Feb 20 2014

Multifactor Authentication for Office 365 Expanded to Regular Users

Microsoft expands security capabilities beyond administrators.

Last June, Microsoft brought multifactor authentication — which expands the requirements for logging into Office 365 beyond simply entering a password — to Office 365 administrators. Last week, it extended that capability to subscribers to its cloud-based Office solution for PCs, Macs and mobile devices.

According to a Microsoft blog post, multifactor authentication is now available for Office 365 Midsize Business, Enterprise, Academic, Nonprofit and stand-alone plans, including Exchange Online and SharePoint Online.

Once multifactor authentication is enabled, users will be required to respond to either a text message or an app notification on their mobile device. After that second factor has been approved, the user will be able to sign in to his or her account.

“This addition of multifactor authentication is part of our ongoing effort to enhance security for Office 365, and we’re already working on Office desktop application improvements to multifactor authentication for Office 365,” writes Paul Andrew, a technical product manager on the Office 365 team. “Office 365 offers many robust built-in security features for all customers and also optional controls that enable subscribers to customize their security preferences.”

Administrators enroll users for multifactor authentication in a new section of the Office 365 admin center, where they select which users get this stronger form of authentication. Once that happens, the next time users log in to their Office 365 accounts, they will be required to configure their second factor, which each user selects and personalizes from the list of options that Microsoft provides:

  • Call to mobile phone. The user receives a phone call that asks them to press the pound key. Once the pound key is pressed, the user is logged in.
  • Text code to mobile phone. The user receives a text message containing a six-digit code that must be entered into the portal.
  • Call to office phone. This enables the user to select a different phone if they do not have their mobile phone with them.
  • Notify through app. The user configures a smartphone app and receives a notification to confirm the login. Smartphone apps are available for Windows Phone, iPhone and Android devices.
  • Show one-time code in app. The user enters the six-digit code shown in the app to gain entry into the portal.

Every succeeding login will then require the user’s password and the chosen second factor before they are allowed into their Office 365 account.

According to an article in Redmond Magazine, with last week’s announcement, Microsoft is simply extending a subset of the multifactor authentication services available for Windows Azure since last September to Office 365 subscribers. However, Windows Azure charges $2 per user per month for its multifactor authentication service while Office 365 doesn’t.

Note that the Azure version offers more features: for example, Windows Azure’s multifactor scheme includes controls to block and unblock users, the ability to generate fraud alerts and reports and to customize settings, and a software development kit.