Anyone have any experience with using two factor authentication for Office 365?
In 2015 when first trying this it was advised that global admins don’t use it, and now Microsoft has changed its stance on this and is recommending using a secure long password that doesn’t expire and enabling 2FA.
I have given it several tries but found that the iOS and Android apps for Office 365 either regularly sign out, which is a pain as you have to keep signing back into them all and creating new passcodes, or use MS Authenticator, which is desperately unreliable, producing nothing more than a blank screen.
It also seems to totally screw up desktop applications on Windows unless you totally uninstall the Office apps.
Anyone done this successfully?
I’ve been using it for my account for at least a year without any problem. I only use the desktop and online apps (no android or ios apps) so I can’t say how it affects the mobile device apps. I’ve had no problems with the Microsoft authenticator.
pbrain
(Juanoflo)
3
I don’t like the fact that you need separate app passwords. I would really like it if you could enable 2FA only for web and non domain joined computers.
I use MFA with strong passwords that do expire for admin accounts. Use the SMS verification and it works great.
Yes, make sure you store that app password somewhere safe lol. It’s not fun when you need it again.
dreid007
(Don007)
6
Don’t save the password. Delete it and generate a new one.
dreid007
(Don007)
7
I’m with Steve, it just works.
As for bypass for Domain Joined computers, we segment our outbound traffic (LAN gets one public IP, WiFi another, Guest WiFi a third, etc.) and whitelist the LAN’s public IP.
tobywells
(toby wells)
8
We are rolling out and it seems to just work; a couple of strange errors enabling it for certain users, but other than that it’s working well.
Whitelist LAN’s public IP to bypass MFA? Why would you make any effort to bypass MFA?
dreid007
(Don007)
10
Given that we are in a locked environment with a short idle screen lock time and a long passphrase, we evaluated the risk and determined that machines physically attached to our internal network met the MFA criterion of “something you have”; couple that with the passphrase, “something you know”, and you have MFA.
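The trusted-location reasoning in this post (sign-ins from the LAN's own public egress address skip MFA, everything else and every admin account does not) written out as a small policy evaluator. This is an added example, not code posted in the thread or anything Microsoft ships; the addresses, the `SignIn` record and the function names are constructed for illustration. It also carries the check a practitioner would want when using a segmented-egress design like the one described: confirming that the WiFi and Guest WiFi egress addresses never fall inside the trusted range, and failing closed on an unparsable source address.

```python
import ipaddress
import logging
from dataclasses import dataclass

logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
log = logging.getLogger("mfa-policy")

# Constructed sample addresses from the RFC 5737 documentation range, not real egress IPs.
# Only the wired LAN's public NAT address is trusted; WiFi and Guest WiFi egress elsewhere.
TRUSTED_EGRESS = [ipaddress.ip_network("203.0.113.10/32")]
OTHER_EGRESS = {
    "wifi": "203.0.113.11",
    "guest_wifi": "203.0.113.12",
}


@dataclass(frozen=True)
class SignIn:  # hypothetical record of one sign-in attempt
    user: str
    source_ip: str
    is_admin: bool = False


def from_trusted_location(source_ip: str) -> bool:
    """True only if the sign-in source is inside a trusted egress range.

    An unparsable address is treated as untrusted (fail closed).
    """
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        log.warning("unparsable source address %r; treating as untrusted", source_ip)
        return False
    return any(addr in net for net in TRUSTED_EGRESS)


def mfa_required(signin: SignIn) -> bool:
    """Decide whether this sign-in must complete MFA.

    Admin accounts always get MFA; ordinary users skip it only when arriving
    from the trusted LAN egress address, as the post describes.
    """
    if signin.is_admin:
        decision = True
    else:
        decision = not from_trusted_location(signin.source_ip)
    log.info("user=%s ip=%s admin=%s mfa_required=%s",
             signin.user, signin.source_ip, signin.is_admin, decision)
    return decision


def overlapping_egress() -> list:
    """Names of non-LAN egress addresses that would wrongly be trusted.

    Run this whenever the trusted ranges change: a too-wide range (say, the
    provider's whole block) would silently exempt Guest WiFi as well.
    """
    return [name for name, ip in OTHER_EGRESS.items() if from_trusted_location(ip)]


if __name__ == "__main__":
    for s in (SignIn("alice", "203.0.113.10"),
              SignIn("bob", OTHER_EGRESS["guest_wifi"]),
              SignIn("globaladmin", "203.0.113.10", is_admin=True),
              SignIn("carol", "not-an-ip")):
        mfa_required(s)
    print("egress addresses leaking into the trusted set:", overlapping_egress())
```

The evaluator logs every decision, so the exemption is auditable rather than silent; `overlapping_egress()` is the regression check to keep next to the trusted-IP list so a later change to the NAT layout cannot widen the bypass unnoticed.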
Jono
(Jono)
11
Just bear in mind when enabling MFA that PowerShell or EWS apps that use the admin accounts may fail.
The MS Outlook app has been fine, and MFA with users on the internal network using an app token also works well…
Ensure your AD and Cloud passwords have been reset and are in sync
I have tested in our MSP Office 365. Configured MFA for a set of users (users configured in an on-premise AD group synced with Azure AD). You can selectively configure MFA for each user also. Here are the settings available while configuring MFA for each user.