Chapter 11

Configuring Multi-Factor Authentication

IN THIS CHAPTER

  • Applying best practices for deploying multi-factor authentication (MFA)
  • Setting up and managing MFA
  • Walking the MFA highway in the end user’s shoes

“Have you tried turning it off and on again?”

As an IT admin, you most likely have uttered those words at some point while providing support for your end users. I know I have. In fact, I have been at the other end of a support call with an irate customer who was very unhappy with the “broken” printer we delivered because it only worked for one day. After trying several troubleshooting steps, including flicking the switch on and off, it occurred to me to ask the customer to check if the printer was plugged in. It was not. Someone had unplugged it while rearranging the workstation and forgotten to plug it back in.

In today’s threat landscape, we can only hope that the support calls we get are as simple to fix as turning a device off and on again. The harsh reality is that IT admins today need to be prepared to support a user whose device or identity has been hacked. Only when an IT admin operates with the mindset of assumed breach will an organization be best positioned to minimize security risks.

Microsoft 365 Business has built-in security features including multi-factor authentication (MFA), which greatly enhances an organization’s security posture. Although industry experts recommend enabling this feature as a security best practice, some IT admins are hesitant to turn on this feature. I can understand why. I have seen MFA implementations in which the IT team bore the brunt of the backlash from unhappy end users who had trouble logging in from a poorly planned rollout.

In this chapter, you explore the security capabilities of MFA, understand how to plan its implementation for the best end-user experience, step through the MFA tasks an IT admin needs to perform, and experience MFA from the lens of an end user.

Getting Grounded on Authentication

Although the phrase “multi-factor authentication” may not be something that comes up in your everyday water-cooler conversations, the concept has been around for a while and is widely adopted without people even knowing it.

Multi-factor authentication (MFA) is the process by which a user confirms his or her identity by presenting at least two forms of proof before being granted access to online or electronic resources.

If you’ve ever used an ATM where you had to provide your card number plus a PIN, you’ve used MFA. If your end users have used Facebook or Gmail, they most likely have also encountered MFA, especially if they’ve signed on to those services from a new or unknown location. With that background, you can take advantage of your end users’ prior experience with MFA to successfully implement this security feature in your organization.

MFA in the Microsoft ecosystem

In this chapter, I cover the implementation of MFA only for users whose identities are managed in the cloud through Azure Active Directory (AAD). To avoid confusion, however, I go into a little more detail on the different versions of MFA because not all features in the full version of MFA are available in Office 365 and, ultimately, Microsoft 365 Business.

Three versions of multi-factor authentication are available:

  • MFA for Office 365: This version is included in Office 365, which is one of the services in Microsoft 365 Business. It allows for two forms of verification for a user to authenticate. In this chapter, I cover this version of MFA.
  • MFA for Azure Active Directory Administrators: This free version of MFA is given only to a global administrator for an Azure Active Directory tenant. Anyone can go to http://portal.azure.com and create an Azure Active Directory tenant and pay for the standalone service without purchasing a Microsoft 365 Business license.
  • Azure MFA: This full version of MFA is available when you purchase Azure Active Directory Premium licenses. Larger organizations that run an on-premises environment typically need this version because it enables both cloud and on-premises deployment. It also has robust reporting and configuration capabilities.

Best practices from the trenches

Anyone with global admin privileges in the Microsoft 365 tenant needs to have MFA enabled. That’s because a breach of a user with admin privileges opens the door for hackers to do anything they want in your tenant.

For end users with no admin privileges, MFA should still be enabled because passwords are no longer enough. As described in the preceding chapter, hackers can obtain a user’s password in several ways.

Enforcing MFA for global admins with a systems engineering background is usually not a big deal. But when you roll out a new process for end users, you can sow a lot of confusion and end up with a bad user experience if you don’t see things from a non-IT person’s perspective. I know of an implementation that ended up badly for the IT admin because the end user negatively affected was an executive. I hope that the following best practices will keep you from experiencing that nightmare:

  • Communicate the change to your organization and the reasons for the change. It’s best to get sponsorship from leaders in your organization and even better if one of the leaders communicates the change.
  • Pilot MFA to tech-savvy users first before rolling it out to the rest of the organization. Learn from the pilot and use that intelligence to form the basis of your rollout plan and communication.
  • Create a training portal replete with how-to videos using Stream, a video service that comes with your Microsoft 365 Business subscription. Try to keep your videos to a minute or less so they’re easily consumable.
  • Choose a preferred authentication factor that you think will work for at least 80 percent of your users and encourage its adoption. If you’re using MFA for Office 365, your users have four options for the second authentication factor:
    • Phone call: The end user answers the call and presses the pound (#) key to authenticate.
    • Verification code from a mobile app such as Microsoft Authenticator: The app generates a verification code every 30 seconds. The end user enters the code into the sign-in interface to authenticate.
    • Notification from a mobile app: The system sends a notification to a registered mobile device to which the end user selects Approve to authenticate. I find this method the most seamless. It does require a few minutes to set up, but the time investment is worth it in the long run. This method is especially helpful when I’m traveling internationally and don’t want to pay international roaming charges for phone call authentication. I simply use the hotel’s Wi-Fi to receive the notification in the Microsoft Authenticator app to authenticate.
    • Verification code sent in a text message: The end user needs to enter the code received via text message into the sign-in interface to authenticate.
  • Deploy the latest version of the Office desktop applications because versions older than Office 2016 require additional admin tasks to enable modern authentication required for MFA. Microsoft 365 Business comes with Office ProPlus, which is always the latest version of Office, so it’s best to standardize on that version to reduce implementation complexity.
  • Define the support and escalation model before the rollout. Make sure end users understand where to go for help if they get stuck. Obviously, you also need to ensure that your support staff is ready when you roll out MFA.
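The verification code in the list above is a time-based one-time password (TOTP, RFC 6238 on top of RFC 4226 HOTP), which is the standard mechanism behind app-generated codes. The following Python is an added example, not code from this book or from Microsoft; it uses the RFC 6238 reference secret and its published test vectors, and shows how the six-digit code is derived, why it changes every 30 seconds, and how a verifier tolerates clock drift between phone and server while refusing a replayed code. All function and variable names are this example’s own.

```python
"""RFC 4226 HOTP / RFC 6238 TOTP, the mechanism behind the rotating
verification code in an authenticator app. Added example, not from the page."""
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 Appendix B reference secret (ASCII "12345678901234567890");
# the test vectors in the RFC are derived from it.
RFC6238_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated
    to a 31-bit integer, then reduced to the requested number of digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time, step: int = 30, digits: int = 6) -> str:
    """The counter is the number of 30-second steps since the Unix epoch,
    which is why the app shows a new code every 30 seconds."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret, submitted, at_time, last_used_counter=-1,
                step=30, digits=6, window=1):
    """Server-side check. Returns the counter that matched, or None.

    window:            tolerate +/- N steps of clock drift between phone and server
    last_used_counter: reject any counter already consumed (replay guard), so an
                       intercepted code cannot be reused inside the drift window
    """
    # Reject malformed input before doing any comparison at all.
    if not (isinstance(submitted, str) and submitted.isascii() and submitted.isdigit()):
        return None
    counter = int(at_time) // step
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if candidate <= last_used_counter:
            continue
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return candidate
    return None


def secret_from_base32(text: str) -> bytes:
    """Authenticator apps are usually provisioned with a base32 secret (the
    QR-code payload); normalise spacing, case and padding before decoding."""
    cleaned = text.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


if __name__ == "__main__":
    # Live code for the RFC test secret at the current time (changes every 30 s).
    print("current code:", totp(RFC6238_SECRET, time.time()))
```

The replay guard matters because the drift window otherwise lets the same code be accepted twice within about 90 seconds; storing the last accepted counter per user closes that gap. The decoder at the end is there because the secret a user scans during the “Configure Mobile App” step is transported as base32 text, not raw bytes.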

Deploying MFA

Generally, people don’t object to providing second-factor authentication when using ATMs to withdraw cash. Train end users that their identities are just as valuable as the cash in their bank accounts and, as a result, the same security precautions should be followed.

Microsoft processes billions of authentications monthly, and the cloud intelligence gathered at that scale allows it to detect and block tens of millions of attacks every day. As new types of attacks are detected in various parts of the world, Microsoft’s systems automatically protect customers, such as those in your organization. For organizations that have implemented risk policies, Microsoft has seen compromises reduced by 96 percent. Organizations that implement MFA specifically see a 99.9 percent risk reduction. If you have any doubt as to whether you should embrace MFA, I hope those statistics are convincing.

Admin tasks for setting up MFA

By default, Microsoft 365 Business tenants are enabled for modern authentication, a protocol required for MFA. If you’re running a version of Office older than Office 2016 or have users who check email using Apple Mail, however, end users will need to create MFA app passwords because those legacy systems do not support two-step verification. You step through creating app passwords in the next section.

To configure MFA service settings, follow these steps:

  1. Log in to Microsoft 365 Admin Center at http://admin.microsoft.com.

    You need your Microsoft 365 Global Admin credentials.

  2. On the left, under Users, click Active Users.

    The Active Users page is displayed.

  3. Click the More Settings icon (…) and then select Setup Multifactor Authentication from the drop-down menu that appears, as shown in Figure 11-1.

    The Users tab of the Multi-Factor Authentication page appears.

  4. Click Service Settings.

    The Service Settings page appears, as shown in Figure 11-2.

  5. Ensure that the options appropriate for your organization are selected, and then click the Save button.

    The system saves the changes and displays a validation window to confirm that the updates were successful.

  6. From the Updates Successful window, click the Close button.

    The validation window disappears, and the Service Settings page is displayed.

FIGURE 11-1: Navigating to the Multifactor Authentication setup page.

FIGURE 11-2: The MFA Service Settings page.

Enabling end users for MFA

To enable MFA for a user licensed for Microsoft 365 Business:

  1. Log in to Microsoft 365 Admin Center at http://admin.microsoft.com.

    You need your Microsoft 365 Global Admin credentials.

  2. From the left menu, under Users, click Active Users.

    The Active Users page appears.

  3. Click the More Settings icon (…) and then select Setup Multifactor Authentication from the drop-down menu that appears.

    The Users tab of the Multi-Factor Authentication page appears.

  4. In the list of users, select the box to the left of the user you want to enable for MFA.

    The right pane displays additional information about the user and actions you can take for the user.

  5. On the right pane below the end user’s contact information, click Enable, as shown in Figure 11-3.

    The system displays a validation window to confirm your intent to enable MFA for the user.

  6. Click the Enable Multi-Factor Auth button.

    The system processes the changes and displays the Updates Successful window.

  7. Click the Close button.

    The Users tab of the Multi-Factor Authentication page is displayed.

FIGURE 11-3: Enabling MFA for an end user.

Warning In the Service Settings page (refer to Figure 11-2) is an option to enable the Remember Multi-Factor Authentication feature. This handy feature allows end users to bypass second-factor authentications on trusted devices for a certain number of days after they’ve successfully signed in using MFA. Although this is a great experience for end users, Microsoft recommends NOT enabling this feature, and I agree. Otherwise, the device will pose a security risk if it is compromised. If you decide to enable this feature and a device is compromised, you must perform a task to restore MFA on all devices on which users have logged in with MFA. I cover this task in the “Managing MFA” section in this chapter.

Tip You can enable MFA for multiple users at the same time by selecting more than one user from the list. For large organizations, a bulk update option is available to save the IT admin from clicking thousands of users. To enable MFA for a large number of users, click the Bulk Update button, upload a file in .csv format with all the users to be enabled for MFA, and then follow the prompts to complete the process. From the same window, you can download a sample file to ensure that your .csv file follows the required format.

End-user MFA experience

You’ve done your due diligence and have communicated that MFA will be implemented in your organization. It’s now time for your end users to do their part.

The first step an end user needs to take is to register other methods for authentication. It is not enough that an end user is enabled for MFA; the end user also needs to complete the registration process. Here’s the fastest way for an end user to register for MFA:

  1. Navigate to https://aka.ms/proofup.

    The sign-in page is displayed.

  2. Enter your username and click Next.

    The Enter Password window appears.

  3. Enter your password and click the Sign In button.

    The More Information Is Required window is displayed.

  4. Click the Next button.

    The Additional Security Verification page is displayed.

  5. Choose the appropriate option under Step 1, as shown in Figure 11-4.

    To follow along with the example, choose Mobile App.

  6. Select Use Verification Code under How Do You Want To Use the Mobile App? section, and then click the Set Up button.

    The Configure Mobile App window appears, as shown in Figure 11-5.

  7. Follow the instructions and then click the Next button.

    In this example, I am using the Microsoft Authenticator app. After the app displays the six-digit code, the system displays the Verifying App window and a notification appears on the Authenticator app asking me to Approve or Deny the sign-in request.

  8. On your mobile device, in the Authenticator app, tap Approve, as shown in Figure 11-6.

    The Additional Security Verification page appears.

  9. Click the Save button.

    The system processes the changes and then displays the Updates Successful window.

  10. Click the Close button.

    The user’s Account page appears.

FIGURE 11-4: Setting up additional security verification.

FIGURE 11-5: Configuring the mobile app for MFA.

FIGURE 11-6: Approving the verification request from the Authenticator app.

Tip If you’re like me, you don’t like reinventing the wheel. So here’s a link from Microsoft you can use in your communication email to prepare your end users for the MFA implementation: https://docs.microsoft.com/en-us/azure/active-directory/user-help/multi-factor-authentication-end-user.

Managing MFA

It happens. No matter how much you empower your end users to self-serve, they’ll invariably reach out to you for help with requests related to MFA. Or you may need to take action to mitigate a risk from a compromised device.

You manage user settings for MFA in the same location that you enabled MFA: the Multi-Factor Authentication page.

To get to the page, follow Steps 1 through 3 in the preceding section. But wait, there’s a shortcut! You can reach the same destination by simply navigating to the following link: https://account.activedirectory.windowsazure.com/UserManagement/MultifactorVerification.aspx.

From the Users tab of the Multi-Factor Authentication page, note the three statuses in the Multi-Factor Auth Status column:

  • Enabled: The user is enabled for MFA but has not yet completed the registration.
  • Enforced: The user is enabled for MFA and has completed the registration.
  • Disabled: The user is not enabled for MFA.
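The three statuses above, together with the rule earlier in the chapter that every global admin must have MFA, are enough to turn the Users tab into a periodic audit. The following Python is an added example, not code from this book or from Microsoft: it takes records shaped like the rows of the Multi-Factor Authentication page (user, MFA status) with an assumed role field added, and reports which admins are not yet Enforced, which users still need to finish registration, and overall coverage. The sample users and the example.com tenant are constructed, and the function and field names are this example’s own.

```python
"""Audit of the Multi-Factor Auth Status column. Added example; the records
are constructed to mirror the three statuses the Users tab shows, plus an
assumed "role" field that the page itself does not list."""

ENFORCED = "Enforced"   # enabled and registration completed
ENABLED = "Enabled"     # enabled, registration not yet completed
DISABLED = "Disabled"   # not enabled for MFA
KNOWN_STATUSES = (ENFORCED, ENABLED, DISABLED)
ADMIN_ROLE = "Global Administrator"

# Constructed sample input; users, roles and tenant are invented.
SAMPLE_USERS = [
    {"upn": "admin1@example.com",   "role": ADMIN_ROLE, "mfa_status": "Enforced"},
    {"upn": "admin2@example.com",   "role": ADMIN_ROLE, "mfa_status": "Disabled"},
    {"upn": "helpdesk@example.com", "role": "User",     "mfa_status": "Enabled"},
    {"upn": "sales1@example.com",   "role": "User",     "mfa_status": "Disabled"},
    {"upn": "exec@example.com",     "role": "User",     "mfa_status": "Enforced"},
]


def audit_mfa(users):
    """Classify users by MFA status and flag the findings an admin acts on."""
    report = {
        "admins_not_enforced": [],   # violates the "every global admin" rule
        "pending_registration": [],  # Enabled: remind the user to visit aka.ms/proofup
        "not_enabled": [],           # Disabled: candidates for the next rollout wave
        "unknown_status": [],        # anything outside the three documented values
    }
    for user in users:
        status = user["mfa_status"]
        if status not in KNOWN_STATUSES:
            report["unknown_status"].append(user["upn"])
            continue
        if user["role"] == ADMIN_ROLE and status != ENFORCED:
            report["admins_not_enforced"].append(user["upn"])
        if status == ENABLED:
            report["pending_registration"].append(user["upn"])
        elif status == DISABLED:
            report["not_enabled"].append(user["upn"])
    done = sum(1 for u in users if u["mfa_status"] == ENFORCED)
    report["coverage_percent"] = round(100.0 * done / len(users), 1) if users else 0.0
    return report


if __name__ == "__main__":
    for key, value in audit_mfa(SAMPLE_USERS).items():
        print(f"{key}: {value}")
```

An admin in the Enabled state is treated as a finding because registration has not been completed, so the second factor is not yet protecting that account; the pending list is the set of users to chase with the registration link from the previous section.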

If for some reason you need to remove the MFA feature for a user, select the enabled user from the list, and then click Disable under Quick Steps in the right pane.

If an enabled user’s device is compromised, click Manage User Settings under Quick Steps in the right pane. In the Manage User Settings window that appears, select one or more options, as shown in Figure 11-7. Then click the Save button.

FIGURE 11-7: Managing MFA user settings.
