
    Office 365 Multi-factor Authentication Best Practices

    By: Dave Romano

    In practice, multi-factor authentication (MFA) in Office 365 means dual-factor authentication; the MFA moniker reflects that Microsoft will likely introduce additional options in the future.

    Once enabled, aside from entering a username/password combination, users are also prompted to acknowledge a text message, phone call, or app notification interactively on their smartphone, tablet, or other device.

    Given the fallout after the major MFA outage in November, when a lot of users across the world found themselves locked out of the Office 365 portal, here are some best practices to follow to ensure that users who have MFA enabled do not get locked out.

    Create two or more emergency access “break-glass” admin accounts.

    The emergency access accounts should not be associated with any individual and should not be connected with any mobile phones or hardware tokens. Create these accounts as cloud-only accounts within the Office 365 tenant.

    Exclude break-glass admin accounts from MFA

    Emergency access accounts must be excluded from the MFA requirements imposed by any access policies. Also make sure the accounts do not have a per-user MFA policy applied.

    Create strong passwords

    Use randomly generated passwords that are at least 16 characters long. Set the passwords to never expire.

    Keep passwords offline in a safe location

    Make sure to keep the emergency access account passwords printed/written on paper in a safe location. Make sure that these credentials are known only to key personnel that are authorized to use them.

    Test emergency access on a regular basis

    Include validation of the emergency access accounts as an integral part of disaster recovery (DR) drills, or perform it a few times a year. Validate emergency access accounts by signing in to the O365 portal and performing admin functions. Ensure that the emergency break-glass process is up to date and documented. Train key staff and security officers on the DR process.
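
The checklist above can be checked mechanically during each drill. The following is an added example, not code from MessageOps or Microsoft: it audits an exported list of account records against the practices listed here. The record field names, the `breakGlass` flag, the method labels and the sample accounts are all assumptions constructed for illustration.

```python
# Added example: audit exported account records against the break-glass checklist.
# All field names and values are assumptions made for this example.

# Sign-in methods tied to a phone or hardware token (assumed labels).
DEVICE_BOUND = {"phone", "authenticatorApp", "hardwareToken"}

def audit_break_glass(acct, mfa_excluded):
    """Return the checklist violations for one emergency access account."""
    findings = []
    # Cloud-only: a directory-synced account depends on on-premises AD.
    if acct.get("onPremisesSyncEnabled"):
        findings.append("directory-synced, not cloud-only")
    # Any per-user MFA state other than "disabled" subjects the account to MFA.
    if (acct.get("perUserMfaState") or "disabled").lower() != "disabled":
        findings.append("per-user MFA is turned on")
    if acct["userPrincipalName"].lower() not in mfa_excluded:
        findings.append("not excluded from MFA access policies")
    # passwordPolicies: comma-separated flags, or None when no flag is set.
    flags = {f.strip() for f in (acct.get("passwordPolicies") or "").split(",")}
    if "DisablePasswordExpiration" not in flags:
        findings.append("password is set to expire")
    bound = sorted(DEVICE_BOUND & set(acct.get("authMethods", [])))
    if bound:
        findings.append("device-bound methods registered: " + ", ".join(bound))
    return findings

def audit_tenant(accounts, mfa_excluded):
    """Audit every account flagged breakGlass and enforce the 'two or more' rule."""
    excluded = {u.lower() for u in mfa_excluded}
    report = {a["userPrincipalName"]: audit_break_glass(a, excluded)
              for a in accounts if a.get("breakGlass")}
    compliant = sum(1 for f in report.values() if not f)
    if compliant < 2:
        report["_tenant"] = [f"{compliant} compliant emergency account(s), need 2 or more"]
    return report

# Constructed sample export (not real tenant data).
SAMPLE = [
    {"userPrincipalName": "bg1@example.onmicrosoft.com", "breakGlass": True,
     "onPremisesSyncEnabled": None, "perUserMfaState": "disabled",
     "passwordPolicies": "DisablePasswordExpiration", "authMethods": ["password"]},
    {"userPrincipalName": "bg2@example.onmicrosoft.com", "breakGlass": True,
     "onPremisesSyncEnabled": None, "perUserMfaState": "enforced",
     "passwordPolicies": None, "authMethods": ["password", "phone"]},
]
MFA_EXCLUDED = ["BG1@example.onmicrosoft.com"]

if __name__ == "__main__":
    for upn, findings in audit_tenant(SAMPLE, MFA_EXCLUDED).items():
        print(upn, "OK" if not findings else findings)
```

An empty findings list means the account matches every item that can be checked from an export; password storage and staff training still need to be verified by hand.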
