SOLVED

Question regarding 2FA with 365 accounts


I enabled it for three users yesterday but had to turn it off shortly after as they all had iPhones and it kept prompting for app passwords, which we're trying to avoid using. I read that Apple devices using version 11 or higher support modern authentication, but the catch is you need to remove the Exchange account then add it back in after 2FA is enabled, so I'm going to try that Monday. I know we can use the Outlook app, but they don't want to use that unless they have to.

 

Next, originally I had those initial three users set up to use the Microsoft Authenticator with the prompt as the second authentication method, but after thinking about that I think maybe the PIN code would be a better idea, as I feel like my users would get used to seeing the prompt and just hit approve every time they see it. In that sense, does the PIN code seem more secure?

4 Replies

By PIN code do you mean the code displayed inside the Authenticator app? The general guidance is to use the least disruptive method applicable, and nowadays you can also configure passwordless auth which prompts them to select one of three numbers, so they cannot just hit approve.

Solution
Passwordless is kind of inconsistent but the code will be the backup. But I think the approve method is not secure at all and you are correct that users will blindly hit approve. Seen it happen before.

PIN or passwordless is the only way I'd go.

You are correct about iPhone profiles though. They do need to be reconnected usually when MFA is on.

@Vasil Michev PIN code from the authenticator app or via text. Either one. My concern is that, let's say, someone is trying to phish one of my users. Assume they already have the password to the email account. They attempt to log in as one of my users, and my user gets a prompt to approve or disapprove on their mobile device. Since they will see that from time to time by design over a period of 90 days, I'm worried that they will just approve it every time, whereas if they were using the text code or PIN from the app, they can't simply just approve it.
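The difference the thread is circling around (a plain approve/deny push gives the verifier no evidence the user saw the real sign-in, whereas a number-match prompt or an app code does) can be made concrete with a small model of the three second-factor checks. The block below is an added illustration, not code from the thread or from Microsoft: the app code is a standard RFC 6238 TOTP implemented with the standard library, the number-match challenge is modelled after the "select one of three numbers" description above (one number shown on the sign-in screen, three candidates in the app), and the "blind approver" is a user who taps the first thing they see. Function names, the seeded random source and the trial count are assumptions of this example.

```python
import hashlib
import hmac
import random
import struct

# --- "PIN / code from the app": RFC 6238 TOTP (HMAC-SHA1, 30 s steps) ---

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)

def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time) // step, digits)

def verify_totp(secret: bytes, submitted: str, at_time: int, step: int = 30, drift: int = 1) -> bool:
    """Server-side check: accept the current step and +/- `drift` neighbours for clock skew."""
    counter = int(at_time) // step
    return any(
        hmac.compare_digest(hotp(secret, counter + d), submitted)
        for d in range(-drift, drift + 1)
    )

# --- plain push: the verifier only ever learns "approve" or "deny" ---

def verify_push_approve(answer: str) -> bool:
    """Nothing in the answer ties the tap to the sign-in the user is looking at."""
    return answer == "approve"

# --- number matching as described in the thread (one number on screen, three in the app) ---

def make_number_match_challenge(rng: random.Random) -> tuple[int, list[int]]:
    """Return (number shown on the sign-in screen, shuffled list of 3 candidates in the app)."""
    candidates = rng.sample(range(10, 100), 3)  # three distinct two-digit numbers
    shown = candidates[0]                       # the real one the sign-in screen displays
    rng.shuffle(candidates)
    return shown, candidates

def verify_number_match(shown: int, selected: int) -> bool:
    """Only a user who can see the genuine sign-in screen knows which candidate to pick."""
    return selected == shown

def simulate_blind_approver(trials: int, seed: int = 0) -> tuple[int, int]:
    """How often a 'tap the first thing' user lets an unseen sign-in through, per method."""
    rng = random.Random(seed)  # seeded so the simulation is reproducible (example assumption)
    push_ok = match_ok = 0
    for _ in range(trials):
        if verify_push_approve("approve"):        # blind tap on a plain push
            push_ok += 1
        shown, choices = make_number_match_challenge(rng)
        if verify_number_match(shown, choices[0]):  # blind tap on the first candidate
            match_ok += 1
    return push_ok, match_ok

if __name__ == "__main__":
    # RFC 6238 reference secret; at T=59 the 6-digit code is 287082
    secret = b"12345678901234567890"
    print("TOTP at T=59:", totp(secret, 59))
    print("verify correct code:", verify_totp(secret, "287082", 59))
    print("verify wrong code:  ", verify_totp(secret, "000000", 59))
    push, match = simulate_blind_approver(1000)
    print(f"blind approver passes plain push {push}/1000, number match {match}/1000")
```

Run as a script it prints the RFC 6238 reference code for the test secret and then the simulation: the blind approver passes every plain push, but only about one third of number-match prompts, because the number is only on the sign-in screen the user is not looking at. A code from the app has the same property: it is a value the user must read off and type, so there is nothing to approve by reflex.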


@Chris Webb Thanks, that's what I was thinking. Just wanted to see if anyone else has that same opinion.