Office 365 Multi-factor Authentication Best Practices
By: Dave Romano
In practice, multi-factor authentication (MFA) in Office 365 currently means two-factor authentication; the "multi-factor" name reflects that Microsoft will likely introduce additional factor options in the future.
Once enabled, aside from entering username/password combo, users are also prompted to acknowledge a text message, phone call, or app notification interactively on their smartphone, tablet or other device.
Given the fallout after the major MFA outage in November, when a lot of users across the world found themselves locked out of the Office 365 portal, here are some best practices to follow to ensure that users who have MFA enabled do not get locked out.
Create two or more emergency access “break-glass” admin accounts.
The emergency access accounts should not be associated with any individual, nor tied to a mobile phone or hardware token assigned to a particular person. Create these accounts as cloud-only accounts within the Office 365 tenant.
Exclude break-glass admin accounts from MFA
Emergency access accounts must be excluded from the MFA requirements imposed by any access policies. Also make sure the accounts do not have per-user MFA enabled.
Create strong passwords
Use randomly generated passwords of at least 16 characters, and set the password to never expire.
Keep passwords offline in a safe location
Keep the emergency access account passwords printed or written on paper in a safe location. Make sure that these credentials are known only to key personnel who are authorized to use them.
Test emergency access on a regular basis
Include validation of the emergency access accounts as an integral part of disaster recovery (DR) drills, or perform it a few times a year. Validate the accounts by signing in to the O365 portal and performing admin functions. Ensure that the emergency break-glass process is documented and kept up to date. Train key staff and security officers on the DR process.
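As an added example (not code from the original post or from MessageOps), the script below turns the practices above into a repeatable check you can run before each DR drill: it generates a random password that exceeds the 16-character minimum, and for each break-glass account it verifies that the account is cloud-only, has no per-user MFA or registered MFA phone, has a non-expiring password, and is excluded from every enabled conditional access policy. It assumes the MSOnline and AzureAD PowerShell modules (both since superseded by Microsoft Graph PowerShell), an existing Connect-MsolService and Connect-AzureAD session, and uses placeholder account names.

```powershell
# Added example, not part of the original post. Assumes the MSOnline and AzureAD modules.
# Run after:
#   Connect-MsolService
#   Connect-AzureAD

function New-BreakGlassPassword {
    # Random password drawn from a CSPRNG; 24 characters exceeds the 16-character minimum.
    param([int]$Length = 24)
    $alphabet = [char[]]'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*-_=+'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] 4
    $chars = for ($i = 0; $i -lt $Length; $i++) {
        $rng.GetBytes($bytes)
        # 74-symbol alphabet against a 32-bit value: modulo bias is negligible here.
        $alphabet[[BitConverter]::ToUInt32($bytes, 0) % $alphabet.Length]
    }
    $rng.Dispose()
    return (-join $chars)
}

function Test-BreakGlassAccount {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    $user     = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop
    $findings = New-Object System.Collections.Generic.List[string]

    # Per-user MFA: an empty StrongAuthenticationRequirements collection means "Disabled".
    if ($user.StrongAuthenticationRequirements.Count -gt 0) {
        $findings.Add("per-user MFA is '$($user.StrongAuthenticationRequirements[0].State)', expected Disabled")
    }
    # No phone registration tying the account to one person's device.
    if ($user.StrongAuthenticationUserDetails -and $user.StrongAuthenticationUserDetails.PhoneNumber) {
        $findings.Add("an MFA phone number is registered; break-glass accounts must not depend on a device")
    }
    # Cloud-only: a directory-synced account is unusable if sync or on-premises AD is down.
    if ($user.ImmutableId) {
        $findings.Add("account is synced from on-premises AD (ImmutableId set), expected cloud-only")
    }
    if (-not $user.PasswordNeverExpires) {
        $findings.Add("PasswordNeverExpires is false")
    }
    # Every enabled conditional access policy must list the account in its user exclusions.
    # Exclusion via a group is not checked here; extend with Get-MsolGroupMember if you rely on groups.
    $objectId = [string]$user.ObjectId
    foreach ($policy in Get-AzureADMSConditionalAccessPolicy) {
        if ($policy.State -ne 'enabled') { continue }
        if ($policy.Conditions.Users.ExcludeUsers -notcontains $objectId) {
            $findings.Add("conditional access policy '$($policy.DisplayName)' does not exclude this account")
        }
    }

    [pscustomobject]@{
        UserPrincipalName = $UserPrincipalName
        Compliant         = ($findings.Count -eq 0)
        Findings          = $findings.ToArray()
    }
}

# Usage: audit every break-glass account (placeholder UPNs) before each DR drill.
$breakGlassAccounts = @('breakglass1@contoso.onmicrosoft.com', 'breakglass2@contoso.onmicrosoft.com')
$breakGlassAccounts | ForEach-Object { Test-BreakGlassAccount -UserPrincipalName $_ } | Format-List

# Generate a fresh password when rotating the offline copy kept on paper.
New-BreakGlassPassword
```

The audit is read-only: it reports deviations rather than changing the accounts, so it is safe to schedule alongside the DR drill. Any non-empty Findings list means the account could be locked out during an MFA outage and should be fixed before the drill counts as passed.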
For more information visit www.messageops.com or call 877 788 1617