Looking for specific instructions for enabling and configuring MFA for Ofice 365 users

%3CLINGO-SUB%20id%3D%22lingo-sub-1200717%22%20slang%3D%22en-US%22%3ELooking%20for%20specific%20instructions%20for%20enabling%20and%20configuring%20MFA%20for%20Ofice%20365%20users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1200717%22%20slang%3D%22en-US%22%3E%3CP%3EI%20would%20like%20to%20enable%20MFA%20for%20my%20Microsoft%20365%20clients%20but%20have%20a%20few%20questions%20about%20how%20to%20do%20this.%3CBR%20%2F%3E%3CBR%20%2F%3E1.%20When%20enabling%20MFA%2C%20how%20to%20do%20enable%20multiple%20methods%20for%20MFA%20(i.e.%20hardware%20key%2C%20biometric%2C%20text%20to%20mobile%2C%20Microsoft%20Authentication%2C%20etc.)%3F%3CBR%20%2F%3E%3CBR%20%2F%3E2.%20What%20is%20the%20method%20of%20MFA%20called%2C%20when%20a%20user%20must%20match%20a%20two%20digit%20number%20shown%20on%20screen%2C%20with%20one%20of%20three%20options%20shown%20on%20their%20mobile%20device%3F%3CBR%20%2F%3E%3CBR%20%2F%3E3.%20Is%20there%20a%20way%20to%20also%20implement%20MFA%20with%20Microsoft%20desktop%20applications%20such%20as%20Outlook%2C%20Teams%2C%20OneDrive%2C%20etc.%20so%20that%20the%20user%20must%20confirm%20an%20MFA%20method%20when%20launching%20the%20apps%20from%20their%20Windows%2010%20laptop%2Fdesktop%2C%20even%20if%20they%20have%20already%20had%20to%20use%20MFA%20to%20get%20past%20the%20Windows%2010%20login%20screen%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1200717%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3Emfa%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1200930%22%20slang%3D%22en-US%22%3ERe%3A%20Looking%20for%20specific%20instructions%20for%20enabling%20and%20configuring%20MFA%20for%20Ofice%20365%20users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1200930%22%20slang%3D%22en-US%22%3E%3CP%3EThe%20two%20primary%20ways%20of%20enforcing%20Azure%20MFA%20(there%20is%20another%20way%20too%2C%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fazure-active-directory-identity%2Fintroducing-security-defaults%2Fba-p%2F1061414%22%20target%3D%22_self%22%3ESecurity%20Defaults%3C%2FA%3E)%2C%20this%20may%20depend%20on%20what%20licensing%20is%20available%2C%20either%20enabling%20it%20per%20user%20or%20using%20Conditional%20Access%2C%20this%20link%20talks%20about%20the%20two%20options%20and%20and%20how%20to%20enable%20per-user%20Azure%20MFA%2C%20which%20is%20the%20more%20basic%20approach%20-%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fauthentication%2Fhowto-mfa-userstates%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fauthentication%2Fhowto-mfa-userstates%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAnd%20more%20specifics%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-gb%2Fmicrosoft-365%2Fadmin%2Fsecurity-and-compliance%2Fset-up-multi-factor-authentication%3Fview%3Do365-worldwide%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-gb%2Fmicrosoft-365%2Fadmin%2Fsecurity-and-compliance%2Fset-up-multi-factor-authentication%3Fview%3Do365-worldwide%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20explains%20the%20licensing%20differences%20and%20requirements%20%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fauthentication%2Fconcept-mfa-licensing%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fauthentication%2Fconcept-mfa-licensing%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20best%20and%20most%20granular%20experience%20is%20using%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fauthentication%2Ftutorial-enable-azure-mfa%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EConditional%20Access%3C%2FA%3E%2C%20which%20Microsoft%20recommend%20but%20that%20requires%20Azure%20AD%20Premium%20and%20also%20the%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fauthentication%2Fconcept-registration-mfa-sspr-combined%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ecombined%20registration%20experience%3C%2FA%3E%20is%20worth%20looking%20at%20too%2C%20that%20has%20its%20own%20way%20of%20configuring%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fauthentication%2Fconcept-authentication-methods%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Eauthentication%20methods%3C%2FA%3E%2C%20as%20well%20as%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fauthentication%2Fhowto-mfa-mfasettings%23mfa-service-settings%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehere%3C%2FA%3E.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWith%20Conditional%20Access%20you%20can%20target%20desktop%20applications%20and%20enforce%20Azure%20MFA%20with%20a%20set%20criteria%20for%20example%20to%20Windows%20or%20macOS%20devices%20with%20desktop%20clients.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHope%20some%20of%20that%20helps!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1202637%22%20slang%3D%22en-US%22%3ERe%3A%20Looking%20for%20specific%20instructions%20for%20enabling%20and%20configuring%20MFA%20for%20Ofice%20365%20users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1202637%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%2C%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F2395%22%20target%3D%22_blank%22%3E%40Cian%20Allner%3C%2FA%3E!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAlso%2C%20I%20recall%20that%20there's%20an%20MFA%20method%20within%20Office%20365%20that%20asks%20the%20client%20app%20to%20match%20the%20number%20shown%20on%20screen%2C%20with%20one%20of%20the%20three%20options%20that%20show%20up%20on%20their%20MFA%20mobile%20device%2C%20rather%20than%20entering%20a%20six%20digit%20code%20generated%20from%20the%20Microsoft%20Authenticator%20app.%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%3CBR%20%2F%3EDo%20you%20know%20what%20the%20specifics%20are%20for%20setting%20up%20that%20push%20method%20of%20multi-factor%20authentication%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1204703%22%20slang%3D%22en-US%22%3ERe%3A%20Looking%20for%20specific%20instructions%20for%20enabling%20and%20configuring%20MFA%20for%20Ofice%20365%20users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1204703%22%20slang%3D%22en-US%22%3E%3CBLOCKQUOTE%3E%3CHR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F86092%22%20target%3D%22_blank%22%3E%40Robert%20Gordon%3C%2FA%3E%26nbsp%3Bwrote%3A%3CBR%20%2F%3E%3CP%3EThanks%2C%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F2395%22%20target%3D%22_blank%22%3E%40Cian%20Allner%3C%2FA%3E!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAlso%2C%20I%20recall%20that%20there's%20an%20MFA%20method%20within%20Office%20365%20that%20asks%20the%20client%20app%20to%20match%20the%20number%20shown%20on%20screen%2C%20with%20one%20of%20the%20three%20options%20that%20show%20up%20on%20their%20MFA%20mobile%20device%2C%20rather%20than%20entering%20a%20six%20digit%20code%20generated%20from%20the%20Microsoft%20Authenticator%20app.%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3C%2FBLOCKQUOTE%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fauthentication%2Fhowto-authentication-passwordless-phone%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3EPasswordless%20sign-in%3C%2FA%3E%20has%20that%20option%20(preview)%2C%20it%20requires%20Azure%20MFA%20with%20push%20%3CSPAN%3Enotifications%26nbsp%3Benabled%20plus%20some%20other%20configuration%20as%20mentioned%20in%20the%20link.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22phone-sign-in-microsoft-authenticator-app%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F174593i1218529D5C7DF464%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20title%3D%22phone-sign-in-microsoft-authenticator-app%22%20alt%3D%22phone-sign-in-microsoft-authenticator-app%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Frequent Contributor

