Have you enabled MFA in Microsoft 365? Regardless of length or complexity, passwords alone will not protect your account in most attacks!  

It has been two years of digital resilience. And Hybrid work has been a disruption. It is time to think about how to protect your business proactively. There is a need to find a scalable middle-ground for security. As Bret Arsenault, Microsoft’s CISO, said, “Hackers don’t break in. They log in.” 

Companies have been fast-tracking security to facilitate users to use their devices. But the question now is, how untrained users handle and share sensitive data?

Relax! This blog provides step-by-step instructions for you to understand how Microsoft made it easy to control external sharing.

Let us first briefly understand the Zero Trust Security model.

Digital Transformation Through Zero Trust?

Digital transformation changes the way you operate and makes you rethink your current approach to common issues. That said, continual adaptation to this constantly evolving environment raises a few doubts about securing your confidential data off-premises. Initiating a Zero Trust work environment may sound a bit stern, but let’s see how it works! 

The Zero Trust security model was designed in 2010 by the global research firm Forrester. Later, with the rise of smartphones, cloud-based technologies and software-as-a-service, Zero Trust security became increasingly prevalent. 

It gained traction in the early days of the pandemic. As external sharing grew exponentially, there was a surge of new, potentially unsecured devices as employees logged into corporate networks from home. The Zero Trust Security Model will eventually become the industry standard, which means everyone is on a Zero Trust journey. 

Microsoft’s Approach To Zero Trust 

Microsoft cloud technology has played a significant role in building a Zero Trust security framework around the concept of ‘never trust, always verify.’ The Zero Trust model is the core architectural principle in the design of Microsoft 365 and Azure, where end end-to-end visibility is the key.

Microsoft brings together threat intelligence, risk detection, and conditional access policies to automate response across all of the Zero Trust layers. And the protections span beyond the Microsoft cloud to hybrid or even multi-cloud environments. The fundamental of Microsoft’s policy is to work behind the scenes to keep users secure and undisrupted in their flow as they work. 

The Zero Trust principle leverages multifactor authentication (MFA) technology to manage user access based on continual verification. It does not cost any money, and there is no extra work to put it in place, and it is not complicated for the user. It is a box you check. Once you log in to Microsoft 365, it would be best if you turned this on.  

Let us look at the steps to enable MFA in Microsoft 365 below. 

1. Login to your Microsoft office account: Type your username and password and click sign-in. 
2. A dialogue box appears asking you, ‘Provide more information to keep your Office 365 account more secure.’ 
3. Click next to continue the process. 
4. A screen appears asking you to download the Microsoft authenticator app on your mobile. 
5. After downloading it, Choose the Next button. 
6. Choose the ‘allow camera’ option on your phone to complete the set-up correctly. 
7. After installing the app, scan the QR code displayed on the screen to keep it connected to your Microsoft account. 
8. It registers your app successfully against your account. After that, validate the process. 
9. It sends a notification from Microsoft authenticator, where you must click on ‘approve’ to move forward. 
10. After clicking approve, it confirms, ‘Notification approved.’ 

Now that one authentication method is done let us see the backup option, which is through SMS. 

1. It asks to provide your mobile number to send an SMS verification number.  
2. Choose the option you want, either SMS or a Microsoft call to verify. 
3. If you enter the SMS option, it sends a 6-digit code. And you have to enter the code and click next. 
4. After it completes, it confirms ‘SMS verified successfully.’ 
5. Now, you are ready to use Microsoft authenticator as a default sign-in for your account. 

How to enable MFA In Microsoft 365 For Users? 

1. Log in to the Microsoft admin centre using Global admin or privileged admin account credentials. 
2. Click Users and go to Active users. 
3. Go to the Multifactor authentication option, and click that. 
4. After clicking on the multifactor authentication option, it will show a window displaying the list of users and their MFA status. 
5. The authentication status is usually disabled because MFA is not enabled for all users. Select the users and click on the Manage user settings option on the right side. 
6. A pop up appears asking you to select the following options. A. Selected users must provide contact details again. B. Delete all existing passwords generated by the selected users. C. Restore multifactor authentication for all remembered devices. Admins can enable all the settings or any of these settings depending on their requirements. 
7. For the first time, you must allow all three settings and click the save button. This process will enable multifactor authentication for all the users. And for the next login, it authenticates every user through the authentication method. 
8. On this page, the admin can customize the authentication for the end-user experience. There are two settings available: App password settings and Trusted IPs. Admins can select the options depending on their requirements. 
9. Verification methods for MFA are- A. Call to mobile. B. Text message to the mobile. C. Notification through the mobile app. D. Verification code from mobile app or hardware token (can be a USB security key attached to the computer device). Admins can enable all the settings.
10. After that, it displays an option ‘remember multifactor authentication on a trusted device.’ It enables the feature, ‘Allow users to remember multifactor authentication on the devices they trust.’ By default, it is 90 days. Admins can enter any number of days between one to 365. The last step is to click on the Save button after enabling all the settings. 

Enabling MFA In Microsoft 365 Is A Priority!

The 2020-2021 pandemic and the resulting move to remote working have accelerated the need to implement Zero Trust Security. Indeed, data footprints have expanded to sit off-premises in the cloud or across hybrid networks. And companies started embarking on the Zero Trust journey to address a more holistic set of attack vectors. 

Over time, settings can age, and new attack scenarios develop. And new security controls will be available. It necessitates regular review, upkeep, modifications, and even removal of old configurations. We are on a journey to make it easier to understand all the configuration gaps in your environment.