Office 365 MFA

Multi Factor Authenticator (MFA), sometimes referred to as 2 Factor Authentication (2FA), is a method of providing different forms of authentication methods towards a service, usually an online public facing one. You may however also find these on internal systems. Enabling MFA on your Office 365 tenant is a must, and you should do this TODAY.

Scared? Don’t be, you have been using MFA for years. You just don’t know it.

Do not over think MFA, you have all been using this for many years when it comes to online banking, where you are required to provide a password, followed by a randomly generated code from a device. Historically, this used to be a dongle provided by your bank, but in recent years this has switched to a code generated from inside the banking application on your mobile device.

Therefore, the result, someone attempting to compromise your account would need your password, and your 2nd factor device, which is near on impossible (aside from some malware now attacking mobile devices to steal codes, for this we recommend mobile device protection).

How does Microsoft MFA work? What are the methods?

When we talk about Office 365 MFA, typically this comes in the form of a Microsoft Authenticator App on your mobile device. However a list of methods exist as follows:

  • Call to your phone – not recommended.
  • Code via SMS Message – not recommended.
  • Microsoft Authenticator.
  • Physical USB device – such as YubiKeys (
  • Notification via mobile application.

Why are calls and SMS methods not recommended?

In our opinion, calls and SMS are not recommended methods to authenticate, due to “sim swap”, where a hacker will call your provider, and request a sim swap to a new sim card, which if successful, will then receive all of your calls and SMS messages.

There has even been reports online of insiders working at mobile providers, sim swapping for hackers, so they have had no need to social engineer the incident. There is also a number of phishing email templates circulating, pretending to be your provider with a “billing issue” which if fallen for, will see you provide a hacker with the answers to your secret questions, so when they call your mobile provider, they can get through security, and swap your sim.

Will I be asked to supply a new code EVERY time I use my Office 365 system?

Simply put, no. Typically, your MFA code is only required when:

  1. Setting up a new device, or an existing device that needs reconfiguring, say following a support issue.
  2. When logging into any Office 365 platform via the web, as this is of course considered to be from an untrusted device or location.

Once enabled, what is available to stop my team disabling their MFA themselves?

Microsoft Azure (the backbone to Office 365) now has security defaults that forces your team to supply their MFA choices. However this is only if they ever login to the web platform, so it is far from reliable to ensure everyone has initialised their Microsoft Authenticator.

The best way to achieve this is via “Conditional Access” policies inside Azure, which requires a single Azure Premium license for your tenant. Once enabled, you will be able to add policies to force MFA at tenant level, meaning it cannot be disabled by individual users.

We have a high turnover of users and devices, and I can see MFA taking a lot of manpower to initialise each time, can anything be done to ease this?

Inside Microsoft Azure, you can add “Trusted IPs” to bypass the MFA requirement, and if your office has a static IP, this can be added here. Although this does open yourself up to IP spoofing, where someone can spoof your IP address and pretend to be you, although they would of course also need to know your Office 365 password to get access. I would strongly advise against this unless necessary.

If you do add a trusted IP address, this could see some of your users never initialise MFA, as they will never be prompted to do so if they are never outside of the trusted zone. For this reason, we recommend adding an additional conditional access policy to only allow MFA registration from the same IP as your trusted location, otherwise a password leak would mean the person with the password will be prompted to initialise MFA, which they will do so to their own device, and then gain access. With this in place, you will need users to head to the dedicated page for registering their device, as of course they will never be prompted to do so inside the Trusted Location. You can find this site here.

What could happen with MFA disabled?

Enabling MFA for your Office 365 tenant is a must for all businesses, no matter how big or small. With MFA disabled, a number of situations could occur:

  1. Leaked passwords could see access gained to your cloud resources i.e., emails, files and more.
  2. Man in the middle attacks can occur on your email system, where the party compromising your account will act as you, resending emails that are in your sent items, say bank account changes on invoices, deleting the sent item after.
  3. Files once accessed can be placed online in a public place, with a ransom requested in return for taking the files offline, which is of course a major data breach.

These days, Microsoft recommends MFA over regular password changes. This is due to regular password changes becoming less secure due to the nature of the change, for example the 1 at the end becomes a 2 and so on.

I don’t trust my employees with the code, worried they will lose their device, or my employees refuse to use their own device for work purposes.

We hear this a lot. And if this arises, there is a simple solution. We recommend that anyone facing this issue, purchases a central device, say a Android tablet, that is kept in the office under management supervision. You can pick up such a device for less than £100.


When it comes to simple methods to deploy such as MFA, you should take no shortcuts. You can access the free MFA for Microsoft within Office 365, or you can choose a bigger solution such as Duo to protect everything, including Windows logins.

If you have any questions or would like us to help with the security of your Office 365 tenant, please get in touch today.


Dave King

Author: Dave King

Dave King is the Co-Founder and Director of Carden IT Services and the wider Carden IT Group. Dave has over 18 years’ experience in business IT networks with a focus on IT consultation and disaster recovery planning/testing.

      Send Us A Message

        Send Us A Message