Multi-Factor Authentication (MFA) Setup and End-User Experience with Office 365 and PowerShell

Article
12/30/2016

About me: https://www.linkedin.com/in/anshumanmansingh

This article is more of a follow up towards an earlier article that I had written for - Enabling/Enforcing Multifactor Authentication for All (Bulk) Users in Office 365.
That article was aimed at IT Professionals who would dive deep into the functionality and are comfortable with PowerShell. This article is aimed at end-users and IT Professionals – to get a glimpse of how would MFA (or multi-factor authentication) experience turn out to be.

Initial Setup (Direct Link to portal: https://account.activedirectory.windowsazure.com/UserManagement/MultifactorVerification.aspx)

Notes: Azure multi-factor authentication is a method of verifying who you are that requires the use of more than just a username and password. Using MFA for Office 365, users are required to acknowledge a phone call, text message, or app notification on their smart phones after correctly entering their passwords. They can sign in only after this second authentication factor has been satisfied.

A form of multi-factor authentication is included with Office 365, but you can also purchase Azure multi-factor authentication that includes extended functionality. For more information, see feature comparison of Azure multi-factor authentication versions.

(Reference article for IT Pros: https://support.office.com/en-us/article/Set-up-multi-factor-authentication-for-Office-365-users-8f0454b2-f51a-4d9c-bcde-2c48e41621c6?ui=en-US&rs=en-US&ad=US)

Set up multi-factor authentication in the Office 365 admin center

Important: All the Office 2016 client applications support multi-factor authentication through the use of the Active Directory Authentication Library (ADAL). This means that app passwords are not required for Office 2016 clients.

Go to the Office 365 admin center.
Navigate to Users > Active users. Your screen should look like one of the following:

In the Office 365 admin center, click More > Setup azure multi-factor auth.

Here is the direct link to the MFA management portal for Office 365:
https://account.activedirectory.windowsazure.com/UserManagement/MultifactorVerification.aspx

To reset selected users' MFA information.

When you hit enable

For Reference: About enabling multi-factor authentication

Please read the deployment guide if you haven't already. If your users do not regularly sign in through the browser, you can send them to this link to register for multi-factor auth: https://aka.ms/MFASetup

From < https://account.activedirectory.windowsazure.com/UserManagement/MultifactorVerification.aspx?culture=en-US\&BrandContextID=O365 >

For Reference: How Azure Multi-Factor Authentication works

From < https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-how-it-works >

When you hit "Enforce"

For Reference: Manage your settings for two-step verification

From < https://docs.microsoft.com/en-us/azure/multi-factor-authentication/end-user/multi-factor-authentication-end-user-manage-settings >

For Reference: How To Set Up Multi-Factor for Your Account

From < https://channel9.msdn.com/posts/Multi-Factor-Account-Setup >

Option 1 - Authentication Phone

Option 2 - Office Phone

Option 3 - Mobile App

I chose to receive my verification code as a text message on the "Authentication Phone" option.

For Reference: Managing your Azure Multi-Factor Authentication User Settings

From < https://technet.microsoft.com/library/en-us/dn270518 >

Step 3: Keep using your existing applications

In some apps, like Outlook, Apple Mail, and Microsoft Office, you can't use a phone to secure your account. To use these apps, you'll need to create a new "app password" to use in place of your work or school account password. Learn more