
Multi-Factor Authentication for Office 365

Published: May 20, 2013

Updated: February 10, 2014

Multi-Factor Authentication for Office 365, powered by Azure Multi-Factor Authentication, works exclusively with Microsoft Office 365 applications at no additional cost and is managed from the Office 365 portal. Multi-Factor Authentication for Office 365 offers the following subset of Azure Multi-Factor Authentication capabilities:

  • Ability to enable and enforce multi-factor authentication for end users

  • Use of a mobile app (online and one-time password [OTP]) as a second authentication factor

  • Use of a phone call as a second authentication factor

  • Use of an SMS message as a second authentication factor

  • Application passwords for non-browser clients (for example, Microsoft Outlook messaging and collaboration client and Microsoft Lync communications software)

  • Default Microsoft greetings during authentication phone calls

This document covers the following topics:

You can enable Multi-Factor Authentication for Office 365 by using the Azure Management Portal or the Office 365 portal.

Important
If you want to use only Multi-Factor Authentication for Office 365, do not create a Multi-Factor Authentication provider in the Azure Management Portal and link it to a directory. Doing so will take you from Multi-Factor Authentication for Office 365 to the paid version of Multi-Factor Authentication.

To enable Multi-Factor Authentication for Office 365 for a user account by using the Office 365 portal, use the following procedure.

  1. Sign in to the Office 365 Portal.

  2. Navigate to the Office 365 admin center.

  3. Select users and groups.

  4. Next to Set Multi-Factor authentication requirements click Set up.


  5. Find the user that you wish to enable for multi-factor authentication. You may need to change the view at the top. Ensure that the user’s status is disabled and place a check in the box next to their name.


  6. This will bring up two options on the right, Enable and Manage user settings. Click Enable. This will bring up a pop-up that will specify the next steps you need to take with your users. Click enable multi-factor auth.

  7. Once you have enabled your users, we recommend that you send your users an email that informs them how they can use their non-browser apps such as Outlook and Lync. You can use the email template located here as an example.
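
The portal procedure above, scripted for several accounts at once. This is an added example, not part of the original page; it assumes the legacy MSOnline PowerShell module is installed and a tenant administrator signs in, and the user names are constructed placeholders.

```powershell
# Added example: assumes the MSOnline module and tenant administrator credentials.
Import-Module MSOnline
Connect-MsolService   # prompts for administrator credentials

# Hypothetical input: accounts to enable (constructed sample values).
$targets = @('alice@contoso.example', 'bob@contoso.example')

function Get-MfaState {
    param([Parameter(Mandatory)] $User)
    # An account with no StrongAuthenticationRequirements entry is shown
    # with status "Disabled" on the multi-factor authentication page.
    $req = $User.StrongAuthenticationRequirements
    if ($req.Count -gt 0) { $req[0].State } else { 'Disabled' }
}

# Requirement object that corresponds to clicking Enable in the portal.
$requirement = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$requirement.RelyingParty = '*'
$requirement.State = 'Enabled'

$report = foreach ($upn in $targets) {
    $user = Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue
    if (-not $user) {
        # Record unknown accounts instead of failing the whole run.
        [pscustomobject]@{ User = $upn; Before = 'NotFound'; After = 'NotFound' }
        continue
    }
    $before = Get-MfaState -User $user
    if ($before -eq 'Disabled') {
        # Only touch accounts that are currently disabled, as in step 5.
        Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements @($requirement)
        $user = Get-MsolUser -UserPrincipalName $upn
    }
    [pscustomobject]@{ User = $upn; Before = $before; After = (Get-MfaState -User $user) }
}
$report | Format-Table -AutoSize

# Audit: licensed accounts that are still not enabled for multi-factor authentication.
Get-MsolUser -All |
    Where-Object { $_.IsLicensed -and (Get-MfaState -User $_) -eq 'Disabled' } |
    Select-Object UserPrincipalName, DisplayName
```

The closing audit query is useful after a rollout to confirm that no licensed account was left with a password as its only factor.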

The following is a checklist of steps that you can use to get going with Multi-Factor Authentication for Office 365.

 

| Step | Description | Link |
| --- | --- | --- |
| 1. Enable Multi-Factor Authentication on your users | First, you need to enable multi-factor authentication on your Office 365 users. | To enable Multi-Factor Authentication on your Office 365 users see Enable multi-factor authentication for a user account |
| 2. Send email to end users to notify them about MFA. | Next, send your users an email that notifies them about multi-factor authentication and how to continue using their non-browser apps. | For an example email template see Email Template for Enabled Users. |
| 3. Have a user sign in and complete the registration process. | Once you have enabled the account for multi-factor authentication, your Office 365 users can sign in and complete the registration process. | To sign in the first time and complete the registration process see Signing in for the first time using Azure Multi-Factor Authentication |
| 4. Configure app passwords for non-browser apps (such as …Outlook etc.). | After the registration process has been completed, users can set up application passwords for non-browser apps (such as …Outlook etc.). This is required because the non-browser apps (such as …Outlook etc.) do not support multi-factor authentication and you will be unable to use them unless an app password is configured. | To configure app passwords see App Passwords with Azure Multi-Factor Authentication |

In some cases, you may want to prevent your users from having the ability to create app passwords for use in non-browser apps. Use the following procedure to disable app password usage. Please be aware that this will affect all of your Office 365 users that are enabled for multi-factor authentication and that these users will be unable to use non-browser applications.

  1. Sign in to the Office 365 Portal.

  2. Navigate to the Office 365 admin center.

  3. Select users and groups.

  4. Next to Set Multi-Factor authentication requirements click Set up.

  5. On the multi-factor authentication page, click Service Settings.

  6. Under app passwords, select the radio button next to Do not allow use of app passwords (users enabled for multi-factor auth will not be able to sign in to non-browser applications)


  7. Click Save.

  8. Once the update applies, click Close.

  9. You can now safely close the Office 365 portal.

In some cases, you may not have a smartphone and still need to set up multi-factor authentication. This can be done by selecting the office phone option from the drop-down when you first set up multi-factor authentication. Although this option is titled office phone, it can be any phone that you would like to use as your second means of authentication. For instance, if you work out of your house, you could enter that number as your office phone.

For a short video on how to set this up see: How to setup multi-factor authentication without a smart phone

Use the following procedure to set up multi-factor authentication to use the office phone option.

  1. Sign in to the Office 365 portal.

  2. You will see a message that says Your admin has required that you set up this account for additional security verification. Click Set it up now.

  3. On step 1, in the drop-down select Office phone. Select your region and enter your phone number. Click Next.


  4. On step 2, we need to verify the phone number we just entered so click Verify now.

  5. You will receive a phone call shortly. Listen to the message and then press the # key. You can now hang up.

  6. You should now see that the verification was successful. Click Next.


  7. In step 3 you will be prompted to set up app passwords. If you are using app passwords and need to set this up see App passwords with Azure Multi-Factor Authentication

To enable multi-factor authentication for other applications, you can use the Azure Multi-Factor Authentication service, which offers a richer set of capabilities, additional configuration options via the Azure Management portal, advanced reporting, and support for a range of on-premises and cloud applications. Office 365 customers who want the additional functionality can also purchase Azure Multi-Factor Authentication. The following table shows a comparison between the various versions of multi-factor authentication that are available.

 

|  | Multi-Factor Authentication for Office 365 | Multi-Factor Authentication for Azure Administrators | Azure Multi-Factor Authentication |
| --- | --- | --- | --- |
| Included in Azure Subscription |  | Yes |  |
| Included in Office 365 SKUs | Yes |  |  |
| Administrators can Enable/Enforce MFA to end-users | Yes | Yes - (Applies to only users who are Azure Administrators) | Yes |
| Use Mobile app (online and OTP) as second authentication factor | Yes | Yes | Yes |
| Use Phone call as second authentication factor | Yes | Yes | Yes |
| Use SMS as second authentication factor | Yes | Yes | Yes |
| Application passwords for non-browser clients (e.g. Outlook, Lync) | Yes | Yes | Yes |
| Default Microsoft greetings during authentication phone calls | Yes | Yes | Yes |
| Custom greetings during authentication phone calls |  |  | Yes |
| Fraud alert |  |  | Yes |
| MFA SDK |  |  | Yes |
| Security Reports |  |  | Yes |
| MFA for on-premises applications/ MFA Server. |  |  | Yes |
| One-Time Bypass |  |  | Yes |
| Block/Unblock Users |  |  | Yes |
| Customizable caller ID for authentication phone calls |  |  | Yes |
| Event Confirmation |  |  | Yes |
| IP Whitelist |  |  | Yes |

       

The following table is a checklist of steps that you can use to start using Azure Multi-Factor Authentication if you are using Office 365.

These steps assume that you have an Office 365 account. If you do not, you must first sign up for Office 365. For more information, see the Office 365 site. If you already have an Azure Active Directory (Azure AD) tenant but do not have an Office 365 subscription, you can sign in to the Office 365 portal by using your Azure AD tenant administrator account and then add a new Office 365 subscription to your Azure AD tenant.

Important
Once the Multi-Factor Authentication subscription is enabled through the Azure portal, customers can manage Multi-Factor Authentication through the Office 365 portal. For customers who are not yet transitioned to Wave 15, administrators and users need to use the Azure portal to enable and manage Multi-Factor Authentication, as Multi-Factor Authentication controls are not enabled in the Office 365 portal for Wave 14 tenants. Please read Am I using Office 365 after the service upgrade if you are unsure.

 

| Step | Description | Link |
| --- | --- | --- |
| 1. Sign up for an Azure subscription. | The first step is to sign up for an Azure subscription. If you already have an Azure subscription, skip to the next step. | To sign up for an Azure Subscription see Azure Free Trial. |
| 2. Create a Multi-Factor Auth Provider | In the Azure Management Portal create a Multi-Factor Auth Provider. | To create a Multi-Factor Auth Provider see Creating a Multi-Factor Auth Provider. |
| 3. Enable multi-factor authentication on your users | Next, you need to enable multi-factor authentication on your Office 365 users. | To enable Multi-Factor Authentication on your Office 365 users see Enable multi-factor authentication for a user account |
| 4. Send email to end users to notify them about MFA. | Next, send your users an email that notifies them about multi-factor authentication and how to continue using their non-browser apps. | For an example email template see Email Template for Enabled Users. |
| 5. Have a user sign in and complete the registration process. | Once you have enabled the account for multi-factor authentication, your Office 365 users can sign in and complete the registration process. | To sign in the first time and complete the registration process see Signing in for the first time using Azure Multi-Factor Authentication |
| 6. Configure app passwords for non-browser apps (such as …Outlook etc.). | After the registration process has been completed, users can set up application passwords for non-browser apps (such as …Outlook etc.). This is required because the non-browser apps (such as …Outlook etc.) do not support multi-factor authentication and you will be unable to use them unless an app password is configured. | To configure app passwords see App Passwords with Azure Multi-Factor Authentication |

At this point, your Office 365 users are configured to successfully use Azure Multi-Factor Authentication.

If a user wants to change his or her Multi-Factor Authentication settings, such as use of a phone or a mobile app as a secondary authentication factor, he or she can do so. For more information, see Changing your Azure Multi-Factor Authentication Settings for Office 365 Users and Using Mobile App as your contact method.

© 2014 Microsoft