Office365 MFA

Office 365 Multi-Factor Authentication

Multi-factor authentication (MFA) is commonly used to stop an outsider from logging in, even when that outsider already has the password. MFA improves the security of user logins.

With Office 365 MFA, after correctly entering their username and password, users must approve a phone call, enter a code sent by text message, or enter a code generated by an app on their smartphone. Only after this additional factor has been verified can the user sign in.

Security Is Key

Using passwords alone is risky. If a single password is cracked, cyber criminals could gain access to your system, and you would probably not be alerted to it. Enabling MFA for an Office 365 user ensures that if access is attempted from an unusual location, from another device, from another Office client, etc., the user is blocked until they provide additional verification.

Many users still have weak passwords, and it is difficult for management to mandate strong password management. Implementing Office365 MFA adds a layer of security that protects sensitive information even when a password is weak.

NOTE: Based on studies conducted by Microsoft, an account is more than 99.9% less likely to be compromised if MFA is enabled.

Compliance Requirements

To date, the use of MFA to protect systems is not mandatory for every industry.

However, the Payment Card Industry Data Security Standard (PCI DSS) requires companies to use multi-factor authentication (MFA) to protect against breaches that could compromise payment card data.

Two-Factor Authentication (2FA) is a needed measure to comply with password restrictions in sectors such as finance, healthcare, defense, law enforcement, and government, among others. Let’s take a few examples:

The Healthcare Industry

The Health Insurance Portability and Accountability Act (HIPAA) requires organizations to confirm that users seeking access to electronic protected health information (ePHI) have the necessary authorization. Two-factor authentication addresses this HIPAA requirement, and multi-factor authentication takes it to the next level.

The Finance Industry

The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Modernization Act, includes the Safeguards Rule, a directive designed to secure customer data, with specific provisions to ensure that data is not accessed under false claims. Risk assessment and risk mitigation are integral to compliance with the Safeguards Rule.

An identity and access management (IAM) solution can proactively address provisions of the Safeguards Rule and improve GLBA compliance through role-based management, entitlement management (limiting permissions so that users can access only what they need), and multi-factor authentication.

The United States Government

For several years, 2FA has been a requirement for accessing government websites. The same government action plan also instructed the National Cyber Security Alliance (NCSA), a non-profit, public-private partnership, to partner with leading technology companies such as Google and Microsoft to promote the use of 2FA.

These public-private partnerships instituted by the US Government show that MFA is a practical solution for mitigating the security risks inherent in systems that rely on a password alone.

Microsoft Authenticator

Authenticator is Microsoft’s two-factor authentication app. Launched around four years ago, the app simplifies the multi-factor authentication process. Basically, you log into an account and, after entering the username and password, you are asked to provide a code from the app to complete MFA.

The Authenticator generates a new six-digit code every 30 seconds, and you must enter the current code to finalize the login to your app or service.

It is extremely useful for quick sign-ins, it works cross-platform, and it is faster than email or SMS codes.

O365 Re-Authentication

When MFA is enabled, there are certain situations when O365 users must re-authenticate:

  • In case of a password change;
  • In case the user signs out of and back into Office clients;
  • In case users switch between Office 365 accounts;
  • In case administrators apply conditional access policies that restrict the resource the user is trying to access.

MFA Can Combat Phishing Attacks

How? Basically, by making it much harder for an attacker who has phished a password to use it. With multi-factor authentication enabled, a username and password alone are not enough to complete a login; the attacker would also need the second factor, often the victim’s phone.

MFA is a needed enhancement as more people use the entire Office 365 suite and save sensitive data in OneDrive and/or SharePoint. Protecting your data is crucial, and it seems that MFA’s importance and applicability will only grow over time.