Enabling Office 365 multifactor authentication for online administrators
Recently Microsoft added yet another great feature to Office 365: multifactor authentication for online administrators. For many organizations already using Office 365 for business productivity this is a major improvement and a feature that has been requested for a long time.
Multifactor authentication is based on the principle of something you know (username and password) combined with something you have (phone) and is initiated during the Office 365 login process.
Until recently, multifactor authentication could only be used with Office 365 when single sign-on was configured, by setting it up in the on-premises Active Directory Federation Services (ADFS) infrastructure. The downside of this scenario is that the functionality is only available for federated accounts hosted in the on-premises Active Directory (AD) and not for online administrator accounts hosted in the Office 365 cloud. The reason for creating online administrator accounts is to make sure you are able to log in to Office 365 even when the ADFS infrastructure is not available.
Process summary: Enabling multifactor authentication for an online administrator account requires an administrator to add one or more phone numbers to his (or her) profile. Once connected and verified, the administrator will receive an automated phone call after every username and password login. By answering the call and pressing the # key, the account is verified and access to the Office 365 administration portal is permitted.
Process description: Below is the process of creating a new online administrator account, enabling multifactor authentication for the account and logging in to the Office 365 administrator portal.
- Create a new Office 365 online user. Make sure to use your internal domain, which is cloudinfo.onmicrosoft.com in the example above.
- Assign an administrator role to the user.
- After the online administrator account is created, enable multifactor authentication through the Windows Azure Active Directory (preview) portal at https://activedirectory.windowsazure.com
- Select "User and Groups" and click "Manage" at multi-factor authentication.
- Select the online administrator account and select "Enable" on the quickstep action menu.
- Confirm the enablement of multifactor authentication for the new online administrator account by clicking "Yes".
- Click "Close" to complete the enablement.
- Log in as the online administrator account for the first time after enabling multifactor authentication.
- After the username and password are verified, the multifactor authentication process is initiated.
- Since this is the first time the administrator logs in to Office 365, additional information is required. Click "Set it up now" to start the one-time process.
- Enter one or more phone numbers and click "Save".
- The verification process is started. A phone call will be initiated to the newly added phone number.
- After the phone call is answered, an automated phone system asks you to press the "#" key to complete the process.
That's it, you're done! The phone is now added and multifactor authentication is initiated at every login.
Free advice: Also create an online administrator account without multifactor authentication. Enable the user, but keep the password hidden somewhere in a safe. Only use this account when the multifactor service is not available for a longer period.
Conclusion: To me this proves Microsoft's dedication to continuous improvement of Office 365, and although this feature is currently still in preview, my results so far are very satisfying.