Tuesday, May 14, 2019

Installing Multi-Factor Authentication for your Office 365 Users

Understanding MFA

In today's world, passwords and PIN numbers are simply not enough, and multi-factor authentication (MFA) is increasingly required to combat fraud. MFA means that you need to use a secondary form of authentication, such as an app on your phone, in addition to a password when signing into systems.

These instructions walk you through the process of setting up MFA for a user. You may need them if your user switches phones or has to have MFA disabled and re-enabled.

In the Admin Portal

While technically you could skip this step and go directly to the console via its URL, it's probably easier for most people to find their way from the Admin portal, so that's where I'll start.
  1. Open the Office 365 Admin Portal. (https://admin.microsoft.com/)
  2. Click on Users, then on Active Users
  3. Click on the dots at the end of the menu and choose Setup Multifactor Authentication.
  4. This will take you to the MFA console. 

In the MFA console

  1. Click on the Magnifying Glass icon to search for the user you want to modify.
  2. Type their name in and press enter
  3. Click on their name to open a panel to the right.
  4. In the panel, click on the link marked Enable
  5. Click on the button marked Enable Multi-factor auth.
  6. If you're new to multi-factor authentication, Microsoft encourages you to read this guide
  7. It will take a few seconds, then the dialog box can be closed.

Note: there's a handy link marked manage user settings that will appear once MFA is enabled. It lets you push the following settings to users:
    • Require selected users to provide contact methods again
    • Delete all existing app passwords generated by the selected users
    • Restore multi-factor authentication on all remembered devices 
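
The console steps above can also be checked and applied from PowerShell. This is an added example, not part of the original post: it assumes the MSOnline module is installed and still available for your tenant, and `user@example.com` is a constructed placeholder.

```powershell
# Added example: report (and optionally enable) per-user MFA with the MSOnline module.
# Assumptions: MSOnline is installed; the UPN default below is a placeholder.
param(
    [string]$UserPrincipalName = 'user@example.com',
    [switch]$Enable
)

Import-Module MSOnline -ErrorAction Stop
Connect-MsolService   # interactive sign-in with an admin account

function Get-MfaState {
    param([Parameter(Mandatory)][string]$Upn)
    $user = Get-MsolUser -UserPrincipalName $Upn -ErrorAction Stop
    # An empty StrongAuthenticationRequirements list means per-user MFA is Disabled.
    $state = if ($user.StrongAuthenticationRequirements.Count -gt 0) {
        $user.StrongAuthenticationRequirements[0].State   # Enabled or Enforced
    } else { 'Disabled' }
    [pscustomobject]@{
        UserPrincipalName = $user.UserPrincipalName
        MfaState          = $state
        DefaultMethod     = ($user.StrongAuthenticationMethods |
                             Where-Object IsDefault).MethodType
        RegisteredMethods = @($user.StrongAuthenticationMethods).Count
    }
}

# Always show the current state first, so the change is deliberate.
$before = Get-MfaState -Upn $UserPrincipalName
$before

if ($Enable -and $before.MfaState -eq 'Disabled') {
    # Same effect as clicking Enable in the MFA console for this user.
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = '*'
    $req.State = 'Enabled'
    Set-MsolUser -UserPrincipalName $UserPrincipalName `
                 -StrongAuthenticationRequirements @($req)
    Get-MfaState -Upn $UserPrincipalName
}
```

A state of Enabled means the user has been switched on but has not yet registered; it changes to Enforced once they complete the setup described below.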

Adding the App

Your users should now install the Microsoft Authenticator App on their phones. It can be accessed via the Apple App store or the Google Play store.
Sometimes, the easiest way to help your users get the app is to send them to this page.
Once the Microsoft Authenticator app has been downloaded and installed:
  • Open it
  • Choose Add Account (you might have to push the three dot menu in the top right corner to get this option).
  • Choose Work or School Account
  • You'll be prompted to scan a QR Code. 

The QR Code

You should send your users this link: https://aka.ms/MFASetup via Email.
  • They'll be prompted to add secondary information, such as a backup email address and mobile number. 
  • They'll also have a QR Code displayed on their computer screen. 
  • If they point their phone, with the Microsoft Authenticator message on it, at the computer screen, it will scan the code and connect. 

Finalising

The QR Code will activate the app on your phone. This takes a few moments (under a minute), and then it will do a test. You'll need to watch your phone and push Approve when the message appears.
From here on, the user will be prompted to approve the sign-in on their phone when they log in to Office 365. Since the authenticator app isn't tied to a phone number, it will work on Wi-Fi overseas. 

Helping with Setup

If your user experiences issues with the setup process and you have their device, you can do this via the Azure Portal.
  1. Go to the Azure Portal 
  2. Search and Locate your User under Users, All Users, Profile
  3. Under Authentication Contact Info, click the link marked Manage your other authentication contact information in your Access Panel Profile
  4. In the Access Panel Profile screen, click edit Security Info
  5. If you see any authenticator settings already on this screen, you may want to delete them (there's a warning but it's okay) -- this will clear any old authenticator information. 
  6. Click Add Security Info
  7. Choose Authenticator App
  8. The QR Code will be displayed and you'll be able to use the authenticator app on the user's device to scan it.