In today’s Ask the Admin, I’ll show you how to enable two-factor authentication on a Microsoft account with the help of Microsoft’s Authenticator mobile app.
In What Is Multifactor Authentication and How Does It Work? on the Petri IT Knowledgebase, I explained the concept of two-factor and multi-factor authentication, and why you should enable it for sensitive accounts. Two-factor authentication (2FA) has been available in Office 365 for a couple of years, but you need to manually enable it for your users. Microsoft’s Authenticator app for iOS, Android, and Windows Phone makes it easier than ever to implement 2FA by using push notifications for verification rather than requiring users to type in access codes.
Before setting up 2FA for Office 365 users, make sure you enable Modern Authentication (MA) for Exchange Online if users are accessing Exchange using Outlook 2016 or 2013. Versions of Outlook prior to 2013 don’t support Modern Authentication. For details on how to enable MA for Exchange Online tenants, see Enable Modern Authentication in Exchange Online.
I’ve tested 2FA with Microsoft’s mobile Office apps, Outlook Groups, Office 2016 desktop apps, and OneDrive for Business in Windows 10, and found no problems. But there may be apps that are incompatible or require an app password, so make sure you test all the apps in your organization before enabling 2FA.
If you intend to set up 2FA for tenant administrator accounts, you should note that those accounts won’t be able to sign in to Office 365 using PowerShell. Microsoft recommends creating a specialized account for each administrative user for the purposes of accessing Office 365 via PowerShell. These accounts should be disabled when not in use.
The first step is to enable 2FA for one or more users in the Office 365 admin portal. 2FA can be enabled for individual users or in bulk. In this demo, because I’m testing 2FA before I roll out the feature to all users, I’ll enable 2FA for one account only. Before continuing, I recommend installing Microsoft Authenticator on your mobile device, not to be confused with Authenticator, a similar app from Microsoft but without support for push notifications.
The MULTI-FACTOR AUTH STATUS column for the user will change to Enabled. Close the browser window and sign out of the admin portal.
The user is then required to enroll for 2FA once the feature has been enabled for their account by an administrator. The user should sign in to Office 365 as usual with their username and password, and then click Set it up now on the sign in screen and follow the instructions below:
Web-based and mobile apps can use Microsoft Authenticator app verifications for 2FA logins, but Office desktop apps require an app password. The final step provides you with an app password for these apps.
You’ll be prompted to sign in again, this time by verifying the login using the Microsoft Authenticator app.
In this article, I showed you how to enable 2FA for Office 365 user accounts and how users should enroll once 2FA has been enabled for their accounts, using the Microsoft Authenticator app for verification.