What prevents passwordless authentication

Multi-factor authentication - increase data protection in Microsoft Office 365

Multi-factor authentication - increase the protection of data in Microsoft Office 365 with little effort

Multi-factor authentication as part of Microsoft Office 365 or Azure Active Directory is a fundamental protection factor for company data. As an Office 365 administrator, multi-factor authentication can be activated for individual or all users with just a few clicks or via PowerShell.

Let us assume that important business data is stored in the application and that the application has no security gaps and is as technically secure as possible. In this case, the data can only be accessed through the identity with which the application is accessed. Authentication usually takes place using a user name and password. Anyone who knows the username and password has access to company data. Why hack through firewalls, network zones and system vulnerabilities when identities (user names and passwords) can be found out through social engineering / social hacking (e.g. phishing), brute force attacks, keyloggers and the like?

It is therefore in the interests of an IT security strategy to protect identities as best as possible. So-called two-factor or multi-factor authentications (MFA), which we have long been familiar with from online banking, for example, are a very tried and tested approach to significantly increasing the protection of identities.

In this post I show how access to company data in Office 365 can be made more secure through integrated multi-factor authentication.

Activation of multi-factor authentication in Office 365 or in the Azure Active Directory client

In principle, multi-factor authentication is a self-service, but it is deactivated by default and must first be activated for the user. The starting point is the user management in the Office 365 client:

The actual configuration of the multi-factor authentication takes place via the Office 365 client in the associated Azure Active Directory. There, multi-factor authentication can be activated for single or multiple users:

That's it. The status Activated means that the MFA has been activated but not yet configured by the user. After the configuration has been completed by the user, the status changes to Forced.

Of course, these settings can also be set using PowerShell. In Azure Active Directory there are additional multi-factor service settings that can be configured if necessary:

Further settings can be made in the Azure Active Directory portal. Among other things, the configuration option for trustworthy IP addresses - often called IP whitelist - is very useful. This allows IP address ranges to be defined. If you log on to Office 365 from a trustworthy IP, multi-factor authentication is not required. Here - after weighing the advantages and disadvantages - the outbound IP address of a company, for example, can be entered. Before doing this, it should be ensured that potential attacks such as social hacking, brute force attacks or keyloggers are otherwise prevented in the company network.

What does multi-factor authentication look like from the user's point of view?

First set up of multi-factor authentication

After the multi-factor authentication has been activated for an account, the user has to set it up once for himself. After MFA has been activated, the first step in authentication is the so-called identification. The user has to identify himself so that the authentication can be carried out using the second factor based on the defined settings.

There are various options for registering the second factor. I personally prefer authentication using the mobile app and show how it works here. Alternatively, a 6-digit one-time PIN can be sent to a cell phone or an automated phone call can be triggered, which must then be accepted and confirmed with the hash (#). Of course, it is possible to change the preferred option for two-factor authentication or to register additional mobile devices at any time.
There are two variants when using the mobile app for authentication:

  • Acknowledgment of a notification: This is the most convenient and fastest way of multi-factor authentication. After identification, a notification is sent on the mobile app, which must be confirmed.
  • Use of a verification code: With this method - similar to classic hardware-based token solutions - a OneTime PIN (OTP) generated on the mobile app that expires after 30 seconds must be used as a second authentication factor.

Both variants require that the mobile app is registered on a smart phone (Windows Phone, iOS or Android). This is done as follows:

  1. Selection: notification or verification code


  1. Registration of the mobile app. The Azure Authenticator app must be downloaded from the app store onto the respective smart phone, after which the app can easily be connected to the corresponding user profile by taking a photo of a QR code or entering a code, if the QR code cannot be scanned produce.

    3. After registering the mobile app, an additional security check is carried out. Here the mobile app is used for the first time for authentication.


The language of the Azure Authenticator App is automatically based on the language of the login dialog in Office 365. In the example above you can also see that the Azure Authenticator App is multi-tenant, ie the mobile app can authenticate to different Office 365 tenants or Azure Active Directory based applications are used.

