How multifactor authentication works in Office 365

New options introduced this year makes it much easier to increase the security of Office in the cloud

Last week, my blog focused on Microsoft's push to make everything as a service a reality. One issue that reality would expose is people and companies putting much sensitive data in the cloud, for which I recommended the use of multifactor authentication. Many cloud vendors, Microsoft included, are offering multifactor authentication given the widespread concerns over data breaches.

One reader questioned the viability of using multifactor authentication with Office 365 because of the need to implement a variety of onsite services. The complaint was that it "is complicated, is expensive, and relies on a number of pieces all chained together to work correctly." Although that may have been accurate in the past, it's not true today.

[ How to choose the right Office 365 option for your company. | What's new in Microsoft Azure. | Stay atop key Microsoft technologies in InfoWorld's Technology: Microsoft newsletter. ]

This February, the Office 365 team at Microsoft announced multifactor authentication for Office 365 that in my personal experience is supereasy to implement. Using my company's Office 365 portal, all I had to do was log into the Admin Center, go to Users and Groups, select a user account, and click the Set Up link next to Set Multi-factor Authentication Requirements.

By default, you'll see your users are disabled under Multi-factor Auth Status, and as an admin all you can do is enable or disable them. Once you enable the users, be sure to notify them about the process. (Microsoft has a handy checklist of the admin process you may want to review that includes an email template you may want to use in your notification to enabled users.)

When users sign in to Office 365 via the Web, they are prompted to set up the type of secondary authentication they prefer. They have these options:

  • Call My Mobile Phone: When the users receive the confirmation call, they press # in the phone's dial pad to log in.
  • Call My Office Phone: This works like Call My Mobile Phone, but sends the confirmation call to a separate line, such as a desk phone.
  • Text Code to My Mobile Phone: The user receives a code sent via SMS text message to their phone, then enter it in the Office 365 login form.
  • Notify Me through App: The user can use a Microsoft smartphone app to receive and confirm the notification; the app is available for Windows Phone, iPhone, and Android.
  • Show One-Time Code in App: This uses the same app as for the Notify Me through App option, but sends a one-time six-digit code that must be entered in the Office 365 login screen.

In addition to multifactor authentication, Office 365 by default also requires users enter a password to access native Office applications on PCs, Macs, and mobile devices. The Office 365 admin tool automatically issues 16-character, randomly generated tokens for users, who can request more.

There are some problems with the use of the app password. First, the password complexity is daunting to many users, who can easily forget or mistype such tokens. Second, the OWA apps for the iPhone and iPad don't support it.

Of course, this isn't the end of development at Microsoft for multifactor authentication. Later this year, for example, Microsoft promises an update that integrates additional forms of authentication, including third-party support and smart cards, including the DoD Common Access Card (CAC) and the U.S. Federal Personal Identity Verification (PIV) card.

Before you leap for joy, note that multifactor authentication is not included in all Office 365 plans. You get it in the midsize-business, enterprise, and academic plans, but not in the small-business or dedicated plans. And before you configure the settings for any of your end-users, you might want to click the link to Microsoft's multifactor authentication deployment guide, which focuses on authentication in general and Azure multifactor authentication specifically.

This story, "How multifactor authentication works in Office 365," was originally published at Read more of J. Peter Bruzzese's Enterprise Windows blog and follow the latest developments in Windows at For the latest business technology news, follow on Twitter.

Copyright © 2014 IDG Communications, Inc.