Multi-factor Authentication & Office 365/ SharePoint Online

 

Multi-factor authentication (MFA) raises the confidence that a user is who he claims to be: the more independent factors used to verify a person’s identity, the stronger the assurance of authenticity.

Multi-factor authentication can be achieved using a combination of the following factors:

◾Something You Know – password or PIN
◾Something You Have – token, smart card or phone
◾Something You Are – biometrics, such as a fingerprint (using all three gives three-factor authentication)

Several months ago Microsoft provided multi-factor authentication to Office 365 tenant administrators, and it has recently been extended to normal users.

In Office 365 with multi-factor authentication enabled, users still provide their user ID and password as before, but must also present another credential from a registered device (“something you have”): basically, the smartphone.

The extra credential could be:

  • answering a phone call
  • providing a code received by SMS
  • approving a notification on a mobile device via the “Multi-Factor Auth” app (available on Windows Phone, iOS, Android)

Multi-factor authentication can be enabled user by user.

HOW TO activate MFA

In the O365 administration console, go to the list of users and, next to Set Multi-Factor authentication…, click on Setup:

 

image

In the next window that shows up, select the user account you want to set up and click Enable:

image

 

image

If you click on Enable multi-factor auth, your request will be registered and confirmed after a few seconds:

image
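The same per-user enablement, scripted instead of clicked, as an added example that is not part of the original post: it uses the legacy MSOnline PowerShell module (assumed installed) and a placeholder user principal name, and also reports which licensed users still have no MFA requirement and which verification methods the enabled users registered.

```powershell
# Added example (not from the original post): per-user MFA with the legacy
# MSOnline module (assumed installed via Install-Module MSOnline).
# The user principal name below is a placeholder.

Import-Module MSOnline
Connect-MsolService   # prompts for a Global Administrator credential

$userUpn = 'user@contoso.onmicrosoft.com'   # placeholder UPN

# A StrongAuthenticationRequirement with State = Enabled is what the
# "Enable" button in the admin console sets on the selected user.
$requirement = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$requirement.RelyingParty = '*'
$requirement.State = 'Enabled'
Set-MsolUser -UserPrincipalName $userUpn -StrongAuthenticationRequirements @($requirement)

# Audit: licensed users who still have no MFA requirement at all.
Get-MsolUser -All |
    Where-Object { $_.IsLicensed -and -not $_.StrongAuthenticationRequirements } |
    Select-Object UserPrincipalName, DisplayName

# Per enabled user: requirement state (Enabled until the user completes the
# first-login setup wizard, Enforced afterwards) and the registered methods,
# e.g. TwoWayVoiceMobile (phone call), OneWaySMS (text code),
# PhoneAppNotification (notify through app), PhoneAppOTP (one-time code in app).
Get-MsolUser -All |
    Where-Object { $_.StrongAuthenticationRequirements } |
    ForEach-Object {
        [PSCustomObject]@{
            User    = $_.UserPrincipalName
            State   = ($_.StrongAuthenticationRequirements | Select-Object -First 1).State
            Default = ($_.StrongAuthenticationMethods | Where-Object IsDefault |
                       Select-Object -ExpandProperty MethodType)
            Methods = ($_.StrongAuthenticationMethods | ForEach-Object { $_.MethodType }) -join ', '
        }
    }
```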

When the user logs in

As before, the user must select his account and provide his password:

image

The first time the user logs in, he will have to define the way he wants to be “extra” authenticated:

image

After clicking on Set it up now, the user will have to provide the preferred option (but he can select another one during the authentication process):

image

If the user clicks on the verification by default dropdown list, he will have to choose one of the following options:

image

  • option 1 “Call my phone”: he gets a phone call and presses #
  • option 2 “Text code”: he gets an SMS with a code and enters the code
  • option 3 “Notify me through app”: he has to install the “Multi-Factor App” on his device and click on a “Verify” button during the login
  • option 4 “Show one-time code in app”: the same app generates a code that he has to enter

If he selects option 3 or 4, he will have to configure the Mobile App options and click on the Configure button:

image

Clicking on “Configure” will display the following window:

image

[1° I’ve noticed that the look & feel of this window differs in Chrome:

image

2° I sometimes get server-side errors in IE when I save these settings:

image

]

Since the user has selected the phone call as his primary verification mode, he will get a phone call (from a US phone number) and will have to press # to proceed with the authentication. However, the user can still switch to the secondary verification modes he defined.

image

Indeed, afterwards, if the user clicks on “Use a different verification option”, he can still request another verification mode:

image

The “Notify me on my mobile device” option triggers the following prompt in the Multi-Factor app on the device:

image

And the user clicks on Verify:

image

If the user had selected Show one-time code in app, the device app would have generated a code like this:

image

…and the user has to fill it in:

image

Personal note: I don’t know if it is my configuration, but I’ve noticed that the authorization (with app) process is much slower with Chrome and sometimes fails.

What about Office client applications?

You can generate a code for Lync and Outlook, or you can exempt these two applications from multi-factor authentication:

image

For other Office client applications, the integration is not ready yet; here is what I get when I create a Word document from a SharePoint Online library:

image

 

Conclusions

  1. As long as you stay in the browser, MFA is fine
    • MFA can be used “with” Outlook & Lync
    • MFA cannot be used with other Office applications in SharePoint, but the Office team is currently working on it
  2. If you use MFA, don’t lose your phone ; –)
  3. Using MFA is straightforward
  4. It would be nice to be able to use MFA on some specific parts of Office 365, like in some “sensitive” site collections, and not everywhere