No excuses: You must use Multi-Factor Authentication with Office 365

Wouldn’t it be great if there was a relatively simple way of eliminating around 90% of the online threats that your business will encounter? Well, here’s the good news folks—there is.

It’s called multi-factor authentication (or MFA). Properly configured MFA completely removes the threat of a data breach resulting from a compromised password—a very attractive proposition since around 90% of cyber-attacks on businesses rely on compromised passwords.

Considering that 100 million identities are attacked every month and given that 50,000 corporate identifies are compromised every month, it would be foolish to assume that your business isn’t a target and that you’re not likely to be attacked—because you are.

Even if you’re using MFA with Office 365 already, read on to make sure you’ve covered some of the vulnerabilities that will remain if you don’t address them properly.

What is MFA?

For those that don’t know what MFA is, here’s the background info for context:

Passwords have proliferated across our online lives—they’re required for every single website and web application you use. As you know, this can be quite the headache—no one enjoys clicking the ‘forgotten password’ link and having to reset it for the umpteenth time. Historically, we used the same old trusty password for everything (and 59% of people still do). Then we realised how insecure passwords were and the more diligent of us moved to multiple passwords of higher complexity.

However, no matter how complicated your passwords are, there is always the threat of a brute force or spray attack cracking your password, a phishing email catching you out, or a data breach involving a company your details are registered with. Before you know it, your details could be for sale on the dark web. Want to see if your email addresses have ever been compromised? Check here at — it takes just a few seconds. You can also take this quiz from Google to see if you can spot a phishing email.

This is where MFA comes in. MFA allows you to add a second form of identity verification to your accounts in addition to your password—your password is the thing you know. The second form of identification must be something unique that you have (e.g. your phone or a FIDO2 security key) or something that you are (e.g. a biometric such as your fingerprint). These are common secondary verification factors. This means that even if your password details fall into the hands of an attacker, they can’t get in to your accounts without something unique to you like your mobile phone or fingerprint. These are not easy to get hold of for anyone, let alone a hacker who’s in Russia or China.

Typically, an average MFA system will generate a unique code each time you attempt to login—with the code being associated with your account. For example, you would enter your password and then you would be prompted to enter a code that will be sent to your phone via an SMS text or an email.

However, SMS MFA is not something your business should rely on. While it’s better than leaving MFA turned off, hackers can intercept SMS messages with relative ease—due to an ageing global phone-routing-system and the possibility of SIM Swap attacks.

The latest and more secure version of MFA will send an approval notification to an authenticator app on your mobile device which allows you to simply click ‘approve’ or ‘deny’ to the request. You can quickly tap the prompt and you’ll be granted access.

MFA for Office 365

If your company uses Office 365, it is critical that you implement MFA—which is included in all plans. Office 365 accounts are extremely common targets for hackers; it doesn’t matter if you work for a small business or a global corporation, hackers will randomly attack accounts just because they are using Office 365. If configured with MFA, the vast majority of these attacks are unlikely to amount to anything.

To use MFA with Office 365, the easiest and quickest method requires the installation of the Microsoft Authenticator app on a mobile device. This can be an employee’s work or personal device; it just must be the device which they will always have with them when logging into their Office 365 account.

User experience

Personally, I am a firm believer that MFA offers a good user experience. When I log in to Office 365 with my account password, I’ll be notified that I need to accept an MFA prompt on my phone. Then I must simply unlock my phone and click ‘approve’. If I tick “Don’t ask again for 14 days”, I won’t need to do this again when logging in to Office 365 from the same device for the next 14 days. That’s a good user experience in my eyes; the security benefits more than justify the minimal effort required to approve the notification.

If employees aren’t happy with the idea of having to accept a notification, you have the option of paying for an Azure AD Premium P1 licence (as a minimum), which gives you the option of adding trusted IPs to your MFA. A trusted IP means you could essentially exempt the company office from having to respond to MFA prompts—it would only be the employees working remotely (on different IP addresses) that would have to respond to the prompts.

Employee buy-in

IT managers are often fearful of potential kickback from employees if they are asked to install a work-related app on their personal device. While the Microsoft Authenticator app can quickly be downloaded from the likes of Google Play or the Apple store etc. (i.e. public consumer app stores), some employees may take exception to you asking them to use some of their device’s storage space for something company related. It’s probably worth noting that Microsoft Authenticator only uses 27.38 MB on my Android device.

It’s crucial that you educate your employees on the importance of MFA; A data breach poses a threat to the company’s reputation and could carry potential penalties under GDPR from the ICO (Information Commissioner’s Office). Company funds or key client data could be stolen. While employees may not feel it is their responsibility to safeguard such things—it is. A single compromised Office 365 user account gives an attacker the keys to your kingdom. When it comes to security, everyone must play a part—not just IT. Otherwise, people’s jobs and the company’s future could be on the line.

Beware legacy protocols

While setting up MFA in Office 365 is a big step in the right direction, a few key security vulnerabilities will remain. Within Office 365, some legacy protocols exist which are not compatible with MFA. Therefore, MFA will not prompt if you attempt to gain access via these legacy applications such as:

  • Older Office clients that do not use modern authentication
  • Clients that use mail protocols such as IMAP/SMTP/POP

Spray attacks (which involve an attacker ‘spraying’ forced password breaches across thousands of accounts) are particularly focussed on legacy authentication protocols.
This is not an issue if you have an Azure AD Premium P1 licence (or a more comprehensive Microsoft security offering such as Enterprise Mobility + Security). Azure AD Premium P1 includes the option of using conditional access. Conditional access allows you to block legacy authentication from users, essentially plugging those remaining gaps in your security where MFA isn’t available.

We cannot stress enough how important it is to block legacy protocols. We monitor our clients’ accounts and the data couldn’t be clearer: businesses of all sizes are being attacked—again and again. Those that take their security seriously are well equipped to deal with it and business continues as usual.

Next steps

If your business is using Office 365, you need to roll out MFA.

There isn’t time for the business to procrastinate over issues like user experience or employee buy-in. The business case is already in front of you: You’re already paying for Office 365, you have MFA and it can protect you from 90% of the attacks on your accounts, which are ultimately inevitable. This is the absolute minimum that a business should be doing.

We strongly recommend that you protect yourself from the threats associated with legacy protocols by paying for conditional access. While we usually recommend Microsoft’s Enterprise Mobility + Security (EMS) package (which is full of value and available at £6.60* per user per month for an E3 licence), those with a limited budget may decide to look at Azure AD Premium P1 licences which include conditional access and trusted IPs (plus more) and are available at £4.50* per user per month.

*Costs correct at time of writing, Feb 2019 but subject to change by Microsoft.

Need a helping hand?

Security can be very tricky to keep pace with. Cloud technologies are evolving in capability and complexity every day and the threat-surface is huge. As a Microsoft Gold Partner, we know how much there is to keep on top of. If you’d like some help from experts in security and cloud, please don’t hesitate to get in touch for a chat with one of our friendly consultants.