Using Risk-based Multi-Factor Authentication in Microsoft 365

One of the best Security protections that can be used with accounts is Multi-Factor Authentication. However, the problem arises when trying to get the balance between Security and User Experience. When you look around the company where you work, there are those who are tech savvy and those who are not. Just think of the personal tech support you do for family members, specifically grandparents, and you know what I mean.

Implementing Multi-Factor, no matter which option you choose, requires an extra token or code of some description to allow a user to fully authenticate. In recent years the most common has been either an SMS message containing a code, or use of an authenticator app. Though these may seem trivial to most, they do present a barrier to some users and companies. The first one comes down to Bring Your Own Device (BYOD): especially if the phones are not used for company phone calls, this now means you must register this number within the Multi-Factor solution. It is amazing how many people don’t like that idea. Even saying they must download an application to their personal device can be challenging.

So, what is the purpose that we are implementing Multi-Factor Authentication?

The top 5 reasons for implementing this are:

Protect your account

Adding Multi-Factor to your account is one of the most important security steps that you can take. Ensuring that someone cannot gain access to your account is critical because accounts can be reset from services such as email. If your account has been compromised, any downstream user accounts elsewhere can be compromised. Protecting your account in turn protects your email, which is at the center of your digital identity.

Protect your devices

Devices have data and credentials stored on them. If stolen, a hacker could easily log into the services that you frequently use. A password manager will leave you largely unprotected if your device is stolen. If the hacker is forced to use Multi-Factor then you can dramatically increase your chances of protection even when your device has been stolen. Now of course the issue here is that the phone is the Multi-Factor device too; however, with you owning the settings for Multi-Factor (i.e. where to send the Multi-Factor token), you can quickly ensure that the device is no longer authorized.

Take control and own the Security

Relying on third parties to protect your accounts means that you are not taking an active role in your online security. If they are breached and you have two-factor authentication on as many of your accounts as possible, it will protect your digital assets.

Decrease reliance on Passwords

Even having strong passwords, which you should do, is sometimes not enough to protect your accounts. By forcing the second factor, you aren’t just relying on passwords. Some sites don’t offer two-factor authentication. Where possible try to leverage third-party user portals that can add multi-factor authentication into your login process.

Protect against cascading failures

Too many of us reuse passwords across services, which widens the potential attack surface if one of those accounts is compromised. Attaching Multi-Factor Authentication to as many devices and services as possible will limit your overall exposure. If a compromised account is reused in places where MFA is required, the hacker cannot attack other accounts.

As you know I spend a lot of time working within the Microsoft 365 Cloud (Office 365 and Azure), and as such Microsoft has done a great job of providing services that can help here. Firstly, of course Azure Multi-Factor Authentication is bolted into all its services. This can be enabled easily within your Microsoft 365 Tenant.

Access the users within the Microsoft 365 Admin console, select the user and choose the Multi-Factor option.

Simply click the Enable button at that point, which will prompt you to enable the Multi-Factor Authentication. You can then follow the steps as needed.

Once this is completed the end user will then need to go through a registration process to allow the account access. Though this is great and I highly recommend it, what we are really after is the ability to force Multi-Factor Authentication in the event of a Security Incident.

This, however, is not part of the Office 365 Multi-Factor Authentication; it comes as part of the Azure Active Directory Premium 2 SKU.

Once you have this you can navigate to the Azure portal for your tenant, then click All Services, and find the Azure AD Identity Protection option.

When it is loaded, select the Sign-in risk policy option.

Azure Active Directory uses adaptive machine learning algorithms and heuristics to detect suspicious actions that are related to your users’ identities. The system creates a record for each detected suspicious action, allowing reporting and then assigning of policies to control the risky sign-ins.

A sign-in policy can be assigned to specific users or to all users. It uses conditions to decide when it applies, and then defines the actions that can be taken.

For this I am setting it to a single account, with the condition set to Medium or Above.

Next, we set the controls to be enforced. For this account, we will use Require multi-factor authentication only. Depending on licenses and features, you will be able to choose the other options too.

Once you have set the options then you can select the Enforce Policy option and save. From this point forward, you are being protected. Trying to access my account, within the Tor Browser, with the following settings, raises the suspicious activity flag.

This will then prompt the account for Multi-Factor Authentication such as sending an SMS message with a code.

Entering the code will then allow the account to access the system. As you can see, it is very easy to enable protections. In fact, you can go one step further and completely block unusual sign-ins too by using policies.
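To check that the policy is taking effect, the code below (an added example, not from the original post or from Microsoft) audits exported sign-in records against the settings used above: a scoped user list, a Medium-or-above condition and the Require multi-factor authentication control. It assumes records shaped like Microsoft Graph signIn entries; the user names, record IDs and the `audit` helper are constructed for illustration.

```python
import json

# Risk levels in ascending order; the policy condition is "this level or above".
RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}

# Constructed sample data (assumption: export shaped like Graph signIn records).
SAMPLE_SIGNINS = json.loads("""[
  {"id": "s1", "userPrincipalName": "pilot@contoso.example", "status": {"errorCode": 0},
   "riskLevelDuringSignIn": "medium", "authenticationRequirement": "multiFactorAuthentication"},
  {"id": "s2", "userPrincipalName": "pilot@contoso.example", "status": {"errorCode": 0},
   "riskLevelDuringSignIn": "none", "authenticationRequirement": "singleFactorAuthentication"},
  {"id": "s3", "userPrincipalName": "Pilot@contoso.example", "status": {"errorCode": 0},
   "riskLevelDuringSignIn": "high", "authenticationRequirement": "singleFactorAuthentication"},
  {"id": "s4", "userPrincipalName": "other@contoso.example", "status": {"errorCode": 0},
   "riskLevelDuringSignIn": "high", "authenticationRequirement": "singleFactorAuthentication"},
  {"id": "s5", "userPrincipalName": "other@contoso.example", "status": {"errorCode": 0},
   "riskLevelDuringSignIn": "hidden", "authenticationRequirement": "singleFactorAuthentication"},
  {"id": "s6", "userPrincipalName": "pilot@contoso.example", "status": {"errorCode": 50074},
   "riskLevelDuringSignIn": "high", "authenticationRequirement": "multiFactorAuthentication"}
]""")


def audit(records, scoped_users, threshold="medium"):
    """Sort successful sign-ins at or above the risk threshold into buckets."""
    scope = {u.lower() for u in scoped_users}
    out = {"challenged": [], "unenforced": [], "out_of_scope": [], "unrated": []}
    for rec in records:
        if rec.get("status", {}).get("errorCode") != 0:
            continue  # sign-in did not succeed, so no access was granted
        risk = str(rec.get("riskLevelDuringSignIn", "")).lower()
        if risk not in RISK_ORDER:
            out["unrated"].append(rec["id"])  # no usable risk verdict, e.g. "hidden"
            continue
        if RISK_ORDER[risk] < RISK_ORDER[threshold]:
            continue  # below the policy condition
        mfa = rec.get("authenticationRequirement") == "multiFactorAuthentication"
        in_scope = rec.get("userPrincipalName", "").lower() in scope
        if mfa:
            out["challenged"].append(rec["id"])    # risky sign-in met with MFA
        elif in_scope:
            out["unenforced"].append(rec["id"])    # policy should have fired
        else:
            out["out_of_scope"].append(rec["id"])  # risky, but user not assigned
    return out


if __name__ == "__main__":
    print(audit(SAMPLE_SIGNINS, ["pilot@contoso.example"]))
```

Entries in `unenforced` mean an assigned user completed a risky sign-in with a single factor, while `out_of_scope` shows what a single-account assignment leaves uncovered.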

Now go and set up policies and control the authentication flow more than you do now.

Liam Cleary

I work as an Associate Director for Protiviti in Virginia. My main focus is to ensure that SharePoint can either natively or with minimal customization meet the business requirement securely. I am currently a SharePoint MVP focused on Architecture but also cross the boundary into Development and Security. I am often found at user groups, conferences speaking, offering advice, spending time in the community, teaching my kids how to code, Raspberry Pi programming, hacking the planet and sometimes building Lego robots.
