If you’ve been having problems with Microsoft Office 365 two-factor authentication (2FA), don’t stress – you’re not alone. In fact, there are a number of common problems users face. Thankfully, there’s a fix for each one. We have the steps you need to master 2FA below, but first, let’s cover the basics.
What is Two-Factor Authentication and how does it work?
Two-factor authentication – also known as multi-factor authentication (MFA) – is designed to give you added security by requiring two distinct forms of identification before granting you access to something. The first factor is something you know (generally, your password), while the second factor is something you have or something about you (most commonly biometrics, security questions, or a code sent to your smartphone).
To master multi-factor authentication in Microsoft Office 365, follow the easy steps below:
Step 1: Set up two-factor authentication for Office 365
When you or your admin team set up 2FA for your Office 365 users, you must also enable Modern Authentication (MA) for Exchange Online if users access Exchange using Outlook 2016 or later (versions of Microsoft Outlook before 2013 don’t support Modern Authentication).
The simplest way to do this is to open the Microsoft 365 admin centre. From here, open Settings → Org Settings → Modern Authentication. This should bring up a Modern Authentication flyout which you can simply click to enable or disable.
Step 2: Check app compatibility with 2FA
You shouldn’t have any problem using 2FA with Microsoft’s mobile Office apps, Outlook Groups, Office desktop apps, and OneDrive for Business. However, other applications may be incompatible, so make sure you test all the apps in your organization before enabling 2FA.
Step 3: Connect to Office 365 Security & Compliance Center PowerShell Using 2FA
If you set up 2FA for tenant administrator accounts, they can’t sign in to Office 365 using PowerShell. Instead, you must set up a specialised account for administrators. To do this, you must install the Exchange Online Remote PowerShell Module and use the Connect-IPPSSession cmdlet to connect to the Security & Compliance Centre PowerShell.
Important note from Microsoft: You cannot use the Exchange Online Remote PowerShell Module to connect to the Exchange Online PowerShell and Security & Compliance Center PowerShell in the same session (aka the same window). You need to use separate sessions of the Exchange Online Remote PowerShell Module.
This is what Microsoft recommends you do:
- Open the Exchange admin centre (EAC) for your Exchange Online. See Exchange admin centre in Exchange Online.
- In the EAC, go to Hybrid → Setup and click the appropriate Configure button to download the Exchange Online Remote PowerShell Module for multi-factor authentication.
- In the Application Install window that opens, click Install.
Windows Remote Management (WinRM) on your computer needs to allow Basic authentication, which it should do by default. If Basic authentication is disabled, you’ll get an error message. Once it is allowed, you should be able to sign in to the Security & Compliance Center PowerShell by using 2FA.
After you sign in, the Security & Compliance Centre cmdlets will be imported into your Exchange Online Remote PowerShell Module session and tracked by a progress bar. If you don’t receive any errors, you’ve done this successfully.
If you receive an error message, check the following requirements:
- Limit your open remote PowerShell connections to three. This prevents denial-of-service (DoS) attacks.
- Make sure the account you connect to the Security & Compliance Centre is enabled for remote PowerShell. For more information, see Enable or disable access to Exchange Online PowerShell.
- The TCP port 80 traffic must be open between your local computer and Office 365. It may not be if your organisation has a restrictive Internet access policy.
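The requirements above (WinRM Basic authentication, the three-connection limit, and TCP port 80) can be checked before calling Connect-IPPSSession. The script below is an added example, not part of the original article or Microsoft’s instructions; the function name Test-SccPreflight, the endpoint host default and the sample user principal name are assumptions to replace with your own values.

```powershell
# Added example: pre-flight checks for the connection requirements listed above.
# Test-SccPreflight and its parameter names are hypothetical, chosen for illustration.
function Test-SccPreflight {
    param(
        # Assumed Security & Compliance endpoint host; confirm it for your tenant.
        [string]$EndpointHost = 'ps.compliance.protection.outlook.com',
        # Connection limit stated in the requirements above.
        [int]$MaxSessions = 3
    )

    # 1. WinRM client Basic authentication. Reading the WSMan: drive may need an
    #    elevated prompt and a running WinRM service, so failures are reported.
    $basic = $null
    try {
        $basic = (Get-Item -Path WSMan:\localhost\Client\Auth\Basic -ErrorAction Stop).Value
    } catch {
        Write-Warning "Could not read WinRM client settings: $($_.Exception.Message)"
    }

    # 2. Remote PowerShell sessions already open in this window. Sessions opened
    #    from other windows or machines are not visible here.
    $open = @(Get-PSSession | Where-Object {
        $_.ConfigurationName -eq 'Microsoft.Exchange' -and $_.State -eq 'Opened'
    })

    # 3. TCP port 80 from this computer to the service endpoint.
    $tcp = Test-NetConnection -ComputerName $EndpointHost -Port 80 -WarningAction SilentlyContinue

    [pscustomobject]@{
        WinRMBasicAuthEnabled = ($basic -eq 'true')
        OpenSessions          = $open.Count
        SessionSlotsLeft      = [math]::Max(0, $MaxSessions - $open.Count)
        Port80Reachable       = [bool]$tcp.TcpTestSucceeded
    }
}

$result = Test-SccPreflight
$result | Format-List

if ($result.WinRMBasicAuthEnabled -and $result.Port80Reachable -and $result.SessionSlotsLeft -gt 0) {
    # Placeholder account; the MFA prompt appears in a sign-in window.
    Connect-IPPSSession -UserPrincipalName 'admin@contoso.example'
} else {
    Write-Warning 'One or more requirements are not met; review the values above before connecting.'
    # Close sessions you no longer need with: Get-PSSession | Remove-PSSession
}
```

Run it inside the Exchange Online Remote PowerShell Module window, since Connect-IPPSSession is only available there.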
Step 4: Enable multi-factor authentication in the Office 365 Admin Portal
You can enable multi-factor authentication for users individually or in bulk. Before continuing, be sure to install Microsoft Authenticator (not Google Authenticator) on each user’s mobile device. Here’s what Microsoft says to do to enable two-factor authentication one user at a time:
- Log in to the Office 365 admin portal using an administrator account.
- In the menu on the left of the portal, expand Users and Active users.
- In the list of users, click the user for whom you want to enable 2FA. Note that only licensed users can use 2FA.
- In the user’s pane, click Manage multi-factor authentication under More settings.
- On the multi-factor authentication screen, select the user account to enable, and then click Enable under quick steps on the right.
- In the About enabling multi-factor auth dialog box, click enable multi-factor auth.
The MULTI-FACTOR AUTH STATUS should change to Enabled. Close the browser window, and sign out of the admin portal.
Step 5: Enroll accounts for multi-factor authentication
Once the feature has been enabled, the user must enroll for MFA: sign in to Office 365 with their username and password, and then click Set it up now on the sign-in screen. From here, follow Microsoft’s instructions below:
- On the Additional security verification screen, select Mobile app.
- Select Receive notifications for verification.
- Click Set up.
- Open the Microsoft Authenticator app on your phone and click Scan Barcode.
- Use the camera on your phone to scan the barcode in the Configure mobile app window. You’ll need to wait a couple of seconds while the app activates the new account.
- Click Finished in the browser window.
- Back on the Additional security verification screen, click Contact me.
The user will receive a notification on their phone. When they open it, they’ll be taken to the Microsoft Authenticator app. From here, take the following steps:
- Click Verify to complete the sign-in process.
- Click Close in the Microsoft Authenticator app.
- In the browser window, enter a number to receive verification codes in case the user loses access to the Microsoft Authenticator app.
- Once the correct number has been entered, click Next.
Web-based and mobile apps can use Microsoft Authenticator app verifications for two-factor authentication login, but Office desktop apps require an app password.
Step 6: Create an app password for Office desktop apps
This is the quickest and easiest of the six steps to mastering Office 365 Two-Factor Authentication. Here’s all you need to do:
- Copy the app password by clicking the copy icon to the right of the password and paste it somewhere safe.
- Click Finished.
- The user will be prompted to sign in again – this time by verifying the login using the Microsoft Authenticator app.
Important note from Microsoft: If you want to use only Multi-Factor Authentication for Office 365, do not create a Multi-Factor Authentication provider in the Azure Management Portal and link it to a directory. Doing so will take you from Multi-Factor Authentication for Office 365 to the paid version of Multi-Factor Authentication.
We hope these steps have helped you successfully find your way through the complicated 2FA process. Implementing the proper settings for two-factor authentication in Microsoft Office 365 isn’t always straightforward. However, it’s an essential aspect of strong cybersecurity.
If you have any remaining questions regarding multi-factor authentication in Office 365, feel free to contact Invotec – our Microsoft experts are always happy to help.