Setting up 2 factor authentication for Office 365

Recently Microsoft has enabled 2 factor authentication for all Enterprise Office 365 tenants at no additional cost. Their offering is based on PhoneFactor’s 2 factor authentication system, a company Microsoft bought a couple of years ago. Setting this feature up for Office 365 accounts is fairly easy, but there are a couple of “tricky” parts that could use a bit of clarification so I thought I would run through the process for you here.

The first step is to log into the Office 365 admin center at portal.microsoftonline.com. Once logged in, navigate to the users and groups tab. At the top center of the screen you see “Set Multi-Factor authentication requirements:” with links to Set up and Learn more.

Clicking on the Set up link will take you to the 2 factor authentication setup page. On this page there is a link to the multi-factor auth deployment guide. I clicked this link and quickly reviewed this document. I do have to admit I have not put a lot of time into reviewing this document, but I found this document to be almost completely worthless. I think the problem is that Azure has several different ways to do multi-factor authentication for different products. I did not see any Office 365 specific instructions.

Moving past the lack of useful instructions, you have 3 options for each user; “Enabled”, “Enforced”, or “Disabled”. First I tried “Enabled”, and it turns out I have no idea what this option does. I would assume it gives you the option to use 2 factor authentication, but does not require it. I set my account to “Enabled” then logged out and logged back into the portal. I did not notice any difference. I assume it must do something, but it’s going to take some more fiddling on my part to figure out what.

When you Enable or Enforce multi-factor auth, a pop-up comes up that says to tell users to go to http://aka.ms/MFASetup to configure their settings. The problem I have is that enabling or enforcing multi-factor auth is the only way to find this link. That link is not normally displayed anywhere on this page.

Following that link take you to the configuration page for your multi-factor authentication. There are two sections on this page; “additional security verification”, and “app passwords”. The app passwords section is to create a new separate password that works with applications like Outlook. In other words, when you enforce multi-factor authentication you’ll need to use this new password for Outlook. The additional security verification page is fairly straight forward. I configured my account using the multi-factor auth app (not to be confused wit hthe Microsoft authenticator app) in the Windows phone store, which was pretty easy. I do not have an iPhone or Android device to test with, but I assume they work about the same. I also setup SMS messages to my mobile phone for testing, which was also very easy to do.

After setting up multi-factor auth, as I mentioned above, I started getting pop-ups from my Outlook client. I needed to enter the “app password” into Outlook to get it to stop. Once that was done, I was all good to go.

…and that is pretty much it. 2 Factor authentication is fairly straight-forward to get going, but the lack of documentation is a little disappointing.