4. If not already done, an additional security check has to be configured. This is necessary, for example, to carry out a self-service password reset if necessary.

5. An app password is displayed before completion. This is a kind of fallback / compatibility feature so that classic applications that do not support multi-factor authentication can continue to be used. When using the app password, there is no multi-factor authentication, but authentication takes place using the generated, strong app password.

Change of the multi-factor authentication settings

Of course, the user can also change the multi-factor authentication settings later. This is necessary if, for example, you want to use a different smart phone or a different telephone number for SMS-based authentication. The MFA settings are in the Office 365 Settings in the area Settings to find:

Use of the app password

The app password is required for applications that do not (yet) support multi-factor authentication. One of these applications is Skype for Business in the desktop version. If you try to log in with your normal password, this error message appears:

App passwords can be created in Office 365 Settings> Settings:

The login for Skype for Business works with the app password.
Use of multi-factor authentication for access to Office 365 / Azure Active Directory using PowerShell is not possible.

questions and answers

For which identity types is Azure Multi-Factor Authentication possible?

In general, it can be said that multi-factor authentication can only be provided by the respective authentication or identity provider.
In the Office 365 environment, a distinction is made between three types of identity:

  • Cloud identity: The identity provider for these identities is Azure Active Directory. The multi-factor authentication of Office 365 / Azure Active Directory can be used for these identities
  • Federated Identity: These identities authenticate against another identity provider, e.g. against the company's own ADFS service. Office 365 / Azure Active Directory multi-factor authentication cannot be used. However, an ADFS server can also perform multi-factor authentication if it has been configured accordingly. In order to use the Azure Active Directory multi-factor authentication for an ADFS service, a so-called multi-factor authentication server must be installed.
  • Synchronized Identity: These identities use a same sign-on, i.e. the user authenticates with his company password against Azure Active Directory. In this case, Office 365 / Azure Active Directory multi-factor authentication can be used.


Is the mobile app multi-tenant?

Yes, the mobile app is multi-tenant, i.e. the Azure Authenticator app can be used for authentication on different Office 365 tenants.

Why do you need the app password?

The app password is required because not all applications currently support multi-factor authentication. The app password is generated and in most cases is significantly stronger than a password that the user thinks up.

How can I change the multi-factor settings?

The settings, such as the preferred authentication method, are in the Office 365 Settings changeable.

With multi-factor authentication - is everything secure now?

No! The multi-factor authentication only prevents someone from logging into an application with a login and password.
For example, the MFA does not protect against an authenticated and authorized user taking data out of the application and passing it on to third parties. Solutions such as Information Rights Management in SharePoint or Azure Rights Management are recommended for this.
MFA also does not protect if a user leaves the company and the identity is not deactivated. Multi-factor authentication also requires identity lifecycle management.

Conclusion & recommendation

Multi-factor authentication as part of Office 365 or Azure Active Directory is a fundamental protection factor for company data. As an Office 365 administrator, multi-factor authentication can be activated for individual or all users with just a few clicks or via PowerShell. The one-time registration of the second authentication factor by the user is completed in a few minutes and is self-explanatory. In addition, extensive help and videos from Microsoft are offered in the dialogs.
I myself protect my Office 365 identity and thus access to company data through multi-factor authentication and quickly got used to confirming the authentication request via the mobile app. The multi-factor authentication works perfectly in the applications Office, OneDrive, Skype, OneNote, etc. on both desktop and smart phones (intensively tested with iOS and Windows Phone). The time lost per authentication is less than 10 seconds - for me it is worth protecting my identity. However, you shouldn't leave your smart phone at home J
The only point of criticism is that currently most, but not all Microsoft applications support Microsoft multi-factor authentication. Outlook 2016 and Skype for Business currently require the app password. This can create a bit of confusion when setting up.