Enable multifactor authentication
As with PTA, Microsoft Entra multifactor authentication was also introduced in earlier training that examined user authentication options. This unit examines in greater detail the mechanics of how multifactor authentication works and how it's enabled.
The multifactor authentication process
Microsoft Entra multifactor authentication helps increase security by requesting two authentication methods. Users must sign-in with a user name and a password and then use a second authentication method. The second method may be acknowledging a phone call, text message, or an app notification on their mobile phone. If the user name, password, and second authentication method are verified, the user can sign-in to Microsoft 365. Users can also be enabled who authenticate from a federated, on-premises directory for multifactor authentication.
The following graphic shows the difference between the different authentication factors:
- Something the user knows (Password)
- Something the user owns (Device)
- Something the user is (Biometrics)
You can use security defaults in Microsoft Entra tenants to quickly enable Microsoft Authenticator for all users. You can also enable Microsoft Entra multifactor authentication to prompt users and groups for another verification during sign-in.
For more granular controls, you can use Conditional Access policies to define events or applications that require multifactor authentication. These policies can allow regular sign-in when the user is on the corporate network or a registered device. They can also prompt for other verification factors when the user is remote or on a personal device.
Enable multifactor authentication
An Enterprise Administrator can enable multifactor authentication for users in the Microsoft 365 admin center by completing the following steps:
- In the Microsoft 365 admin center, in the left-hand navigation pane, select Settings and then select Org settings.
- On the Org settings page, under the Services tab (which is displayed by default) select multifactor authentication.
- In the multifactor authentication pane that appears, select Configure multifactor authentication.
- On the multifactor authentication page, two tabs are available - one for users and one for service settings.
- On the users tab, you can enable (or disable) multifactor authentication for one or more users. You can begin by filtering the users who are displayed by selecting one of the options in the View drop-down menu. Once the list of users that you want is displayed, you can update their multifactor authentication settings.
- To enable multifactor authentication for one or more users, complete the following steps:
- Select the users to be enabled for multifactor authentication.
- In the user pane that appears on the right, you can update the multifactor authentication settings for the users by selecting Manage user settings.
- In the Manage user settings window that appears, you can select any of the following options for the selected users, and then select save:
- Require selected users to provide contact methods again.
- Delete all existing app passwords generated by the selected users.
- Restore multifactor authentication on all remembered devices.
- In the user pane that appears on the right, you can turn on multifactor authentication for the selected users by selecting Enable.
- In the About enabling multifactor authentication window that appears, you can select the provided links to learn more about multifactor authentication. When you're ready, select the enable multifactor authentication button, and then select close once the update is complete.
- The value in the multifactor authentication STATUS column should change from Disabled to Enabled for each selected user.
- To enable (or disable) multifactor authentication for all the users in a CSV file by using the bulk import feature, complete the following steps:
- Select the bulk import button that appears at the top of the screen.
- In the Select a CSV file window that appears, you can select Download a sample file to see the file format that's required (it includes each user's alias and whether multifactor authentication should be Enabled or Disabled for the user).
- When your file is ready, select Browse for file and select your CSV file.
- Select the arrow icon in the bottom right corner of the window.
- The Verifying file window that appears displays the number of user accounts that were verified. Select the arrow icon in the bottom right corner of the window to update the users.
- The Done window indicates the number of users that were updated. Close the window.
- On the service settings tab, you can update the global multifactor authentication settings for the organization. This tab enables you to update the following settings:
- app passwords section
- Allow users to create app passwords to sign-in to non-browser apps.
- Don't allow users to create app passwords to sign-in to non-browser apps.
- trusts ips section
- Skip multifactor authentication for requests from federated users on my intranet.
- Skip multifactor authentication for requests from following ranges of IP address subnets (enter the IP address subnets in the provided field).
- verification options section
- Select one or more multifactor authentication methods that will be available for users to choose from:
- Call to phone. Users receive a phone call with instructions for the users to press the pound key. After they press the pound key, users are signed in.
- Text message to phone (selected by default). Users receive a text message containing a six-digit code that they must enter into the Microsoft 365 portal.
- Notification through mobile app (selected by default). Users configure a smartphone app that receives a notification that users need to confirm to sign in to Microsoft 365. Smartphone apps are available for Windows phone, iPhone, and Android devices.
- Verification code from mobile app or hardware token (selected by default). Users configure a smartphone app and enter the six-digit code from the app into the portal.
- Select one or more multifactor authentication methods that will be available for users to choose from:
- remember multifactor authentication on trusted device section
- Allow users to remember multifactor authentication on devices they trust (between one to 365 days)
- Number of days users can trust devices for (90 days is entered as the default value)
- app passwords section
Multifactor authentication can also be enabled for a user through Windows PowerShell. Use the Set-MsolUser cmdlet and the -StrongAuthenticationRequirement parameter, as seen in the following example:
$st = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement$st.RelyingParty = "*"$st.State = “Enabled”$sta = @($st)Set-MsolUser -UserPrincipalName StellaC@adatum.onmicrosoft.com -StrongAuthenticationRequirements $sta
After the administrator enables users for multifactor authentication, the users must configure their second authentication factor at their next sign-in.
Optimize reauthorization prompts for Microsoft Entra multifactor authentication
One of the system settings options is to "Remember multifactor authentication on trusted devices." This setting determines how often users must reauthenticate using their multifactor authentication method. You can optionally select the number of days that multifactor authentication can be remembered on trusted devices. Organizations can configure these reauthentication settings as needed for their environment, and for the user experience they want.
The Microsoft Entra ID default configuration for user sign-in frequency is a rolling window of 90 days. However, for optimal experience, it's recommended that you use Conditional Access sign-in frequency to extend session lifetimes on trusted devices, locations, or low-risk sessions as an alternative to this setting. If you decide to implement this remember multifactor authentication on trusted devices setting, be sure to extend the duration to 90 or more days.
Asking users for credentials on a frequent basis seems like a sensible thing to do, but it can backfire. If users are trained to enter their credentials without thinking, they can unintentionally supply them to a malicious credential prompt. As such, it may sound alarming to not ask for a user to sign back in, though any violation of IT policies revokes the session. Some examples include:
- a password change
- a non-compliant device
- an account disable operation.
The following configurations are recommended to give your users the right balance of security and ease of use by asking them to sign-in at the right frequency:
- If you have Microsoft Entra ID P1 or P2:
- Enable single sign-on (SSO) across applications using managed devices or Seamless SSO.
- If reauthorization is required, use a Conditional Access sign-in frequency policy.
- For users that sign-in from non-managed devices or mobile device scenarios, persistent browser sessions may not be preferable. Or, you may use Conditional Access to enable persistent browser sessions with sign-in frequency policies. Limit the duration to an appropriate time that's based on the sign-in risk, where a user with less risk has a longer session duration.
- If you have Microsoft 365 apps licenses or the free Microsoft Entra tier:
- Enable single sign-on (SSO) across applications using managed devices or Seamless SSO.
- Keep the Remain signed-in option enabled and guide your users to accept it.
- For mobile device scenarios, ensure your users use the Microsoft Authenticator app. This app is used as a broker to other Microsoft Entra ID federated apps. It reduces the authentication prompts on the device.
Note
Microsoft's research shows that these settings are right for most tenants. Some combinations of these settings, such as Remember multifactor authentication and Remain signed-in, can result in prompts for your users to authenticate too often. Regular reauthorization prompts are bad for user productivity and can make them more vulnerable to attacks.
Additional reading. For more information, see the article titled: How it works: Microsoft Entra multifactor authentication.