January 29, 2020 Knowledge Center Office 365

Mandatory Multi-Factor Authentication, Microsoft 365, and Conditional Access

Reading Time: 3 minutes

Editor’s Note: This article was published in January of 2020 and has been updated for accuracy and comprehensiveness as of November 2020.

For Microsoft 365 customers, Multi-Factor Authentication (MFA) will soon no longer be optional. Recently, Microsoft announced that they will be enabling Multi-Factor Authentication by default for all of their business customers using a feature they call “Security Defaults.” SUCCESS Computer Consulting looks at what this means, and how conditional access can offer an alternative.

What is Multi-Factor Authentication and how will it impact me?

In practical terms, this means that every user will be prompted to register at least two methods for verifying their account, besides a password. Text messages to your mobile device are one option for MFA. Another option is using an authentication app such as Google or Microsoft authenticator, which are available for free in your app store.

A photo showing where to find the control panel to set up security defaults and conditional access through your mobile device.

After this registration is done, when you sign into any Microsoft 365 services, for instance by browsing to https://portal.office.com, you will be prompted for your password like usual, and then you will receive a push notification on your phone asking you to approve the sign-in request.

An example of Multi-Factor Authentication screen that can be achieved through conditional access or Microsoft Office 365 security defaults.

Note: With the Security Defaults in place, it is not possible to make any exceptions, even for emergency access accounts or service accounts (for example, when an application or multi-function printer device is sending email on your behalf).

When will this start happening?

MFA registration will start happening slowly—at first only for new customers signing up for the service. Microsoft has already started this process with a percentage of new users. Eventually, 100% of new onboarding customers will be enabled for the Security Defaults. Microsoft will start with those who have never enabled MFA for any accounts.

Microsoft has not announced a timeline for when they will begin to transition existing customers, but we are keeping a close eye on it.

What are my choices? Can I opt-out?

The Security Defaults will be the “out of box” experience. But remember: it’s not possible to make individual exceptions to this (it’s either completely off for everyone, or completely on). If the Security Defaults work for your business, then SUCCESS can turn this experience on at any time. We can provide your staff with a walk-through PDF guide and enable it easily before Microsoft does it for you.

However, you have the ability to create your own custom sign-on experience using a feature known as Conditional Access. When you enable Conditional Access, you will be able to make modifications to your security policies as needed. When you do this, you are automatically disqualified from using the security defaults feature.

A picture of the settings showing that conditional access and security defaults can't be on at the same time.

Conditional Access allows you to write custom security policies, with exceptions as needed for service accounts, emergency access accounts, and more. Here are some quick examples of the structure of Conditional Access rules:

More Options Through Conditional Access:

Here we have much greater flexibility to grant, deny, or limit access under specific circumstances. And we can make exceptions! For example: 

  • Be very strict with admin accounts and require MFA more frequently
  • Exclude service accounts from the MFA requirement 
  • Exclude emergency access accounts from MFA and other restrictive requirements
  • Treat browser access more cautiously, especially on unmanaged devices (e.g. block download)
  • Allow users to meet the MFA requirement OR device compliance if they have managed devices 

There are many ways to implement security that is tailored to specific situations—but it requires “opting in” for Conditional Access.

This feature is available with any Microsoft 365 plan. So, if you are still on a legacy Office 365 subscription plan such as Microsoft 365 Business Standard or Office 365 Enterprise E3, consider upgrading to Microsoft 365 Business Premium soon—it has many other “business-friendly” protections designed specifically for the cloud-first, mobile-first era.

While MFA requires an additional step to the login experience, its security benefits far outweigh the inconvenience to end-users. If you have any questions about multi-factor authentication, your Microsoft Office 365 subscription plan, and how it will affect your end-users, contact SUCCESS at (763) 593-3000.