Verification of Step-by-Step Methods to Prevent Account Sharing in Microsoft Office 365

Junghyun Hwang 0 Reputation points
2024-09-03T23:39:17.49+00:00

Hello,

I’m looking to implement security measures in Microsoft Office 365 to prevent users from sharing their accounts externally. I have compiled the following step-by-step methods based on information I received from Microsoft AI. Could you please review these steps and confirm if they are accurate and complete?

1. Multi-Factor Authentication for Identities in Microsoft 365

To configure MFA for your users:

  • Sign in to the Microsoft 365 admin center with your admin account.
  • Go to the Users > Active users page.
  • Select the user for whom you want to enable MFA.
  • Click on "Enable" under "Multi-factor authentication" in the right pane.
  • In the confirmation dialog box, click "Enable multi-factor auth."
  • The selected users will now be required to set up MFA the next time they sign in.

2. Sign Users Out of Microsoft 365 Web Sessions After a Period of Inactivity

To implement Idle Session Sign-out:

  • Sign in to the Microsoft 365 admin center with your admin credentials.
  • Go to the SharePoint admin center.
  • In the left pane, select "Policies."
  • Under "Session management," select "Idle session sign-out policy."
  • Select "Edit" to modify the policy.
  • In the "Idle session sign-out policy" pane, select "On."
  • In the "Sign out after" field, enter the number of minutes of inactivity before the user is signed out.
  • In the "Show a message" field, enter the message you want to display to users before they are signed out.
  • Select "Save" to save the policy.

3. Administrator Approval Before a User Login from a New Device in Microsoft Office 365

To configure this security measure using Azure Active Directory Conditional Access policies:

  • Sign in to the Azure portal using your administrator credentials.
  • Go to Azure Active Directory and select Conditional Access.
  • Create a new policy by clicking on the "+ New policy" button.
  • Give the policy a name and configure the following settings:
    • Assignments: Select the users and groups to which the policy applies.
    • Cloud apps or actions: Select Office 365.
    • Conditions: Select "Device state" and choose "Device platform" as "Any device."
    • Access controls: Select "Grant" and choose "Require device to be marked as compliant."
    • Session: Select "Use app enforced restrictions."
    • Enable policy: Set it to "On."
    • Save the policy.

Please let me know if there are any inaccuracies or improvements needed in these steps. Your assistance would be greatly appreciated.

Thank you!

Best regards, Junghyun Hwang

Microsoft 365 and Office | Install, redeem, activate | For business | Windows
Microsoft Security | Intune | Security

1 answer

  1. Pauline Mbabu 1,080 Reputation points Microsoft Employee
    2024-10-28T08:20:35.1366667+00:00

    Hello @Junghyun Hwang ,
    Thank you for your question.

    The steps highlighted are correct. However, here are a few additional points you might find useful:

    1. Multi-Factor Authentication: The highlighted steps are correct. You may also consider setting up MFA for all users, in addition to individual users, depending on your organization's needs. Here is the documentation for setting up MFA: Set up multi-factor authentication.
    2. Conditional Access: The steps to create a Conditional Access policy are good. However, it is important to note that there are several policies that can be applied for Conditional Access, as highlighted here: Conditional Access in Azure Active Directory, in the Common Decisions section. (It is also important to note that points 4-6 of this section require Microsoft Intune.)

    You can also set up risk-based sign-in protection policies, as highlighted in this doc: https://learn.microsoft.com/en-us/entra/identity/authentication/tutorial-risk-based-sspr-mfa.
    I hope this helps to answer your question.

    If you find the answer above helpful, please Accept the answer to help anyone in the community who might have a similar question to quickly find the solution.

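A check for the Conditional Access settings listed in step 3 of the question, added here as an example (it is not code from the thread or from Microsoft): it audits a policy exported as JSON for gaps that would leave the compliant-device requirement unenforced. The field names follow the Microsoft Graph `conditionalAccessPolicy` resource; the sample policy and the `audit_policy` helper are constructed for illustration.

```python
import json

# Constructed sample, shaped like a Microsoft Graph conditionalAccessPolicy
# object; the display name and values are illustrative.
SAMPLE_POLICY = json.loads("""
{
  "displayName": "O365 - require compliant device (sample)",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "users": {"includeUsers": ["All"]},
    "applications": {"includeApplications": ["Office365"]},
    "platforms": {"includePlatforms": ["all"], "excludePlatforms": []}
  },
  "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]},
  "sessionControls": {"applicationEnforcedRestrictions": {"isEnabled": true}}
}
""")


def audit_policy(policy):
    """Return a list of gaps between the policy and the settings in step 3."""
    findings = []
    cond = policy.get("conditions") or {}
    grant = policy.get("grantControls") or {}
    session = policy.get("sessionControls") or {}
    if policy.get("state") != "enabled":
        findings.append(f"not enforced: state is {policy.get('state')!r}")
    apps = (cond.get("applications") or {}).get("includeApplications") or []
    if not {"Office365", "All"} & set(apps):
        findings.append("Office 365 is not in the targeted cloud apps")
    platforms = cond.get("platforms") or {}
    included = platforms.get("includePlatforms") or ["all"]  # unset means any platform
    if "all" not in included or platforms.get("excludePlatforms"):
        findings.append("some device platforms are outside the policy")
    controls = grant.get("builtInControls") or []
    if "compliantDevice" not in controls:
        findings.append("grant does not require a compliant device")
    elif grant.get("operator") == "OR" and len(controls) > 1:
        # With OR, any one listed control satisfies the grant.
        findings.append("compliant device is optional: operator OR allows "
                        + ", ".join(c for c in controls if c != "compliantDevice"))
    restrictions = session.get("applicationEnforcedRestrictions") or {}
    if not restrictions.get("isEnabled"):
        findings.append("app enforced restrictions are not enabled")
    return findings


if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print("FINDING:", finding)
```

On the constructed sample this reports two gaps: the policy is in report-only state, and the `OR` operator lets MFA alone satisfy the grant without a compliant device.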
