does not include a second factor of authentication for Office desktop applications such as Outlook, Lync, Word, Excel, PowerPoint, PowerShell and OneDrive. However, as mentioned, users who have been enrolled for MFA currently have an alternative: they can use App Passwords to log in to Office client applications with a higher level of security than a user-selected password.

Soon Office 365 customers will be able to use MFA directly from Office 2013 client applications. Microsoft is planning to add native MFA for applications such as Outlook, Lync, Word, Excel, PowerPoint, PowerShell and OneDrive for Business, with a release date planned for later in 2014. This update is planned to include the current phone-based MFA and add capability to integrate other forms of authentication such as third-party MFA solutions and smart cards.

Sources: http://www.msexchange.org/kbase/ExchangeServerTips/MicrosoftOffice365/ExchangeOnline/office-365-multi-factor-authentication.html

http://www.msexchange.org/articles-tutorials/office-365/exchange-online/office-365-multi-factor-authentication-part3.html

Published: 7/8/2014 17:41