I would like to enable MFA for my Microsoft 365 clients but have a few questions about how to do this.

1. When enabling MFA, how to do enable multiple methods for MFA (i.e. hardware key, biometric, text to mobile, Microsoft Authentication, etc.)?

2. What is the method of MFA called, when a user must match a two digit number shown on screen, with one of three options shown on their mobile device?

3. Is there a way to also implement MFA with Microsoft desktop applications such as Outlook, Teams, OneDrive, etc. so that the user must confirm an MFA method when launching the apps from their Windows 10 laptop/desktop, even if they have already had to use MFA to get past the Windows 10 login screen?

3 Replies
Highlighted

The two primary ways of enforcing Azure MFA (there is another way too, Security Defaults), this may depend on what licensing is available, either enabling it per user or using Conditional Access, this link talks about the two options and and how to enable per-user Azure MFA, which is the more basic approach -

 

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates

 

And more specifics

 

https://docs.microsoft.com/en-gb/microsoft-365/admin/security-and-compliance/set-up-multi-factor-aut... 

 

This explains the licensing differences and requirements  https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-licensing 

 

The best and most granular experience is using Conditional Access, which Microsoft recommend but that requires Azure AD Premium and also the combined registration experience is worth looking at too, that has its own way of configuring authentication methods, as well as here.

 

With Conditional Access you can target desktop applications and enforce Azure MFA with a set criteria for example to Windows or macOS devices with desktop clients.

 

Hope some of that helps!

Highlighted

Thanks, @Cian Allner!

 

Also, I recall that there's an MFA method within Office 365 that asks the client app to match the number shown on screen, with one of the three options that show up on their MFA mobile device, rather than entering a six digit code generated from the Microsoft Authenticator app.    


Do you know what the specifics are for setting up that push method of multi-factor authentication?

Highlighted

@OneTechBeyond wrote:

Thanks, @Cian Allner!

 

Also, I recall that there's an MFA method within Office 365 that asks the client app to match the number shown on screen, with one of the three options that show up on their MFA mobile device, rather than entering a six digit code generated from the Microsoft Authenticator app.    

Passwordless sign-in has that option (preview), it requires Azure MFA with push notifications enabled plus some other configuration as mentioned in the link.

 

phone-sign-in-microsoft-authenticator-app