Feb 28 2020 06:23 AM - last edited on Feb 01 2023 11:03 AM by TechCommunityAP
I would like to enable MFA for my Microsoft 365 clients but have a few questions about how to do this.
1. When enabling MFA, how do I enable multiple methods for MFA (i.e. hardware key, biometric, text to mobile, Microsoft Authentication, etc.)?
2. What is the method of MFA called, when a user must match a two digit number shown on screen, with one of three options shown on their mobile device?
3. Is there a way to also implement MFA with Microsoft desktop applications such as Outlook, Teams, OneDrive, etc. so that the user must confirm an MFA method when launching the apps from their Windows 10 laptop/desktop, even if they have already had to use MFA to get past the Windows 10 login screen?
Feb 28 2020 07:56 AM
The two primary ways of enforcing Azure MFA (there is another way too, Security Defaults), this may depend on what licensing is available, either enabling it per user or using Conditional Access, this link talks about the two options and how to enable per-user Azure MFA, which is the more basic approach -
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates
And more specifics
This explains the licensing differences and requirements https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-licensing
The best and most granular experience is using Conditional Access, which Microsoft recommend but that requires Azure AD Premium and also the combined registration experience is worth looking at too, that has its own way of configuring authentication methods, as well as here.
With Conditional Access you can target desktop applications and enforce Azure MFA with a set criteria for example to Windows or macOS devices with desktop clients.
Hope some of that helps!
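An added example (not part of the reply above, and not Microsoft's own sample) of the Conditional Access scoping that reply describes: require MFA for Office 365 desktop clients on Windows and macOS. It assumes the Microsoft.Graph.Identity.SignIns PowerShell module and an Azure AD Premium tenant; the display name and the excluded emergency-access account ID are placeholders.

```powershell
# Added example. Assumptions: Microsoft.Graph.Identity.SignIns module installed,
# Azure AD Premium licensing, and a placeholder emergency-access account ID.
$policy = @{
    displayName = 'EXAMPLE - Require MFA for Office 365 desktop clients'  # hypothetical name
    # Report-only: the result is logged in the sign-in logs but not enforced,
    # so the impact can be reviewed before switching the state to 'enabled'.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeUsers = @('All')
            # Keep one emergency-access account out of scope to avoid tenant lockout.
            excludeUsers = @('<emergency-access-account-object-id>')  # placeholder
        }
        applications = @{
            includeApplications = @('Office365')  # Outlook, Teams, OneDrive, etc.
        }
        # This client type covers both mobile apps and desktop clients;
        # the platform condition below narrows it to Windows and macOS devices.
        clientAppTypes = @('mobileAppsAndDesktopClients')
        platforms = @{
            includePlatforms = @('windows', 'macOS')
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

# Refuse to submit while the placeholder is still in the exclusion list.
if ($policy.conditions.users.excludeUsers -match '^<.*>$') {
    throw 'Replace the placeholder object ID in excludeUsers before creating the policy.'
}

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```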
Feb 29 2020 12:20 PM
Thanks, @Cian Allner!
Also, I recall that there's an MFA method within Office 365 that asks the client app to match the number shown on screen, with one of the three options that show up on their MFA mobile device, rather than entering a six digit code generated from the Microsoft Authenticator app.
Do you know what the specifics are for setting up that push method of multi-factor authentication?
Mar 02 2020 07:42 AM
@OneTechBeyond wrote: Thanks, @Cian Allner!
Also, I recall that there's an MFA method within Office 365 that asks the client app to match the number shown on screen, with one of the three options that show up on their MFA mobile device, rather than entering a six digit code generated from the Microsoft Authenticator app.
Passwordless sign-in has that option (preview), it requires Azure MFA with push notifications enabled plus some other configuration as mentioned in the link.