As security regulations tighten, the traditional username and password is out and multi-factor authentication is in -- but first, Office 365 shops must learn the nuances of MFA management.
Multi-factor authentication (MFA) grants access only when a user presents more than one kind of proof: something they know, such as a password or a PIN; something they have, such as a security token or a device; or something they are, such as biometric information like a fingerprint. This layered approach gives a higher level of protection against data breaches than a traditional username and password combination can provide. Microsoft offers a few different ways to take advantage of multi-factor authentication for Office 365.
There are three ways IT departments can use multi-factor authentication for Office 365. An Office 365 subscription comes with free support for MFA on Office 365 apps. Azure Active Directory (AD) global administrators can also take advantage of a free version of MFA. Lastly, admins can use Azure Multi-Factor Authentication for additional functionality over the built-in Office 365 MFA, but it requires an Azure AD Premium license or a Microsoft Enterprise Mobility + Security license.
When an Azure AD user is enabled for MFA, he or she can use app passwords by default. App passwords let the user keep working with applications that do not support MFA, alongside those that do. Users can approve or deny authorization requests directly from trusted mobile devices using the Authenticator app, which shortens the approval process and makes MFA even more accessible.
Administrators can both enable and enforce MFA for a user. When admins enforce multi-factor authentication for Office 365, they require users to register and configure their MFA setup through Microsoft's authorization sign-on platform. Users must also use app passwords for applications that do not support MFA, unless the administrator has disallowed the use of app passwords.
When and how to skip MFA
Sometimes, IT might want to implement a policy that doesn't require MFA. For example, an administrator could skip MFA when the sign-in originates from inside the organization's security boundary, that is, from a trusted network location. This conditional access feature is only available as part of Azure Multi-Factor Authentication, however.
To use this feature, reconfigure the multi-factor authentication for Office 365 through the Azure portal from the conditional access panel.
- For managed and federated users: Select for requests from a specific range of public IPs, and then specify the IP address ranges of the organization. Using Classless Inter-Domain Routing (CIDR) notation, specify the public IP blocks of the organization, not the local private IP addresses, because Azure AD only ever sees the public address a request arrives from. Admins can also specify a single public IP address for locations such as branch offices.
- For federated users: Select for requests from federated users originating from my intranet and configure the following Active Directory Federation Services (AD FS) claim: c:[Type== "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork"] => issue(claim = c);
Using multi-factor authentication for Office 365, administrators can also enable the systems to remember trusted devices. On those devices, the refresh token expires after a certain number of days, requiring apps to reauthenticate. Browsers will receive a cookie that prevents repetitive MFA prompts within the same browser session. By default, a remembered device is not asked to reauthenticate with MFA for 14 days.
It's convenient to enable this feature, but it has security implications. When administrators need to void all remembered logons on trusted devices for a user -- if the device is lost, for example -- they must go to the MFA management page and select restore multi-factor authentication on all remembered devices for that user.
Get granular with application access management
Conditional access can go one step further to grant more granular access control. With application access management, administrators can grant or block access to users and applications based on:
- the specific authenticating user or the group membership of that user;
- the cloud application that the user accesses, such as Office 365 Exchange Online or Microsoft Teams;
- conditions such as the device location -- for instance, a trusted network -- a particular operating system or device, or whether the user uses an app or browser; and
- access requirements such as MFA, device policy compliance, Azure AD joined devices or use of an approved client app.
Once the administrator configures conditional access and the user is required to use multi-factor authentication for Office 365 to access Exchange Online, for example, the system will prompt the user to set it up -- regardless of the user's MFA settings, which lowers the administrative burden.
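To make the decisions above concrete, the following is an added example, not Microsoft's code and not a call into any Azure API: a small Python model of the conditional-access logic the article describes. It parses the trusted-location list in CIDR notation (rejecting the RFC 1918 private blocks the article says must not be listed, and accepting a single branch-office IP), applies the 14-day remembered-device default, and evaluates per-user, per-app policies that block, require a compliant device, or require MFA unless the request comes from a trusted network. All policy names, groups, IP ranges and sign-ins are constructed for the example; the documentation ranges 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 stand in for real public addresses.

```python
# Added example (not Microsoft code, no Azure API calls): a small model of the
# conditional-access decisions the article describes, so that the trusted-network
# skip, remembered devices and per-user/per-app MFA requirements can be reasoned
# about offline. All policy names, IP ranges and sign-ins are constructed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional
import ipaddress

REMEMBERED_DEVICE_DAYS = 14  # the article's default remembered-device period

# Local private blocks (RFC 1918) must not appear in the trusted-location list;
# Azure AD only ever sees the organization's public egress addresses.
PRIVATE_BLOCKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def load_trusted_ranges(cidrs):
    """Parse trusted public IP blocks (CIDR) or single public IPs (branch offices)."""
    ranges = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=True)  # '203.0.113.7/24' (host bits set) is rejected
        if any(net.overlaps(p) for p in PRIVATE_BLOCKS):
            raise ValueError(f"{cidr} overlaps a private block; list public blocks only")
        ranges.append(net)
    return ranges


def is_trusted_location(ip, trusted_ranges):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in trusted_ranges)


@dataclass
class Policy:
    name: str
    groups: frozenset                  # user groups the policy targets
    apps: frozenset                    # cloud apps it covers, e.g. Exchange Online, Teams
    block: bool = False                # deny outright instead of granting with controls
    require_mfa: bool = True
    require_compliant_device: bool = False
    skip_mfa_on_trusted_network: bool = True


@dataclass
class SignIn:
    user: str
    groups: frozenset
    app: str
    source_ip: str
    device_compliant: bool = False
    mfa_remembered_at: Optional[datetime] = None   # when this device last completed MFA
    now: datetime = field(default_factory=lambda: datetime.now(timezone.utc))


def device_is_remembered(signin):
    """True while the remembered-device token is younger than the 14-day default."""
    if signin.mfa_remembered_at is None:
        return False
    return signin.now - signin.mfa_remembered_at < timedelta(days=REMEMBERED_DEVICE_DAYS)


def evaluate(signin, policies, trusted_ranges):
    """Return 'block', 'mfa' or 'allow' for one sign-in.

    Every policy whose user and app conditions match contributes: a block policy
    or an unmet device-compliance requirement wins immediately; otherwise the
    grant controls accumulate, and MFA is demanded unless the request comes
    from a trusted location (and the policy permits that skip) or the device
    is still remembered.
    """
    need_mfa = False
    for p in policies:
        if not (p.groups & signin.groups) or signin.app not in p.apps:
            continue
        if p.block or (p.require_compliant_device and not signin.device_compliant):
            return "block"
        if p.require_mfa and not (p.skip_mfa_on_trusted_network
                                  and is_trusted_location(signin.source_ip, trusted_ranges)):
            need_mfa = True
    if need_mfa and not device_is_remembered(signin):
        return "mfa"
    return "allow"


def demo():
    """Constructed scenarios; returns {scenario: decision} for inspection and tests."""
    trusted = load_trusted_ranges(["203.0.113.0/24", "198.51.100.77"])  # HQ block plus one branch IP
    policies = [
        Policy("guests: no Exchange", frozenset({"guests"}), frozenset({"Exchange Online"}), block=True),
        Policy("staff: MFA for mail and Teams", frozenset({"staff"}), frozenset({"Exchange Online", "Teams"})),
        Policy("finance: compliant device only", frozenset({"finance"}), frozenset({"Exchange Online"}),
               require_mfa=False, require_compliant_device=True),
    ]
    now = datetime(2024, 1, 20, tzinfo=timezone.utc)  # fixed clock so results are reproducible
    staff = frozenset({"staff"})
    cases = {
        "staff from HQ":        SignIn("alice", staff, "Exchange Online", "203.0.113.25", now=now),
        "staff from branch":    SignIn("alice", staff, "Teams", "198.51.100.77", now=now),
        "staff from home":      SignIn("alice", staff, "Exchange Online", "192.0.2.10", now=now),
        "staff, remembered":    SignIn("alice", staff, "Exchange Online", "192.0.2.10",
                                       mfa_remembered_at=now - timedelta(days=13), now=now),
        "staff, token expired": SignIn("alice", staff, "Exchange Online", "192.0.2.10",
                                       mfa_remembered_at=now - timedelta(days=14), now=now),
        "guest to Exchange":    SignIn("bob", frozenset({"guests"}), "Exchange Online", "203.0.113.25", now=now),
        "finance, unmanaged":   SignIn("carol", frozenset({"finance"}), "Exchange Online", "203.0.113.25", now=now),
        "staff to SharePoint":  SignIn("alice", staff, "SharePoint Online", "192.0.2.10", now=now),
    }
    return {name: evaluate(s, policies, trusted) for name, s in cases.items()}


if __name__ == "__main__":
    for scenario, decision in demo().items():
        print(f"{scenario:22s} -> {decision}")
```

The "staff to SharePoint" case is the one to notice: no policy covers that app, so the sign-in is allowed without MFA, which is exactly the gap a per-app policy list leaves when an application is forgotten. The strict CIDR parse and the private-block check catch the two trusted-location mistakes the article warns about before a policy silently fails to match any real request.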
The last and most granular option to enforce MFA in Office 365 is to use AD FS. Conditional access can allow or block access using a predefined set of apps or clients, but AD FS enables administrators to grant access by constructing claims based on the product or browser version.
Recently, Microsoft announced support for Hybrid Modern Authentication for organizations that run Exchange on premises. This capability enables those organizations to enjoy the same benefits and management capabilities of modern authentication as mailboxes that reside in Office 365, including MFA and conditional access.