Managing security across your Microsoft 365 user accounts can be a daunting, and time-consuming, task. However, with the right knowledge and approach, managing MFA strengths in Microsoft 365 can be a straightforward and secure process.
By taking the time to learn about the various authentication methods and their respective strengths and weaknesses, your organization can ensure their Microsoft 365 environment is secure and compliant with industry standards.
What is multi-factor authentication?
Multi-factor authentication (MFA) requires users to present two or more types of evidence, such as a one-time code sent via text message, an email confirmation, or a biometric scan like a fingerprint or facial recognition. The combination of factors makes it much harder for cybercriminals to gain access to an account, as they would need to know both the username and password, and have access to the user’s device.
Why you should implement advanced MFA settings
Microsoft claims that MFA can help prevent 99.9% of account attacks; advanced MFA settings will strengthen your security posture even more. It is an effective way to protect data from unauthorized access by preventing malicious actors from gaining access to Microsoft 365 accounts, even if they have a user’s password.
If a malicious actor gains a user’s password, they will still need to provide additional evidence in order to access the account. This reduces the risk of data breaches and ensures that only authorized users can access your Microsoft 365 applications and data.
How to set up MFA in Microsoft 365
Microsoft 365 allows users to access MFA through verification codes, phone calls, or through the Microsoft Authenticator app. Admins can use any of three options to set up MFA in Microsoft 365: security defaults, conditional access, and legacy per user. Each will be fully explained in the next section.
Security defaults
By turning on Microsoft 365’s security defaults, you will enable pre-configured security settings provided by Microsoft to help protect your business from identity-related attacks. This will include automatically enabling MFA for all user accounts, including admins.
Turn on security defaults by:
- Logging into the Microsoft 365 Admin Center with either Security Credentials, Conditional Access Credentials, or Global Admin Credentials.
- Navigating to the Azure Active Directory (Azure AD) portal, found under Admin Centers.
- Selecting Manage > Properties from the dashboard.
- Navigating to Manage Security Defaults.
- Selecting Yes.
Conditional access
This option will allow you to create your own specific policies with the security requirements that your business needs, e.g. evaluating user sign-ins to determine if they will be granted access. MFA requirements can also be assigned based on group memberships, rather than configuring the settings for individual users.
Enable MFA with conditional access by:
- Signing into the Azure portal with Global Account Credentials.
- Navigating to Azure AD.
- Selecting Security > Conditional Access > + New Policy.
- Creating a name for the new policy.
- Selecting Assignments > Users and Groups.
- Clicking on Select Users and Groups, and ticking the box with the same name.
- Clicking Select to view the Azure AD users in your environment.
- Selecting the users and groups you want to apply the new policy to.
- Selecting Done.
To apply to the new policy, navigate over to Cloud Apps or Actions from the previous Users and Groups page.
- Either apply the new policy to all or individual apps.
- After choosing the right apps, navigate Microsoft Azure Management > Select > Done.
- Under Access Controls, navigate to Grant and select the Grant Access button.
- Click on the box labelled Require multi-factor authentication > Select.
- Toggle Enable Policy to On, and select Create to apply your conditional access policy.
Legacy per user MFA
Setting up MFA via legacy per user is the most time-consuming option, as you will have to configure each individual user account settings.
Configure the user’s settings by:
- Logging into the Azure portal with Global Admin Credentials.
- Navigating to Azure Active Directory > Users > All Users.
- Selecting Multi-Factor Authentication.
Each of your users will be in one of three states regarding MFA: disabled, enabled, and enforced. Microsoft recommends waiting for your users to register before changing the statuses.
- Find the user you want to enable MFA for, and check the box beside their name.
- Under Quick Steps, choose enable or disable, and confirm your choice in the pop-up window.
Configuring MFA strengths
Once you have set up multi-factor authentication, you can manage the strengths. Microsoft allows up to 15 custom MFA strength creations, so ensure you have planned out your groups and strength customizations.
Create custom MFA strength by:
- Logging into the Azure portal.
- Navigating to Azure AD > Security > Authentication Methods > Authentication Strengths.
- Selecting New Authentication Strength.
- Naming and describing the new policy.
- Choosing the combination of MFA settings you want, e.g. certificate-based authentication and temporary access pass.
- Saving your selections before exiting.
Customize your Microsoft security with expert assistance
Managing MFA strengths in Microsoft 365 can be a daunting task. It requires knowledge of the various authentication methods, their respective strengths and weaknesses, and an understanding of the different levels of security they provide.
As a certified Microsoft Partner, Technology Solutions can advise you on the best MFA strength settings for your business needs, and manage your entire M365 environment for maximum security and performance. Talk to them today and find out more.
