How to Manage MFA Strengths in M365

With the ever-growing threat of cyberattacks, it is essential to protect your data and information. Multi-factor authentication (MFA) is an ideal way to strengthen your security and protect your information from unauthorised access.

This guide will take you through the steps required to enable MFA in Microsoft 365 and provide you with the necessary tools and information to ensure your security is up to date and protected.

What is multi-factor authentication?

Multi-factor authentication (MFA) is an authentication method that requires the user to provide two or more pieces of authentication to verify their identity before they can access an account.

Multi-factor authentication is often broken down into two categories: Something you know, and something you have. Something you know refers to a login password or PIN. Something you have can be in the form of an app on your mobile device that generates a one-time code, a token/key fob, a biometric device, or a dedicated hardware device.

Why do you need advanced MFA settings?

You may think that enabling MFA is sufficient to protect your data and users. However, you may be missing an opportunity to strengthen your security further with the use of more advanced MFA settings. Microsoft claims that MFA can help prevent 99.9% of account attacks; advanced MFA settings will strengthen your security posture even more.

Advanced MFA settings allow you to specify MFA settings for specific users and groups, as well as set Expiration and Retry Rules. By enabling these more advanced settings, you can control the MFA experience for your users and ensure that your data is as secure as possible.

How to set up MFA in Microsoft 365

Microsoft 365 supports MFA through verification codes sent to the user’s phone, phone calls, or through the Microsoft Authenticator app. As an admin, there are three ways you can set up MFA in M365 for your users: security defaults, conditional access, and legacy per-user MFA.

Security defaults

By turning on Microsoft 365’s security defaults, you will enable pre-configured security settings provider by Microsoft to help protect your business from identity-related attacks. This will include automatically enabling MFA for all user accounts, including admins.

To turn on security defaults:

• Log into the Microsoft 365 Admin Center with either security, conditional access, or global admin credentials.
• Navigate to the Azure Active Directory portal, found under Admin Centers.
• On the Azure AD page, select Manage > Properties from the dashboard. Navigate to Manage Security Defaults.
• Select Yes.

Conditional access

Conditional access allows you to create specific policies with complex security requirements tailored to the needs of your business; for example, you can create policies to determine whether or not users will be granted access when their sign-ins are evaluated under the conditions you have specified.

You can also assign MFA requirements based on group memberships instead of configuring the settings for individual accounts.

To enable MFA with conditional access:

• Sign into the Azure portal with Global account credentials and navigate to Azure AD.
• Select Security > Conditional Access > + New Policy, and create a name for the new policy.
• Select Assignments > Users and Groups, and click on Select users and groups.
• Tick the box labelled Users and groups, and click Select to view the Azure AD users in your environment.
• Select the users and groups you want to apply the new policy to, and click Done.
• Next, navigate to Cloud Apps or Actions from the previous Users and Groups page.
• Choose to apply the new policy to all apps, or individual apps.
• When you have selected all the relevant apps, select Microsoft Azure Management > Select > Done.
• Next, under Access Controls, navigate to Grant and select the Grant Access button.
• Select the box labelled Require multi-factor authentication > Select.
• Toggle Enable Policy to On, and select Create to apply the conditional access policy you previously created.

Legacy per-user MFA

This option is the most cumbersome of the three, as you will have to configure each individual account’s settings.

To configure the user’s settings:

• Log into the Azure portal with Global admin credentials.
• Navigate to Azure Active Directory > Users > All Users.
• Select Multi-Factor Authentication.
• Each user will be in one of three states regarding MFA: disabled, enabled, and enforced.
• Find the user you want to enable MFA for, and check the box beside their name.
• Under Quick Steps, choose enable or disable, and confirm your choice in the pop-up window.

Microsoft does not encourage changing a user’s status to enforced unless they have registered.

Manage MFA strengths

Once you have configured MFA to your specific business requirements, you can manage the strength. Microsoft 365 allows admins to create up to 15 custom authentication strengths.

To create custom MFA strength:

• Log into the Azure portal.
• Navigate to Azure AD > Security > Authentication Methods > Authentication Strengths.
• Select New authentication strength.
• Name and describe the new policy.
• Choose the combination of MFA you require, i.e. certificate based authentication, temporary access pass, etc.
• Review your selections, and save before exiting.

Customise your Microsoft 365 MFA strengths with expert guidance

Managing the strengths of your MFA settings will ensure increased security for your M365 user accounts, but knowing which custom settings to apply may take trial and error methods that you don’t have time for.

The Microsoft 365 specialists at Essential Tech can help you configure MFA settings that will suit your business needs, users, and ensure an increased security posture the first time around. Talk to them today.