As the world starts to move away from on-premises solutions towards cloud-based services, we need to start thinking about how we can secure data that could potentially be visible to anyone on the internet. Previously, e-mail and collaboration services such as SharePoint would generally only be available while you were on the corporate LAN, VPN, VDI or a secure mobile device.

The design is shifting towards cloud-based (i.e. internet-facing) delivery of such services, with Office 365 from Microsoft being a particular standard bearer. By default, things are kept nice and simple in the sense that you have a username and password and that’s it. However, should this password be compromised, either via a hack or via a brute-force password attack, all bets are off in terms of access to the likes of e-mail, SharePoint etc.

Enter Multi-Factor Authentication (MFA). What this does is introduce another step into the authentication chain. One example in the consumer world is the PINsentry from Barclays Bank. I have a user ID, passcode and then I need my Barclays debit card and a PINsentry device to generate a one-time passcode to act as the final layer of authentication. This way, even if my username and passcode are compromised, without my Barclays card and PINsentry, access is not permitted.

Moving back to Office 365, Microsoft defines MFA as the following:-

“Multi-factor authentication (MFA) is a method of authentication that requires the use of more than one verification method and adds a critical second layer of security to user sign-ins and transactions. It works by requiring any two or more of the following verification methods:

  • Something you know (typically a password)
  • Something you have (a trusted device that is not easily duplicated, like a phone)
  • Something you are (biometrics)”

Note above that Microsoft’s definition shows that MFA needn’t be just a username, password and OTP (One-Time Passcode) generated by an authentication application. It can also include biometrics such as fingerprint scanners, or smart cards. It really just depends on how sensitive your data is, how many layers you want to put in place and, probably most importantly, how you balance all these layers of security against the time and inconvenience to the end user.

In this particular example, we just need to add an OTP capability to Office 365. In basic terms, this involves enabling a user for MFA and downloading the Authenticator mobile application from the respective App Store; the user can then configure their own account the next time they log in. It’s worth noting during the planning stage that introducing MFA to Office 365 results in the creation of an “application password”. This is a randomly generated string created by Microsoft when MFA is enabled.

This is required because MFA is only supported on web-based applications, such as Word or Excel Online. For traditional Windows desktop-based applications such as Outlook, you will need to enter this application password in order to continue your send/receive activity as before. Please also remember that when you are shown your application password (and this applies to all Office applications), you are only shown this value once. Make a note of this and store it in a safe place. If it is lost, you can generate a new one, but this is more inconvenience for the end user.

Finally, one of the really useful things about MFA for Office 365 from an administrator’s perspective is that this can be enabled and rolled out on a per user basis, meaning you can phase the rollout of this instead of going for a “big bang” approach. This way, you can ensure that all issues are resolved quickly and the Service Desk is not overwhelmed with tickets if you have a large installed user base.

For further details on enabling and configuring MFA on Office 365, please follow the links below:-

  • Plan for multi-factor authentication for Office 365 Deployments
  • Set up multi-factor authentication for Office 365
  • Multi-Factor Authentication for Office 365