The number of social engineering attempts and phishing attacks has been rising for years, and cybercriminals are quick to exploit any newly disclosed software vulnerability. One simple way to reduce the risk of a breach and strengthen access security is to require multi-factor authentication (sometimes called two-factor authentication) at login, in addition to a username and password.
In Microsoft Office 365 environments, multi-factor authentication is supported. It allows you to implement stronger access requirements in accordance with your organization’s security policy. Discover more about multi-factor authentication and how to use it in Office 365 applications.
What is Office 365 App Password?
An Office 365 App Password is a special code that allows you to access your Office 365 account and Office 365 applications. It is tied to the Azure multi-factor authentication configuration. You should generate a separate app-specific password for each device you use to access Office 365 applications; on a single device, the same app password can be reused.
An Office 365 app password is the alternative to multi-factor authentication for applications that do not natively support MFA and for non-browser applications.
Create an App Password for Office 365
- Click your avatar or user icon in the top right corner and then click My account.
- In the Security & privacy menu, find the Additional security verification option and click Create and manage app passwords.
- To make this option available, sign in to the Azure portal as an administrator and open the Multi-factor authentication settings page.
- Select the Allow users to create app passwords radio button.
- In the account options, select App password and click Create to create an Office 365 app password.
- Enter a name for the app password, for example, Outlook365. Copy the generated password to the clipboard and save it in a safe place, or write it down manually.
- After you generate app-specific passwords, you can use them to sign in to Office 365 applications such as Outlook.
What Is Multi-Factor Authentication?
Multi-factor authentication (MFA) is a method of confirming a user's identity by requiring multiple credentials before granting access to a website, application or other resource.
Two-factor authentication involves two steps:
- The user has to enter information that only they know.
- The user has to confirm their identity by providing additional information that only they can access, for example, a confirmation call, an SMS code, a USB key, a fingerprint, a face image, etc.
Generally, the types of information used by MFA can be classified into three types:
- Knowledge – something you know (a password, PIN code, etc.)
- Possession – something you have (a cell phone, USB key, smart card, token, etc.)
- Inherence – something you are (biometric data such as your fingerprint, your eye, your face, etc.)
With MFA in place, a system can verify that the person entering the username and password is the real user and not a malicious actor who has compromised the account by stealing those credentials. MFA is highly recommended for internet banking. If the information in your Office 365 documents and your Office 365 email account is important to you, you can configure MFA for Office 365 as well.
Two-factor authentication, which is a subset of multi-factor authentication, is sometimes confused with two-step verification. Although both serve the same purpose of confirming the user's identity, they differ in an essential way:
- Two-step verification relies on the user entering something only they know, for example, a password, followed by an additional step that uses an element of the same category (for example, a second key or a second password). The first step is always something you know, and something you have or something you are is never added to it.
- Two-factor authentication requires two elements from different categories – for example, the user has to enter something they know and present something they have.
Using multi-factor authentication and two-step verification may be inconvenient. For example, you may forget to take your phone with you or you may lose your phone, which makes authentication more complicated.
Types of MFA for Office 365
Office 365 offers three main types of MFA:
- Authentication phone: SMS or call
- Office phone
- Mobile app: Receive notifications for verification or use verification code
How to Enable MFA for Your Office 365 Account
If you use Office 365 in your organization, MFA must first be enabled for the organization or for the individual users who need it. After that, each user can set up multi-factor authentication for their Office 365 account.
- Go to the web page to authenticate in Office 365: https://login.microsoftonline.com.
- Log in as Administrator to Office 365.
- Go to Office 365 Admin Portal by selecting the Admin icon or by entering the web address in the address bar of your web browser manually: https://admin.microsoft.com/Adminportal/.
- In the left pane of the Microsoft 365 admin center, click Active users. In the list that opens, select the account for which you want to configure two-factor authentication. In this example, we configure Office 365 MFA for the user Michael Bose.
- Select Michael Bose. In the account options that open, click Manage multifactor authentication on the Account tab.
- A new screen opens with a list of Microsoft Office 365 accounts. The accounts are organized in a table with three columns: Display Name, User Name and Multi-Factor Auth Status. As the screenshot below shows, the MFA status is “Disabled” for all accounts by default. Let’s enable MFA for one user.
- Select the required account again (Michael Bose in this case) by ticking the checkbox next to the user name, and click Enable.
- The About enabling multi-factor auth pop-up message is displayed:
If your users do not regularly sign in through the browser, you can send them to this link to register for multi-factor auth: https://aka.ms/MFASetup
- Copy and save this link. You will need to provide this link to users to finish configuring MFA for Office 365.
- A user for whom the admin has enabled MFA must then sign in to Office 365 at https://login.microsoftonline.com.
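The admin steps above are performed by clicking through the portal. The same per-user MFA state can be audited and changed from PowerShell, which is useful when more than a handful of accounts need checking. The following is an added example, not code from the original article; it assumes the legacy MSOnline module is installed (Install-Module MSOnline), that the signed-in account holds an administrator role that may manage MFA, and uses a constructed placeholder UPN. MSOnline is deprecated by Microsoft in favour of Microsoft Graph PowerShell, so treat it as the scripting equivalent of the legacy “Manage multifactor authentication” page shown in the steps, not as the current recommended tooling.

```powershell
# Added example (not from the original article): audit and set the per-user
# MFA state with the legacy MSOnline module. Assumptions: the MSOnline module is
# installed and the signed-in account has a role permitted to manage MFA.
# MSOnline is deprecated in favour of Microsoft Graph PowerShell.

Connect-MsolService   # interactive sign-in; itself subject to MFA if the admin has it enabled

# 1. Report the per-user MFA state for every account, mirroring the portal table
#    (Display Name / User Name / Multi-Factor Auth Status). An account with no
#    StrongAuthenticationRequirements entry is what the portal shows as "Disabled".
function Get-MfaStateReport {
    Get-MsolUser -All | ForEach-Object {
        $state = $_.StrongAuthenticationRequirements.State
        if (-not $state) { $state = 'Disabled' }
        [pscustomobject]@{
            DisplayName       = $_.DisplayName
            UserPrincipalName = $_.UserPrincipalName
            MfaStatus         = $state          # Disabled, Enabled or Enforced
        }
    }
}

# 2. Enable per-user MFA for one account: the scripted form of the portal's
#    "Enable" button. The user still completes registration at https://aka.ms/MFASetup.
function Enable-UserMfa {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = '*'        # apply to all relying parties
    $req.State        = 'Enabled'  # 'Enforced' once the user has registered their method
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @($req)
}

# Usage: list the accounts still without MFA, then enable it for the example user.
Get-MfaStateReport | Where-Object MfaStatus -eq 'Disabled' | Format-Table -AutoSize
Enable-UserMfa -UserPrincipalName 'michael.bose@example.com'   # constructed placeholder UPN
```

Running the report before and after the change gives a quick check that the portal action (or the script) actually took effect, and the list of accounts still in the Disabled state is the one to hand to the users who need the https://aka.ms/MFASetup link.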
Note that the step-by-step guide below describes the actions taken by the user, not by the admin who has configured MFA.
- Open the security verification page by using the link https://aka.ms/MFASetup (that you saved earlier).
- Provide the required information in the following steps.
Step 1: How should we contact you?
In the drop-down menu you can select:
- Authentication phone
- Office phone
- Mobile app
Let’s select Authentication phone. You have to enter a valid cell phone number and select the second authentication method:
- Send me a code by text message
- Call me
If you choose to receive the code by text message (SMS) or by phone call, you may be charged according to your mobile operator’s rates. Let’s select the first option (Send me a code by text message). Click Next.
Wait a few seconds.
Step 2: We’ve sent a text message to your phone
- You will receive a verification code via SMS on your cell phone. Enter that code in the appropriate field as shown in the screenshot below. Click Verify.
- Wait until verification is complete.
- If verification is successful, click Done, and you will be redirected to the Office 365 login page. A verification code is now sent to your cell phone via SMS.
- Enter that code in the appropriate field as shown in the screenshot. Click Verify to sign in.
NOTE: If you selected the Call me option, you usually have to answer the call and press the # key.
Office 365 multi-factor authentication is now configured, and the second step is required each time after you enter your username and password. You are redirected to the page with additional security verification options, where you can modify the settings. Keep your phone with you and don’t lose it, or you will not be able to complete Office 365 authentication.
Conclusion
Multi-factor authentication and Office 365 app passwords are additional security options for authentication. Multi-factor authentication improves security but adds steps to the sign-in process. Use MFA when you are not sure that a username/password pair alone gives you enough security. Generate Office 365 app passwords if for some reason you don’t trust the classic username/password authentication method and the native multi-factor authentication methods cannot be applied in your situation.
However, even if your security configuration is strict, having a backup is always a good idea. Consider using a dedicated Microsoft 365 backup software to protect your data and ensure point-in-time restores.
Source:
https://www.nakivo.com/blog/office-365-app-password-and-multi-factor-authentication/