Multi-factor authentication (MFA) ensures that a user is who he claims to be. The more factors used to establish a person’s identity, the greater the confidence in its authenticity.
Multi-factor authentication can be achieved using a combination of the following factors:
- Something You Know – password or PIN
- Something You Have – token or smart card or phone call
- Something You Are – biometrics, such as a fingerprint (three-factor authentication)
Several months ago Microsoft provided Multi-Factor authentication to Office 365 tenant administrators and has recently extended it to normal users.
In Office 365 with Multi-Factor authentication enabled, users still have to provide their user ID and password as before, but must also provide another credential from a registered device (“Something You Have”), basically the smartphone.
The extra credential could be :
- answering a phone call
- providing a code received in an SMS
- responding to a notification on a mobile device via the “Multi-Factor Auth” app (available on Windows Phone, iOS, Android)
Multi-Factor authentication can be set user by user.
HOW TO activate MFA
In the O365 Administration console, go to the list of users and, next to Set Multi-Factor authentication…, click on setup :
In the next window that shows up, select the user account you want to set up and click Enable :
If you click on enable multi-factor auth, your request will be registered and confirmed after a few seconds :
When the user logs in
As before, the user must select his account and provide his password :
The first time the user logs in, he will have to define the way he wants to be “extra” authenticated :
After clicking on Set it up now, the user will have to provide the preferred option (but he can select another one during the authentication process) :
If the user clicks on the default verification dropdown list, he will have to choose one of the following options :
- option 1 “Call my phone call” : he gets a phone call and he presses #
- option 2 “text code” : he gets an SMS with a code and he provides the code
- option 3 “Notify me through app” : he has to install the “Multi-factor App” on his device and click on a “verify” button during the login
- option 4 “Show one-time code in app” : the same app will generate a code that he will have to provide
If he selects options 3 and 4, he will have to configure the Mobile App options and click on the configure button :
Clicking on “configure” will display the following window :
1° I’ve noticed that the look & feel of this window differs in Chrome :
2° I sometimes get server-side errors in IE when I save these settings :
Since the user has selected the phone call as his primary verification mode, he will get a phone call (from a US phone number) and he will have to press # to proceed with the authentication. However, the user can still switch to other secondary verification modes (as defined by himself).
Indeed, afterwards, if the user clicks on “Use a different verification option”, he can still ask for another verification mode :
Choosing Notify me on my mobile device will trigger the following options in the Multi-Factor app (on the device) :
And the user clicks on Verify :
If the user had selected Show one-time code in app then the device app would have generated a code like this :
…and the user has to fill it in :
Personal note : I don’t know if it is my configuration, but I’ve noticed that the authorization (with app) process is much slower with Chrome and sometimes fails.
What about Office Client applications ?
You can generate a code for Lync and Outlook, or you can avoid multi-factor authentication for these 2 applications :
For other Office client applications, the integration is not ready yet : here is what I get when I create a Word document from a SharePoint Online library
- as long as you stay in the browser, the MFA is fine
- MFA can be used “with” Outlook & Lync
- MFA cannot be used with other Office applications in SharePoint, but the Office team is currently working on it