Ways to Implement Multi-Factor Authentication

Fight off bad actors and hackers with extra IT security

What is MFA?

Multi-factor authentication (MFA) is a process where the user must provide multiple forms of identification. The first method is typically a username and password; the second can be, for example, a one-time password sent by text, usually a random combination of numbers and letters.

 

Azure AD is a very popular MFA provider. It supports the following forms of verification:

• Microsoft Authenticator app
• OATH hardware token
• SMS OTP
• Voice call

 

Why Multi-Factor Authentication (MFA)

At the basic level, MFA is added security in a two-step process. This introduces a significant challenge to bad actors because they would need access to multiple authentication methods. Trusted and not easily duplicated MFA processes include using a registered cell phone, biometrics like facial or fingerprint recognition, and a domain-joined PC.

Ways to implement multi-factor authentication (MFA) in Microsoft 365

There are four separate ways to configure multifactor authentication in Microsoft 365:

Security Defaults

Security defaults are the newest way to enable MFA in Microsoft 365. They enable MFA across your entire tenant. That includes all of your users. There is no way to limit MFA to a select user or group with security defaults. If you created your tenant after October 22nd, 2019, security defaults are probably already enabled on your tenant. 

By enabling security defaults in your Microsoft 365 tenant, you're not only requiring MFA but also blocking legacy authentication, for example, IMAP, POP3, and basic auth.

Security Defaults are available for all Microsoft 365 tenants regardless of your licensing.

Per-user MFA

Per-user MFA gives more control over who is required to use multifactor authentication, but it requires you to enable MFA for every user individually. That means every time you create a new user in Microsoft 365, you need to enable MFA for that user. But it also means you can roll out MFA to a set of users.

Per-user MFA is available for all Microsoft 365 tenants regardless of your licensing.

Conditional access policy

The last built-in choice is via conditional access policies. Conditional access policies combine the best of security defaults with the best of per-user MFA. With conditional access policies, you can deploy MFA to a user or a group of users, so you don't have to require MFA for all users as you do with security defaults. You can also configure conditional access policies to include all users or all administrators, so you don't need to remember to enable MFA for every new user as you do with per-user MFA.

The one downside of conditional access policies is licensing. Conditional access policies are only available for Azure AD Premium P1 licensed users. Conditional access policies are also available to Microsoft 365 Business Premium users.
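As an added illustration (not code from the original post or from Microsoft), the Python example below models the three built-in options over a constructed tenant snapshot and lists the accounts that nothing forces through MFA. Field names follow the Microsoft Graph conditional access policy schema; the users, groups and policies are made up, and UPNs and group names stand in for the object IDs a real export would contain.

```python
# Constructed snapshot (assumption): UPNs/group names replace the object IDs of a real export.
SNAPSHOT = {
    "security_defaults_enabled": False,
    "users": [
        {"upn": "alice@contoso.example", "groups": ["finance"], "per_user_mfa": "Disabled"},
        {"upn": "bob@contoso.example", "groups": ["it-admins"], "per_user_mfa": "Disabled"},
        {"upn": "carol@contoso.example", "groups": [], "per_user_mfa": "Enforced"},
        {"upn": "dave@contoso.example", "groups": [], "per_user_mfa": "Disabled"},  # new hire
        {"upn": "breakglass@contoso.example", "groups": ["it-admins"], "per_user_mfa": "Disabled"},
    ],
    "ca_policies": [
        {"displayName": "MFA for finance and admins", "state": "enabled",
         "conditions": {"users": {"includeUsers": [], "includeGroups": ["finance", "it-admins"],
                                  "excludeUsers": ["breakglass@contoso.example"], "excludeGroups": []}},
         "grantControls": {"builtInControls": ["mfa"]}},
        {"displayName": "MFA for everyone (pilot)", "state": "enabledForReportingButNotEnforced",
         "conditions": {"users": {"includeUsers": ["All"], "includeGroups": [], "excludeUsers": [], "excludeGroups": []}},
         "grantControls": {"builtInControls": ["mfa"]}},
    ],
}

def policy_requires_mfa(policy, user):
    """True if an enforced CA policy with an MFA grant control applies to this user."""
    controls = (policy.get("grantControls") or {}).get("builtInControls", [])
    if policy["state"] != "enabled" or "mfa" not in controls:
        return False  # report-only and disabled policies enforce nothing
    scope, groups = policy["conditions"]["users"], set(user["groups"])
    if user["upn"] in scope["excludeUsers"] or groups & set(scope["excludeGroups"]):
        return False  # exclusions win over inclusions
    return ("All" in scope["includeUsers"] or user["upn"] in scope["includeUsers"]
            or bool(groups & set(scope["includeGroups"])))

def mfa_source(snapshot, user):
    """Return which mechanism forces MFA for the user, or None if nothing does."""
    if snapshot["security_defaults_enabled"]:
        return "security-defaults"  # tenant-wide, no per-user scoping (as the post describes)
    for policy in snapshot["ca_policies"]:
        if policy_requires_mfa(policy, user):
            return "conditional-access: " + policy["displayName"]
    if user["per_user_mfa"] in ("Enabled", "Enforced"):
        return "per-user"
    return None

def coverage_gaps(snapshot):
    """UPNs of users that no mechanism currently forces through MFA."""
    return [u["upn"] for u in snapshot["users"] if mfa_source(snapshot, u) is None]

if __name__ == "__main__":
    print("No MFA requirement:", coverage_gaps(SNAPSHOT))
```

In this snapshot the new hire and the excluded account surface as gaps, because the tenant-wide policy is still in report-only state and per-user MFA was never switched on for them.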

Third-party Options

Microsoft has also configured Microsoft 365 so third-party vendors can offer multifactor authentication options. Several vendors sell software or cloud-only options that can tie into Microsoft 365 and provide you with multifactor authentication. Some of those vendors are OneLogin and Duo.

 

In conclusion, Multi-Factor Authentication is an inevitable purchase for any company that uses an internet connection. Bad actors are only becoming more sophisticated, and you need to protect the business's and clients' data. We have discussed multiple implementation options and the purpose of MFA. Hopefully there is a useful takeaway in this blog post – good luck planning and implementing.