By: Mark Sheldon Villanueva on March 17th, 2022
How to Set Up MFA for Microsoft 365
If your business uses the cloud, you need to enable multi-factor authentication (MFA). It's a proven game-changer in modern data security. The only problem is that a majority of businesses aren't taking advantage of it.
At a 2020 cybersecurity conference, Alexander Weinert, Microsoft's Director of Identity Security, said that 89% of their users still have not enabled MFA. He then added that, on average, over 1.2 million Microsoft enterprise accounts would be compromised each month. Of those, around 99.9% will not have MFA enabled.
It's a perplexing statistic that leaves us asking: why aren't more businesses hopping on the MFA train? It's a simple, low-cost security measure, and implementing it won't cause any major disruption to your operations. Best of all, it's likely already built into your Microsoft subscription.
According to many security experts, low adoption of MFA is likely the result of a lack of information regarding the technology and the potential risks involved. In other words, a lot of people don't exactly know how it works, why it's important, or how easy it is to enable the tool.
At ITS, we've helped hundreds of businesses manage and secure their data, whether it’s in the cloud or on-premises. In this article, we'll try to address some of the issues keeping organizations from adopting MFA. After reading, you will hopefully be able to get a grasp of the following:
- Why You Need MFA for Microsoft 365
- How to Set Up MFA for Microsoft 365
Why You Need MFA for Microsoft 365
Let's get this out of the way: MFA isn't perfect. Enabling it doesn't mean your organization's user accounts will be impervious to hacking. There are ways around it. However, having MFA makes it twice as hard for an attacker to gain access to your accounts. It provides an extra set of hurdles they will have to leap over before getting in.
"MFA is one of the easiest and most effective ways to add protection to your digital identity," said Kyle Ramirez, our Technical Sales Engineer from ITS San Francisco. "Notice, I didn't say that it will solve the problem. It doesn't make the threat go away, and it doesn't provide 100% protection. What it does is it gives you more control," he added.
According to Ramirez, MFA's value comes from the fact that it provides you with a way to disallow usage of user accounts even when a malicious actor gets hold of your passwords. That is a crucial feature, especially when you consider that Verizon's 2021 Data Breach Investigations Report found that a majority (61%) of data breaches leverage stolen or weak credentials.
How to Set Up MFA for Microsoft 365
There are several methods to set up your MFA. Check out some of those methods below:
According to Ramirez, the lowest-cost method to implement MFA is through Azure Active Directory (Azure AD). "The multi-factor authentication that's built into Microsoft 365 is actually built into Azure Active Directory, which is a free tool. So you don't need licensing in order to utilize multi-factor authentication," he said.
He explained that setting up MFA via Azure Active Directory is as easy as highlighting a user, going to the Manage Multi-Factor Authentication menu, and switching it on.
Afterward, Ramirez said that "you would need to request the user to go to www.aka.ms/mfasetup, and they would run through the self-service MFA setup Wizard."
Another way of enforcing MFA across your organization is to enable Enforce MFA. That will require users to register the next time they log in. So, instead of instructing them to go to the URL, they will automatically be sent there to register.
Ramirez advised, however, that you will need to make sure that you communicate these types of changes beforehand.
The downside of implementing MFA manually, however, is that it's a bit more time-consuming and requires more management. In addition, new user accounts will have MFA disabled by default. As your team grows, that might cause problems and confusion down the line.
"This is not the best way of enabling MFA," Ramirez stated. "This is just the lowest cost, best value option of doing it," he added.
Enforce for All
The second method for enforcing MFA in your workplace is turning on Microsoft Security Defaults in Azure AD. Security Defaults is a high-level Microsoft 365 tenant setting. Turning it on will enforce MFA across all your user accounts.
"Turning on [Security Defaults] will make a lot of different configuration changes that will increase the security of your Microsoft 365 tenant," Ramirez said. "However, it might break certain things because it's an all or nothing configuration," he warned.
According to him, while the process will enforce MFA throughout the organization, it might also cause issues across your network.
"It will require all of your users to enroll. Maybe you have some sort of out-of-office manager tool or something that requires a service account. Now, MFA will be enabled for that service account as well," Ramirez said.
The process can also cause problems with the authentication methods of some legacy apps, which could impact some third-party services. "Hopefully, that third-party service also supports modern authentication to allow MFA. Some services that are a little more legacy are not able to navigate that second layer of authentication," Ramirez explained. "For some accounts, you have to disable MFA, or you have to change providers," he added.
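One way to find the accounts Ramirez is warning about before switching on Security Defaults is to review a sign-in log export for clients that still use legacy protocols. This is an added example, not code from the article or from ITS; the CSV rows are constructed sample data, and the column names and the `Get-LegacyAuthUsage` function are assumptions of this example.

```powershell
# Constructed sample rows shaped like a sign-in log export.
# Column names are assumptions of this example; adjust them to your export.
$signInCsv = @'
UserPrincipalName,ClientAppUsed,AppDisplayName
alice@contoso.example,Browser,Office 365 SharePoint Online
svc-scanner@contoso.example,Authenticated SMTP,Office 365 Exchange Online
svc-scanner@contoso.example,Authenticated SMTP,Office 365 Exchange Online
bob@contoso.example,Mobile Apps and Desktop clients,Microsoft Teams
svc-ooo@contoso.example,Exchange Web Services,Office 365 Exchange Online
carol@contoso.example,IMAP4,Office 365 Exchange Online
dave@contoso.example,,Office 365 Exchange Online
'@

function Get-LegacyAuthUsage {
    param([Parameter(Mandatory)][object[]] $SignIns)

    # Client types that use modern authentication and can answer an MFA prompt.
    $modernClients = @('Browser', 'Mobile Apps and Desktop clients')

    $SignIns |
        # Skip rows with no client type recorded, then keep only legacy clients.
        Where-Object { $_.ClientAppUsed -and ($_.ClientAppUsed -notin $modernClients) } |
        Group-Object UserPrincipalName, ClientAppUsed |
        ForEach-Object {
            [pscustomobject]@{
                Account  = $_.Group[0].UserPrincipalName
                Protocol = $_.Group[0].ClientAppUsed
                SignIns  = $_.Count
            }
        } |
        Sort-Object SignIns -Descending
}

# Split the here-string into lines so each row is parsed as one CSV record.
$rows = ($signInCsv -split "\r?\n") | ConvertFrom-Csv
Get-LegacyAuthUsage -SignIns $rows | Format-Table -AutoSize
```

Each account listed is a candidate for moving to a client that supports modern authentication, or for the provider change Ramirez mentions, before the tenant-wide setting is turned on.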
Perhaps the best and easiest method to enforce MFA across your organization is by doing it through Azure AD Premium. However, you will need to shell out some cash as the solution is a premium offering from Microsoft.
"The best way to enable MFA, unfortunately, is with a licensed product. But the license is included with a lot of other services," Ramirez stated. "Azure Active Directory Premium P1 gives you access to something called conditional access. It's like Security Defaults, but you can tune it yourself," he added.
According to Ramirez, conditional access enables users to create their own policy logic. For example, you can enforce MFA for all users except specific service accounts. "You can create those types of executions, and you have more control over the systematic way in which MFA is enforced for your organization," he detailed.
To create a Conditional Access policy, sign in to the portal, search for the security panel, then look for the Conditional Access menu. From there, you can select New Policy and set it up. Under the Assignments section, you can choose which users and groups will either be included or excluded from the new policy. Once you're done, confirm your settings, then select Create to enable it across your organization.
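The same policy can be expressed as a Microsoft Graph request body instead of portal clicks. This is an added example, not code from the article or from ITS: the `New-MfaPolicyBody` function, the policy name and the object IDs are hypothetical placeholders. It builds an "all users except listed service accounts" policy in report-only state so the impact can be reviewed before enforcement.

```powershell
# Added example: builds a Conditional Access policy body for Microsoft Graph.
# The function name, policy name and object IDs are constructed placeholders.
function New-MfaPolicyBody {
    param(
        [Parameter(Mandatory)][string] $DisplayName,
        [string[]] $ExcludedObjectIds = @(),
        # Default to report-only: the policy is evaluated and logged, not enforced.
        [ValidateSet('enabledForReportingButNotEnforced', 'enabled', 'disabled')]
        [string] $State = 'enabledForReportingButNotEnforced'
    )
    # Exclusions are directory object IDs (GUIDs), not user principal names.
    foreach ($id in $ExcludedObjectIds) {
        $parsed = [guid]::Empty
        if (-not [guid]::TryParse($id, [ref]$parsed)) {
            throw "Excluded entry '$id' is not an object ID (GUID)."
        }
    }
    @{
        displayName   = $DisplayName
        state         = $State
        conditions    = @{
            clientAppTypes = @('all')
            applications   = @{ includeApplications = @('All') }
            users          = @{
                includeUsers = @('All')
                excludeUsers = @($ExcludedObjectIds)
            }
        }
        grantControls = @{
            operator        = 'OR'
            builtInControls = @('mfa')
        }
    }
}

# Constructed placeholder object IDs standing in for two service accounts.
$serviceAccounts = @(
    '00000000-0000-0000-0000-000000000001'
    '00000000-0000-0000-0000-000000000002'
)
$body = New-MfaPolicyBody -DisplayName 'Require MFA - all users except service accounts' -ExcludedObjectIds $serviceAccounts
$body | ConvertTo-Json -Depth 5

# Submitting needs the Microsoft.Graph module and an administrator sign-in.
$apply = $false
if ($apply) {
    Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}
```

Keep the exclusion list short and reviewed, since every excluded account is one that a stolen password alone can still open.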
Ready to Set Up MFA for Microsoft 365
MFA is an easy and low-cost way to secure your data effectively. You can even choose different ways of implementing it, depending on your company's needs. The only thing that's keeping many businesses from adding that extra layer of protection is not knowing how to implement it. However, now that you've read this article, we hope there's no longer anything stopping you from enabling MFA for your organization.
At ITS, we help our clients find the best ways to manage and secure their data. If you want to learn more about MFA, check out our article to find out the best type of multi-factor authentication for Microsoft 365.