Office365 MFA Deployment Guide
May 2, 2019
Many consultants have run into difficulties when rolling multi-factor authentication (MFA) out on Office365. This guide walks you through all the steps to deploy it without needing those pesky app passwords.
What you need
- Clients running Office 2016 and up: MFA deployment without the use of app passwords will only work if your clients are running Office 2016 and up.
- A Windows machine: In order to apply some of the settings in this guide you will need one machine running one of the following versions of Windows: Windows 10, Windows 8.1, Windows Server 2016, Windows Server 2012, Windows Server 2012 R2, Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1.
- Access to the client’s Office365 Admin Center: The Admin Center is used to manage the deployment of MFA for the client. If your admin account already has MFA turned on, make sure to disable it for the PowerShell session.
- Clients running compatible mobile phone mail applications: MFA deployment for Office365 is not supported on outdated versions of both the iOS Mail and Samsung Mail email clients. Make sure that your clients are running the newest version of their mobile phone’s operating system as well as the most up to date versions of their phone’s email clients. If your users are still experiencing issues, simply delete the account from their phone and sign back in, or use the Outlook mobile application.
- Identify risky accounts: If you are unsure about the purpose of a user account on your Office365 Admin dashboard, it is strongly recommended not to turn on MFA for that account until its scope is identified.
Connect to Exchange Online PowerShell
- Open PowerShell as an administrator.
- Run the command “Set-ExecutionPolicy RemoteSigned”, input the letter “A” and hit enter. This allows locally written scripts to run while requiring scripts downloaded from the internet to be signed by a trusted publisher.
- Run the command “$UserCredential = Get-Credential” and input your Office365 administrator credentials into the dialog box.
- Run the following command “$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection”.
- Run this command “Import-PSSession $Session -DisableNameChecking”.
Enable Active Directory Authentication Library (ADAL)
- Run this command “Get-OrganizationConfig | Format-Table name, *OAuth*”. If the value for “OAuth2ClientProfileEnabled” returns “True”, ADAL is already enabled and you can skip the next step.
- Run the following command to enable ADAL: “Set-OrganizationConfig -OAuth2ClientProfileEnabled:$true”.
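The connect-and-enable steps above, combined into one script as an added example (this is not code from the original guide). It assumes the execution policy step has already been done, checks the current value before changing anything, re-reads the setting afterwards to confirm the change, and always removes the remote session when finished.

```powershell
# Added example: check and, only if needed, enable modern authentication (ADAL)
# for the tenant, then confirm the result and clean up the remote session.
$ErrorActionPreference = 'Stop'

# Office365 administrator credentials (same prompt as the Get-Credential step above).
$UserCredential = Get-Credential -Message 'Office365 administrator credentials'

# Same session parameters as the guide's New-PSSession step.
$Session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri 'https://outlook.office365.com/powershell-liveid/' `
    -Credential $UserCredential -Authentication Basic -AllowRedirection

try {
    Import-PSSession $Session -DisableNameChecking | Out-Null

    # Read the current tenant setting first so the script is safe to re-run.
    $config = Get-OrganizationConfig
    if ($config.OAuth2ClientProfileEnabled) {
        Write-Output "Modern authentication already enabled for $($config.Name); nothing to do."
    }
    else {
        Write-Output "Enabling modern authentication for $($config.Name)..."
        Set-OrganizationConfig -OAuth2ClientProfileEnabled:$true

        # Re-read the value so the result reflects tenant state, not just the request.
        $after = (Get-OrganizationConfig).OAuth2ClientProfileEnabled
        if (-not $after) {
            throw 'OAuth2ClientProfileEnabled still reports False after Set-OrganizationConfig.'
        }
        Write-Output 'Modern authentication enabled.'
    }
}
finally {
    # Tear down the remote session so the authenticated connection is not left open.
    Remove-PSSession -Session $Session
}
```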
Manage MFA user settings
- On the multi-factor authentication page, select the check box next to the people you want to manage.
- On the right, under quick steps, choose to Manage user settings.
- In the Manage user settings dialog box, select one or more of the following options:
  - Require selected users to provide contact methods again
  - Delete all existing app passwords generated by the selected users
  - Restore multi-factor authentication on all remembered devices
- Choose Save, then choose Close.
Set up multi-factor authentication in the Microsoft 365 admin center
- In the admin center, go to Users > Active users.
- IMPORTANT: BEFORE you select a user, choose More (...) > Setup Azure multi-factor authentication.
- Find the people for whom you want to enable MFA. In order to see everyone, you might need to change the Multi-Factor Auth status view at the top.
- The views have the following values, based on the MFA state of the users:
  - Any: Displays all users. This is the default state.
  - Enabled: The person has been enrolled in MFA, but has not completed the registration process. They will be prompted to complete the process the next time they sign in.
  - Enforced: The person may or may not have completed registration. If they have completed the registration process, then they are using MFA. Otherwise, they will be prompted to complete the process the next time they sign in.
- Select the check box next to the people for whom you want to enable MFA.
- On the right, under quick steps, you’ll see Enable and Manage user settings. Choose Enable.
- In the dialog box that opens, choose to enable multi-factor auth.