What do you use for 2-factor authentication & Office 365?

thecomputerguy

I have a client whose account was recently compromised and he decided that he wanted to get 2FA (also known as MFA) going for his Office 365 accounts consisting of E3, Essentials & Business Premium. Initially I thought OK no problem, I'm pretty positive MS has 2FA built-in and I just need to get it configured.

So I enable 2FA for his account to test. We log in through portal.office.com and set up 2FA with his cell phone via text message.

I assumed that any device moving forward that attempted to log in to his account would trigger a 2FA text to his cell phone. Nope, all of his devices stopped receiving mail altogether without any 2FA prompt.

Turns out, even though they use O365 and Office 2019, Outlook only works if I set it up with the app password that is created when 2FA is enabled for the user, which is absolutely DISGUSTING to have to work with.

Is there any way to make this work like Gmail so that when a login is attempted you just need to verify it's you via text? Or is there some other way to do 2FA with O365? It seems like it should be so easy to set up and it's just ... not.

The client mentioned that one of his clients uses a service called duo.com
 
You may have to enable "Modern Authentication" in Office 365

Connect to Exchange Online with PowerShell and run
Get-OrganizationConfig | ft OAuth2ClientProfileEnabled

If the above command returns False, you need to run
Set-OrganizationConfig -OAuth2ClientProfileEnabled $True

https://docs.microsoft.com/en-us/ex...able-modern-authentication-in-exchange-online



Outlook 2016 & 2019 have Modern Authentication enabled by default. 2013 requires a registry key (Google it).

For Apple you need iOS 11 or higher (preferably 12+).

Android mail app doesn't support it. You need to use the Outlook app or another 3rd party app may support it.

You may also find you need to remove and re-add the account on devices so they can re-configure with the new settings.
 
2FA via text is built into O365, no PowerShell required. Just log into the admin panel, hit active users, click the more button and select the aptly named multifactor authentication setup. (Note the bolded words at the top, that setting is a LINK... stupid UI)

Duo does have a 365 product, but it's a bloody NIGHTMARE to get working. It's pretty cool once you do get it working.

Oh, and those app passwords? Yeah... get used to them. Because you see, even in Office 2019, unless it's the click-to-run version... two-factor doesn't work. I just went through this myself just a week ago. I was trying to get my brand new E3 on-prem apps to work... nope... app password only. SOME of my remote installs running Office Premium still on Office 2016 can do multi-factor, but my E3 CANNOT.

Now the web login, 2FA can be done via a call to the listed phone, text to the listed phone, notification through Microsoft Authenticator, or a verification code from any TOTP token system. I use Bitwarden as my TOTP client currently, works great. But the USER has to do all the enrolling, because that's how all this crap works. Users must learn to manage this junk because it's another password, their problem to reset.
 
I just looked at the user's computer and for some reason he is using Office Pro Plus MSO (16.0), which seems weird to me.

My question is though ... if we're required to create app passwords for Outlook (assuming modern auth doesn't do its job, like it hasn't in your case) then what is the point of the app password if a phishing site gets hold of that app password?

All we've done is swap the user's real password (aka P@ssw0rd1!) for an app password of giencviwotnvdvuiweui

Seems like we're just trading one evil for another. Sure it protects OWA nicely but the idiot users will just hand over their app password instead of their actual email password...

Would the app password prevent a bot from using SMTP to send mass spam?
 
As far as I understand it, Exchange remembers a specific device, and the app password can only be used by that one device. I've actually got two on my account, because I couldn't use the same one for my laptop and my desktop. It's also not visible in your account after generation, you have one chance to copy / paste it. You're not supposed to write it down.

But yes, if a trojan or something gets on that machine and decrypts the password, there's every possibility of illicit mailbox access. But, there is no possibility of loss of the account's control, or use of admin functionality.

So it's better... but certainly not best.

Office Pro Plus is what gets installed by E3 and up, or the ProPlus subscription. That's not how Office Premium manifests.
 
This is not entirely true because I grabbed an app password for him to use because I needed his email working again and the same app password appears to have worked on his Laptop, Desktop, and iPhone.

Thanks for the refresher on E3 I forgot that it installs Pro Plus.
 
First..enable modern auth.
Next..recognize that "the old way"....using app passwords, is clunky. App passwords are now really just for legacy apps....like, Office 2013 or older. The new way....just approve via prompt to your phone, or type in the quick code you get via the Auth app.

BTW, Microsoft's Authenticator app is much like the others... they all work about the same. I have my MS Auth app handle my O365, my N-Central RMM 2FA, my Google account 2FA, and my Facebook 2FA. I don't want or need a bunch of different MFA apps on my phone.

Don't want to deal with codes? Easy... O365 and the MS Auth app support just an "Approve/Deny" push on your smartphone's screen. Don't even have to log into your phone, the prompt jumps to the top of the screen.

I just set up 3x new laptops for myself in the past couple of days... was easy peasy to set up and get my O365 apps downloaded, Outlook set up, Teams set up, OneDrive set up, SharePoint set up. Just a few touches of my finger over the "Approve" prompt on my phone... easy peasy done!

But wait, there's more! You can make it even easier for your clients... if you add on the Azure Premium 2... which I do via the EMS E5 add-on license, you can set up "Conditional Access". Yup... it is what it sounds like. If computers are joined to Azure AD... you can bypass the need for 2FA. If the computers come from a "Trusted IP" (that you set up via your client's static WAN IP)... they can bypass the need for 2FA. BUT (and here's what's important)... if the login comes from OUTSIDE the office... (like... overseas...)... it gets a 2FA challenge. You can even specify what apps get the MFA challenge (of course safest bet is ALL).

There's also the basic "send a code via text to phone".
Or...have an Auth app generate a code for you every 30 seconds (the TOTP thing).

But I enjoy the "approve/deny" prompt on the phone... keeps it quick and easy. Esp. when setting up apps on the smartphone... don't have to deal with flipping screens back 'n forth.
 
And for security purposes... that EMS E5 license on your global admin accounts allows you to go set up a lot of good watching over of accounts, and "Risky Behavior" alerts... you'll get dashboards of users that got put into the high risk list if a login occurred from outside the designated region. Like at a client of mine... each week I review those, and check with the office manager "Hey, did so and so just go to Mexico? Or did so and so go to Germany?" And she'll say "Yeah they were on vacation". But when she tells me "No"... when I ask if someone traveled to Southeast Asia and logged in, then we know someone's password probably got phished and it's time to change the password and go into damage control.

There's a lot of good visibility in that dashboard.
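The two ideas in these last two posts, a Conditional Access policy (trusted office IP or Azure AD-joined device skips the MFA challenge, everything else gets one) and the weekly "who signed in from outside the region" review, can both be expressed over the same sign-in records. The following is an added example, not the thread's or Microsoft's code: the sign-in events are constructed JSON lines only loosely modelled on an Azure AD sign-in log export, the trusted network and home region are hypothetical, and the decision logic is a simplified model of the policy described above rather than the real Conditional Access engine.

```python
"""Simplified Conditional Access decision plus an out-of-region sign-in review.

Added example, not from the thread. Sign-in records, network ranges and the
home region are constructed; the policy mirrors the one described in the
thread (trusted IP or Azure AD-joined device bypasses MFA), not a real tenant.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
import json

# Constructed policy inputs (hypothetical tenant)
TRUSTED_NETWORKS = [ip_network("203.0.113.0/29")]   # client's static WAN block (TEST-NET-3, constructed)
HOME_REGION = {"US"}                                 # the "designated region" for the weekly review
TRUSTED_DEVICE_TYPES = {"Azure AD joined", "Hybrid Azure AD joined"}

# Constructed sign-in events, one JSON object per line as an export might look
SAMPLE_SIGNINS = """
{"user": "alice@example.com", "ip": "203.0.113.5", "country": "US", "app": "Outlook", "device_trust": "Azure AD joined"}
{"user": "alice@example.com", "ip": "198.51.100.7", "country": "MX", "app": "OWA", "device_trust": "None"}
{"user": "bob@example.com", "ip": "203.0.113.6", "country": "US", "app": "Teams", "device_trust": "None"}
{"user": "carol@example.com", "ip": "192.0.2.44", "country": "VN", "app": "Exchange ActiveSync", "device_trust": "None"}
{"user": "carol@example.com", "ip": "192.0.2.45", "country": "VN", "app": "OWA", "device_trust": "None"}
{"user": "dave@example.com", "ip": "198.51.100.9", "country": "DE", "app": "Outlook", "device_trust": "Hybrid Azure AD joined"}
"""


def parse_signins(text):
    """Parse JSON-lines sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def mfa_required(event, trusted_networks=TRUSTED_NETWORKS,
                 trusted_devices=TRUSTED_DEVICE_TYPES, covered_apps=None):
    """Return True when the policy would issue an MFA challenge for this sign-in.

    covered_apps=None means the policy applies to ALL apps (the thread's
    "safest bet"); a narrower set leaves every other app unchallenged.
    Any single bypass condition (trusted device OR trusted network) suffices,
    so a joined laptop signing in from abroad is NOT challenged by this policy.
    """
    if covered_apps is not None and event.get("app") not in covered_apps:
        return False
    if event.get("device_trust") in trusted_devices:
        return False
    addr = ip_address(event["ip"])
    if any(addr in net for net in trusted_networks):
        return False
    return True


def out_of_region_report(events, home_region=HOME_REGION):
    """Group out-of-region sign-ins by user, for checking against known travel.
    Returns {user: sorted list of foreign country codes}."""
    seen = defaultdict(set)
    for ev in events:
        if ev["country"] not in home_region:
            seen[ev["user"]].add(ev["country"])
    return {user: sorted(countries) for user, countries in seen.items()}


if __name__ == "__main__":
    events = parse_signins(SAMPLE_SIGNINS)
    for ev in events:
        verdict = "challenge" if mfa_required(ev) else "bypass"
        print(f'{ev["user"]:20} {ev["country"]}  {ev["app"]:20} {verdict}')
    print("ask the office manager about:", out_of_region_report(events))
```

Running it shows the caveat the policy carries: dave's hybrid-joined laptop signing in from DE is never challenged, because device trust bypasses regardless of location, so the out-of-region review is what catches that case, not the policy. Narrowing covered_apps (say, to Outlook only) silently leaves OWA and ActiveSync sign-ins unchallenged, which is why the post recommends applying it to all apps.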
 
My first mistake was that modern auth was not enabled ... I thought it was because articles stated that modern auth was enabled by default now, but apparently not for older Office 365 accounts. So I enabled modern auth and it seems to be working much better/the way I want it to without having to use app passwords (which is not an option).

By enabling MFA does it apply retroactively? What I mean by that is do all existing users who are already currently logged into their Outlook/iPhones etc. trigger the MFA setup, or do they need to go and manually set up MFA by logging into OWA to trigger it?
 
I "believe"..(and hope)...it kicks in on their next password change. I have upgraded older clients to mod auth..and I've not had a rash of users call me with issues. As I too..wondered that when I flipped the switch.
 
So far I've tested 2 additional users. It appears that enabling MFA does trigger a re-login for existing users. One of those users was W10 and the other W7 (both with up to date installations of O365).

I disabled all other options for MFA except code via text to streamline the setup process for the end user.

Both users were able to get through the MFA setup process without my help, so we are going to roll out MFA to the existing 10 users on Monday.

There were a couple of quirks I encountered. One was that it takes 15-30 minutes for MFA to actually enable after enabling MFA for the user. The other I am unsure about is how users who do not have access to their computer but have the email set up on their phone would react to the enabling of MFA. I assume that if the user is using a modern phone then the MFA setup should also trigger on their phone and they should be able to complete the process using their smartphone and then just authenticate via text when they return to their desk and attempt to use Outlook.
 
Good God...

You know when you open a trouble ticket with O365 support, and they don't know this crap...

*Edit* So a couple hours later I notice my desktop Outlook is finally complaining for authentication... a reboot later it's not working but I can see the new login web UI in the window. After nuking my profile, and making a new one, Bob's your uncle. Properly 2FA'd Outlook!

Now I just have to wait for this poor thing to download several GB of mail again... oh well.

@thecomputerguy I know the Outlook mobile app does a great job of that, I'm personally using Nine Folders and it properly 2FA'd even using modern tools without the modern mode being enabled. It was literally only the desktop Outlooks themselves that wouldn't cooperate.
 
I feel your pain ... usually I can tell pretty quickly how well that ticket is going to go based on how good the English is. That and when I explain the issue and tell them that I know what needs to be done to resolve it I just don't know how to do it because the Admin center is SO F'ING extensive, and they start running me through basic troubleshooting that I would have already done hours and hours prior to that.

I can't say that I've ever had exceptional service in the Admin center for O365 but it is better than most of the customer support out there.

Glad you got it working ... Now that I've learned MFA at least in the O365 sense I'm going to offer it to my other clients. Not bad ... in this month alone I've gotten decently versed in SharePoint document libraries, Teams, and now MFA.

$$$$
 
I'm making very much the same progress, I'm also up to my eyeballs in Pluralsight training materials on the subject.

A keynote I've recently struck on, you do NOT want to enable modern authentication if you have anything older than Outlook 2012 deployed, now I know Outlook 2010 dies next October, but having those users just fall off because you set a variable to true would be embarrassing.

P.S. The engineer that called me last Sunday to work on this was very much in the US somewhere, or at least an Expat... he knew too much about our contemporary culture. So even the location of support doesn't help.
 
Interesting ... does MA bork app passwords in older clients?

I know MS is not the only one to use app passwords but I wonder how any company expected end users to understand app passwords. Thank goodness I wasn't tasked with enabling MFA or 2FA with app passwords being the primary means of doing so.
 
The app password is supposed to satisfy legacy Outlook/legacy app clients... so you can enable modern auth for a client's tenant even when they have a couple of computers on the ancient versions. We got a marina client set up on MFA after they got phished twice... they have a few old PCs.
 
@thecomputerguy Yes, but kicking on MA and then enabling MFA forces the change to the app password in an ungraceful way, I just did it to myself just to see, and it required blowing up the Outlook Profile to sort it.

It's less a show stopper and more be ready for some corrupted profiles.