Step 5: Set up multi-factor authentication

This step is optional and applies to both the E3 and E5 versions of Microsoft 365 Enterprise.

In this step, you'll set up multi-factor authentication (MFA) to add a second layer of security to user sign-ins and transactions. MFA requires an additional verification method after users have correctly entered their password. Without MFA, the password is the only verification method. The problem with passwords is that many of them are easily guessed by an attacker or unknowingly shared with untrusted parties.

With MFA, the second layer of security can be:

  • A personal and trusted device that isn’t easily spoofed or duplicated, such as a smart phone.
  • A biometric attribute, such as a fingerprint.

You'll enable MFA and configure the secondary authentication method on a per-user account basis. Make sure to let users know that MFA is being enabled so they understand the requirements, such as mandatory use of a smart phone to sign in, and can sign in successfully.

For more information, see Plan for multi-factor authentication for Office 365 Deployments.

To configure multi-factor authentication, see Set up multi-factor authentication for Office 365 users.

You can require MFA with conditional access policies. For example, you can configure a policy that requires MFA when the authentication is determined to be of medium or high risk. For more information, see Common identity and device access policies.
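The risk-based policy described above can be sketched as follows. This is an added example, not taken from the original guidance. It assumes the Microsoft Graph PowerShell SDK is installed; the policy name and the excluded emergency-access account ID are placeholders.

```powershell
# Added example: require MFA when sign-in risk is medium or high.
# Assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns module).
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess'

# Placeholder: object ID of an emergency-access account that stays outside
# the policy so a misconfiguration cannot lock every administrator out.
$breakGlassId = '<object-id-of-emergency-access-account>'

$policy = @{
    displayName = 'Require MFA for medium or high sign-in risk'   # hypothetical name
    # Report-only: the policy is evaluated and logged but not enforced.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeUsers = @('All')
            excludeUsers = @($breakGlassId)
        }
        applications = @{
            includeApplications = @('All')
        }
        clientAppTypes   = @('all')
        signInRiskLevels = @('medium', 'high')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back to confirm what was actually stored.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State,
        @{ Name = 'SignInRisk'; Expression = { $_.Conditions.SignInRiskLevels -join ',' } },
        @{ Name = 'Grant';      Expression = { $_.GrantControls.BuiltInControls -join ',' } }
```

After reviewing the report-only results in the sign-in logs, set `state` to `enabled` to enforce the policy.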


In some applications, such as Microsoft Office 2010 or older and Apple Mail, you can’t use MFA. To use these apps, you’ll need to use “app passwords” in place of your traditional password. The app password allows the app to bypass MFA and continue working. To learn more about app passwords, see Create an app password for Office 365.

Test Lab Guide: Multi-factor authentication

As an interim checkpoint, you can see the exit criteria for this step.

Next step

Protect against credential compromise