2FA with Office 365 - idiot's guide?

Mick
Cambridge, UK
I've been asked to set up 2FA for a couple of 365 hosted email accounts. One client is using stand-alone Office 2013 on their laptop, the other has Office 2016. Now, although I've enabled 2FA in quite a few situations with various bits of kit, somehow, up until now, I've never been asked to do it with 365. I was just wondering if there are any gotchas to watch out for or maybe an idiot's guide? From what I can see, you need to enable 'modern authentication' at the 365 admin UI - what does the client then need to do at their end? Not clear on that and Google isn't helping much. Just to help things along, I'm not permitted to be on-site, so anything I do needs to be able to be done remotely. I'll probably use Anydesk for that.
 
By default all tenants have security defaults enabled, which enforces 2FA on all user logins, so there's nothing to set up.

So, if you want control you have to go into the Azure tenant and disable security defaults. After that, it's all under the multi-factor button at the top of the active users list in the O365 portal. You just flag a mailbox to enable, and the user logs in on portal.office.com and it walks them through enrolling their phone. It's not hard.
 
Thanks. I think this is an old 365 setup - security defaults were not enabled when I checked them. I just wanted to be sure I was telling them right next time they cranked Outlook up. I'm mostly residential, so I don't see as much of this sort of stuff as I guess you do.
 
Thanks - that's saved me an hour with Google! ;) I'll tell them about the EOL but (as for so many users) it's going to be water off a duck's back.

Client: "Does that mean it won't work?"

Me: "No, but -"

Client: "OK - well, we'll buy a new one when this one breaks."

I get a lot of this...
 
Then you get a second payday in October when it all stops working and they get to pay for the 2nd downtime.

For ethical reasons I'd point that out to them, in WRITING. Then you can enjoy your 2nd payday without any issues.
 
I'm doing a migration of a client this week and each day getting several users set up on it....for Teams, OneDrive, etc. Retiring their old on-prem server. Moving to "The Cloud".

I have clients download the Microsoft Authenticator app...ahead of time. Send out an email explaining how to do so. Saves you time on the phone; there's always a few users that have an iPhone and don't know their Apple ID, which is required to install from the App Store...so you don't want to deal with that time waster while on the phone.

Once they have that installed, you can then schedule your remote session.
Once I'm doing the phone/remote session with them, I have their 365 tenant open on my computer, I enable MFA on their account.
I remote into their computer....I then open office.com on their computer's browser....username....password....and then the expected "Additional information is required" dialog box kicks in.
I prefer the "Approve/Deny" method via the Authenticator app...so I select the radio button and download menu choices for Auth app and send request to phone.
I have the user open the app, skip the backup stuff, go to add account, Work/School out of the 3 choices, allow app to access camera....hold camera up, I click next...have them grab the QR code, send the test..they approve...and then fill in the cell phone number in the next screen as the alternate method for the old fashioned text code to phone approach.

On their computer, log out of office.com, log in...test...show them the ropes.
Now close any Office apps...and open...I usually pick Word first...I have them log out of Word (if 365 sourced)...log in...username, password..approve MFA. It will also ask to manage computer, have a check in the box. Same with Teams, same with OneDrive. OneDrive sometimes slower....sometimes a reboot of the rig to settle OneDrive in.

Some computers won't adjust to it...so clear the app logins in Credential Manager...and run through the logins again.

Now, when you're at the office.com as Admin....and you see the list of users...there's the "Manage Multifactor" box along the top. If not there...hit "refresh" when you're at the top of the users list.

I'm wanting to find out more info...but this is a "basic" MFA control. Somehow different from the MFA control when you're over in Azure Admin. You can have one say "enabled" and the other say "disabled"...and it'll be enabled.
I'm "guessing" that when you enable MFA on the Azure admin side....it allows the control within "conditional access". Such as...never ask for MFA when the request comes from <WAN IP of client's office>. Or from Azure managed devices (you know, that "allow this device to be managed" checkbox you tick at the app sign-in?).
 

What is the end-user experience once 2FA is up and running? Do they have to enter a code each time they open Outlook? Can you do conditional access without getting Azure involved? I've been dragging my feet a bit on this until, well, I guess until I understand it better. Will it work with Google Authenticator for those folks already using that platform?
 
Conditional Access is flat not available until you have the E level subs.

You can configure how 2FA works, I always disable the ability to do app passwords, and disable SMS based auth. During the phone's enrollment you have the option of doing the code thing, or app notification. The latter is vastly more preferred, it's both easier and more secure. BUT, I do admin logins via code, at least the one I'm going to be using. Because if I click the setup without notifications link, I can configure a generic TOTP auth to work, like my Bitwarden, and have a single TOTP protected admin login that I can share with others if needed.

You CAN use that mechanism with Google auth... but why? You're typing in codes, let your user push the blasted button! It makes them immune to the most recent TOTP phishing campaigns as well as make things easier. Use MS Auth!

