Chapter 11
IN THIS CHAPTER
Applying best practices for deploying multi-factor authentication (MFA)
Setting up and managing MFA
Walking the MFA highway in the end user’s shoes
“Have you tried turning it off and on again?”
As an IT admin, you most likely have uttered those words at some point while providing support for your end users. I know I have. In fact, I have been at the other end of a support call with an irate customer who was very unhappy with the “broken” printer we delivered because it only worked for one day. After trying several troubleshooting steps, including flicking the switch on and off, it occurred to me to ask the customer to check if the printer was plugged in. It was not. Someone had unplugged it while rearranging the workstation and forgotten to plug it back in.
In today’s threat landscape, we can only hope that the support calls we get are as simple to fix as turning a device off and on again. The harsh reality is that IT admins today need to be prepared to support a user whose device or identity has been hacked. Only when an IT admin operates with the mindset of assumed breach will an organization be best positioned to minimize security risks.
Microsoft 365 Business has built-in security features including multi-factor authentication (MFA), which greatly enhances an organization’s security posture. Although industry experts recommend enabling this feature as a security best practice, some IT admins are hesitant to turn it on. I can understand why. I have seen MFA implementations in which the IT team bore the brunt of the backlash from unhappy end users who had trouble logging in after a poorly planned rollout.
In this chapter, you explore the security capabilities of MFA, understand how to plan its implementation for the best end-user experience, step through the MFA tasks an IT admin needs to perform, and experience MFA from the lens of an end user.
Although the phrase “multi-factor authentication” may not be something that comes up in your everyday water-cooler conversations, the concept has been around for a while and is widely adopted without people even knowing it.
Multi-factor authentication (MFA) is the process by which a user confirms his or her identity by presenting at least two forms of proof before being granted access to online or electronic resources.
If you’ve ever used an ATM where you had to provide your card number plus a PIN, you’ve used MFA. If your end users have used Facebook or Gmail, they most likely have also encountered MFA, especially if they’ve signed on to those services from a new or unknown location. With that background, you can take advantage of your end users’ prior experience with MFA to successfully implement this security feature in your organization.
In this chapter, I cover the implementation of MFA only for users whose identities are managed in the cloud through Azure Active Directory (AAD). To avoid confusion, however, I go into a little more detail on the different versions of MFA because not all features in the full version of MFA are available in Office 365 and, ultimately, Microsoft 365 Business.
Three versions of multi-factor authentication are available:
http://portal.azure.com and create an Azure Active Directory tenant and pay for the standalone service without purchasing a Microsoft 365 Business license.
Anyone with global admin privileges in the Microsoft 365 tenant needs to have MFA enabled. That’s because a breach of a user with admin privileges opens the door for hackers to do anything they want in your tenant.
For end users with no admin privileges, MFA should still be enabled because passwords are no longer enough. As described in the preceding chapter, hackers can obtain a user’s password in several ways.
Enforcing MFA for global admins with a systems engineering background is usually not a big deal. But when you roll out a new process for end users, you can sow a lot of confusion and end up with a bad user experience if you don’t see things from a non-IT person’s perspective. I know of an implementation that ended up badly for the IT admin because the end user negatively affected was an executive. I hope that the following best practices will keep you from experiencing that nightmare:
Generally, people don’t object to providing second-factor authentication when using an ATM to withdraw cash. Train end users that their identities are just as valuable as the cash in their bank accounts and, as a result, the same security precautions should be followed.
Microsoft processes billions of authentications monthly, and the cloud intelligence it gathers at such a scale allows it to detect and block tens of millions of attacks every day. As new types of attacks are detected in various parts of the world, Microsoft’s systems automatically protect customers, such as those in your organization. For organizations that have implemented risk policies, Microsoft has seen compromises reduced by 96 percent. Those who implement MFA specifically see a 99.9 percent risk reduction. If you have any doubt as to whether you should embrace MFA, I hope those statistics are convincing.
By default, Microsoft 365 Business tenants are enabled for modern authentication, a protocol required for MFA. If you’re running a version of Office older than Office 2016 or have users who check email using Apple Mail, however, end users will need to create MFA app passwords because those legacy systems do not support two-step verification. You step through creating app passwords in the next section.
To configure MFA service settings, follow these steps:
1. Log in to Microsoft 365 Admin Center at http://admin.microsoft.com.
   You need your Microsoft 365 Global Admin credentials.
2. On the left, under Users, click Active Users.
   The Active Users page is displayed.
3. Click the More Settings icon (…) and then select Setup Multifactor Authentication from the drop-down menu that appears, as shown in Figure 11-1.
   The Users tab of the Multi-Factor Authentication page appears.
4. Click Service Settings.
   The Service Settings page appears, as shown in Figure 11-2.
5. Ensure that the options appropriate for your organization are selected, and then click the Save button.
   The system saves the changes and displays a validation window to confirm that the updates were successful.
6. From the Updates Successful window, click the Close button.
   The validation window disappears, and the Service Settings page is displayed.
To enable MFA for a user licensed for Microsoft 365 Business:
1. Log in to Microsoft 365 Admin Center at http://admin.microsoft.com.
   You need your Microsoft 365 Global Admin credentials.
2. From the left menu, under Users, click Active Users.
   The Active Users page appears.
3. Click the More Settings icon (…) and then select Setup Multifactor Authentication from the drop-down menu that appears.
   The Users tab of the Multi-Factor Authentication page appears.
4. In the list of users, select the box to the left of the user you want to enable for MFA.
   The right pane displays additional information about the user and actions you can take for the user.
5. In the right pane, below the end user’s contact information, click Enable, as shown in Figure 11-3.
   The system displays a validation window to confirm your intent to enable MFA for the user.
6. Click the Enable Multi-Factor Auth button.
   The system processes the changes and displays the Updates Successful window.
7. Click the Close button.
   The Users tab of the Multi-Factor Authentication page is displayed.
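The portal steps above enable per-user MFA one account at a time, and the earlier guidance that every global admin must have MFA enabled is tedious to apply by hand. The following PowerShell script is an added example, not from the book or from Microsoft; it drives the same legacy per-user MFA state through the MSOnline module (Connect-MsolService, Get-MsolUser, Set-MsolUser, Get-MsolRole, Get-MsolRoleMember, which are real cmdlets). It assumes the MSOnline module is installed and that you sign in with Global Admin credentials; the function names Enable-UserMfa and Get-UserMfaStatus are my own, and user@contoso.example is a placeholder UPN.

```powershell
# Added example, not the book's own code. Requires the MSOnline module:
#   Install-Module MSOnline
# Sign in with Global Admin credentials (interactive prompt).
Connect-MsolService

function Enable-UserMfa {
    # Sets the per-user MFA requirement that the portal's Enable button sets.
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [ValidateSet('Enabled', 'Enforced')][string]$State = 'Enabled'
    )
    # One requirement object that applies to every relying party ("*").
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = '*'
    $req.State = $State
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @($req)
}

function Get-UserMfaStatus {
    # Returns the same status the Multi-Factor Auth Status column shows.
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $user = Get-MsolUser -UserPrincipalName $UserPrincipalName
    $req = $user.StrongAuthenticationRequirements | Select-Object -First 1
    # An empty requirements list is what the portal displays as "Disabled".
    if ($null -eq $req) { return 'Disabled' }
    return $req.State
}

# Enable a single user, as in the portal steps (placeholder UPN).
Enable-UserMfa -UserPrincipalName 'user@contoso.example'

# Enable every user holding the Global Administrator role. MSOnline still names
# that role "Company Administrator"; service principals in the role are skipped.
$roleId = (Get-MsolRole -RoleName 'Company Administrator').ObjectId
Get-MsolRoleMember -RoleObjectId $roleId |
    Where-Object { $_.RoleMemberType -eq 'User' } |
    ForEach-Object {
        Enable-UserMfa -UserPrincipalName $_.EmailAddress
        '{0}: {1}' -f $_.EmailAddress, (Get-UserMfaStatus -UserPrincipalName $_.EmailAddress)
    }
```

Run the status function before and after the change so the ticket records what was done. Because this sets the user to Enabled rather than Enforced, the user is still prompted to register verification methods at the next sign-in, exactly as after clicking Enable in the portal.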
You’ve done your due diligence and have communicated that MFA will be implemented in your organization. It’s now time for your end users to do their part.
The first step an end user needs to take is to register other methods for authentication. It is not enough that an end user is enabled for MFA; the end user also needs to complete the registration process. Here’s the fastest way for an end user to register for MFA:
1. Navigate to https://aka.ms/proofup.
   The sign-in page is displayed.
2. Enter your username and click Next.
   The Enter Password window appears.
3. Enter your password and click the Sign In button.
   The More Information Is Required window is displayed.
4. Click the Next button.
   The Additional Security Verification page is displayed.
5. Choose the appropriate option under Step 1, as shown in Figure 11-4.
   To follow along with the example, choose Mobile App.
6. Select Use Verification Code under the How Do You Want To Use the Mobile App? section, and then click the Set Up button.
   The Configure Mobile App window appears, as shown in Figure 11-5.
7. Follow the instructions and then click the Next button.
   In this example, I am using the Microsoft Authenticator app. After the app displays the six-digit code, the system displays the Verifying App window, and a notification appears in the Authenticator app asking me to Approve or Deny the sign-in request.
8. On your mobile device, in the Authenticator app, tap Approve, as shown in Figure 11-6.
   The Additional Security Verification page appears.
9. Click the Save button.
   The system processes the changes and then displays the Updates Successful window.
10. Click the Close button.
   The user’s Account page appears.
It happens. No matter how much you empower your end users to self-serve, they’ll invariably reach out to you for help with requests related to MFA. Or you may need to take action to mitigate a risk from a compromised device.
You manage user settings for MFA in the same location that you enabled MFA: the Multi-Factor Authentication page.
To get to the page, follow Steps 1 through 3 in the preceding section. But wait, there’s a shortcut! You can reach the same destination by simply navigating to the following link: https://account.activedirectory.windowsazure.com/UserManagement/MultifactorVerification.aspx.
From the Users tab of the Multi-Factor Authentication page, note the three statuses in the Multi-Factor Auth Status column:
If for some reason you need to remove the MFA feature for a user, select the enabled user from the list, and then click Disable under Quick Steps in the right pane.
If an enabled user’s device is compromised, click Manage User Settings under Quick Steps in the right pane. In the Manage User Settings window that appears, select one or more options, as shown in Figure 11-7. Then click the Save button.
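The Disable and Manage User Settings actions above have PowerShell equivalents, which matter when a compromised device is reported outside office hours and the response needs to be scripted and logged. The block below is an added example, not from the book or from Microsoft; it uses the MSOnline cmdlets Get-MsolUser and Set-MsolUser with the StrongAuthenticationRequirements and StrongAuthenticationMethods parameters, which exist in that module. It assumes Connect-MsolService has already been run with Global Admin credentials; the function names and the UPN user@contoso.example are placeholders of mine. Deleting app passwords is left to the portal.

```powershell
# Added example, not the book's own code. Assumes the MSOnline module is
# installed and Connect-MsolService has already been run as a Global Admin.
$upn = 'user@contoso.example'   # placeholder UPN

function Disable-UserMfa {
    # Equivalent of Disable under Quick Steps: an empty requirements list
    # returns the user to the Disabled status.
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @()
}

function Reset-UserMfaMethods {
    # Compromised device, option 1: clear every registered verification method
    # (Authenticator app, phone, and so on). The user stays Enabled/Enforced and is
    # asked to register again at the next sign-in, via https://aka.ms/proofup.
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationMethods @()
}

function Reset-UserRememberedDevices {
    # Compromised device, option 2: revoke "remember MFA on this device" without
    # touching the registered methods. Any device remembered before the timestamp
    # must complete MFA again; the existing Enabled/Enforced state is preserved.
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $user = Get-MsolUser -UserPrincipalName $UserPrincipalName
    $current = $user.StrongAuthenticationRequirements | Select-Object -First 1
    if ($null -eq $current) { throw "MFA is not enabled for $UserPrincipalName" }
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = $current.RelyingParty
    $req.State = $current.State
    $req.RememberDevicesNotIssuedBefore = (Get-Date).ToUniversalTime()
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @($req)
}

# Record what is registered before acting, so the ticket shows the starting point.
(Get-MsolUser -UserPrincipalName $upn).StrongAuthenticationMethods |
    Select-Object MethodType, IsDefault

# Typical response to a lost or compromised phone: drop remembered devices first,
# then force re-registration so the old Authenticator enrollment is gone.
Reset-UserRememberedDevices -UserPrincipalName $upn
Reset-UserMfaMethods -UserPrincipalName $upn
```

Prefer the two reset functions over Disable-UserMfa for an incident: disabling MFA removes the protection at the moment the account is most exposed, whereas clearing the methods and remembered devices keeps MFA on and simply makes the user enroll a trusted device again.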