Apple users get to unlock their phones before they authenticate because if they don't, they lose the notification during the unlock process and get to send another push. Otherwise, user logs into 365 from anywhere as normal, app pops on their phone with accept and reject buttons. Push button on phone, login happens and off they go.
 
Much appreciated. I'm starting to feel quietly confident...which is always a worrying sign...
 

So....when you're running through that initial setup, and you select the "authentication app" for the choice, you have that radio button choice where the top one is "notification to app" or something like that....THAT is what I choose. After that MFA wizard is completed...launch an app, or...log out of office.com and back in, and you'll see that 3rd window...after 1) username, and 2) password...the 3) will be sending notification. Your phone's auth app will have a popup to "allow" or "deny". I prefer that because it is easiest...and quickest. Else, the default for the auth app is the OTP...that 6 digit number that changes every 30 seconds. I think that's harder for people to deal with...esp. say, you're setting up the Outlook app on the phone, and you have to flip between screens...trying to get that 6 digit code before it changes again. When you select the "notification" option like I prefer...you just have to hit the Allow or Deny prompt on the phone.

No you do not have to deal with the MFA every time you boot up and log in. The computer will get "blessed" for a while. I think technically the answer is "it will keep the MFA token for up to 90 days" if a device stays logged in. Such as, your computer is always up and running, and say, Outlook is always left up and running. Else, if you reboot a lot or shut down frequently....I think MFA lasts for 2x weeks by default.

But here is where you can alleviate the annoyance for customers (and one of the many selling points to raise the subscription level)...Conditional Access. Now you have options in there...qualifiers....where you can say "only MFA if NOT the following"....and you can choose options such as managed devices (devices which joined Azure...ya know, such as that checkbox when signing a device in), or...comes from an IP of <WAN IP of office>. You can also choose what gets MFA rules...such as apps, or web only, etc.

For Office 365....yes, was only included with E subs...or....if you have Biz subs but added the Azure P...err...1 or 2....OR...you had EMS either E3 or maybe E5. BUT...they are now including it in Microsoft 365 Business. So as your clients migrate from O to M..look for that to show up and use it!
 
I do notice that on some iPhones...the MS Auth app won't pop up the "allow/deny" prompt unless they go to the auth app. On Androids..it just has to be running in the background.
 

I'm concluding from your answer that the MSAuth app is "active" (the app pops up with a message akin to "Allow Microsoft Outlook?" and the user just has to tap "OK") vs. the Google Authenticator app which is "passive" (user has to open the app, look for the rolling code and enter it).

My comment about the Google app was just in the interest of adding it to a process they were already familiar with as opposed to making them learn something new - but if the MS app is active as I describe above, then there is nothing to learn.

I've been on the Google Authenticator app for quite a while now, so personally, that's all I use - I must have 20 accounts in that. Now I want to try the MS app - haha.

Edit - our posts crossed @YOSC - got it. I'm going to just set this up with the MS app for my own account (which is what I should have done originally), then I'll get some first-hand experience and can talk more intelligently with clients about it.
 
Well - so far so good, so thanks, everyone. Two working laptops! I've now been presented with two Nokia phones that "used to get email until you...."
 
Now for a twist...
What I "don't" like about the MS Auth App is....backing it up.
Right now I have 12 accounts in it. Mostly work stuff....PAX8, N-Central, Datto, 365, Ubiquiti, Syncro, Splashtop, etc etc...and personal ones too...LinkedIn, my Microsoft personal account, Facebook, Gmail, etc.

MS Auth didn't have a way to back it up for a while. A year ago or so, they added it. BUT....only to a Microsoft "personal" account.
While that works for me...to be honest, "most" of our clients won't be capable of wrapping their heads around MS personal vs MS Work account.
And you still gotta re-do the QR code for each one anyways..it's like the restore is half baked!

Almost makes me want to recommend some other Auth app like Duo. Get on the reseller program there.

For our clients, when I have them do the MS Auth App....if they get a new phone (like I had a client call yesterday for this)..it's easy enough to redo it. Under the Auth app settings within the user's 365 account you'll see an entry for the old phone; be sure to delete that one. You'll see each device that was set up with an auth app.
 
MFA lasts for two weeks, but you can configure it to last up to two months. I always shove it to the max, the duration is in the MFA settings, which is a bit of grey text above the list of people when you're enabling MFA. It's a link, but it looks like text... so it's almost hidden.
 

Possibly using the native/built in email app?
I only recommend/support the MS Outlook app on the phones.
The built in native email client on iPhones or Androids.....it's like Outlook Express to me. Use the full Outlook app...just works better anyways, far less headaches, and replicates the true Outlook experience...calendar, contacts, subfolders, accessing shared mailboxes, etc.
 
Yeah - thanks for that. Was having no luck using the Auth app with the native mail client. DL'd the Outlook app and sailed through it - thanks again.
 