Header image overlay

Guide: Secure your Office 365 environment with Multi-factor Authentication

Working from anywhere is a must, but how do you know that someone who signs up is actually your colleague, not someone who has stolen his password?

Today, employees must be able to work anywhere, anytime. That is possible within Office 365 , but a login is quickly stolen. 42% of millenials, passed his or her password on to non-family members; in fact, 74% logs on to unsecured wifi hotspots without a care in the world.

Whichever way you look at it, you'd better assume that sooner or later the Office 365 login of one of your employees ends up in the wrong hands. 

What can you do about it?

Multi-factor authentication (MFA)also known as ‘two-stage authentication’ requires an extra code in addition to your password that only you can know, not the name of your first love or turtle, but a unique code that is only valid for 30 seconds and can only be seen on your smartphone. A criminal who owns your username and password is so powerless because he has no access to your smartphone.

It is therefore recommended that 100% activate this within Office 365 for all of your colleagues:

  • It should not irritate or inhibit (trusted) users in their productivity;
  • Are the smartphones secure enough? Otherwise, you can still access your data via a targeted robbery/intrusion;
  • In some organisations you are not allowed to use your smartphone;
  • What if an employee doesn't have his smartphone at hand or the battery is empty?
  • If you ask for an extra code too often, this can negate the alertness of users;

Getting Started with Multifactor Authentication within Office 365


Measuring is knowing: Who, when, where and on which device?

First map out which users are working in the Office 365 environment. This shouldn't be a big task thanks to tools like Active Directory. Then zoom in: what rights do they have and which devices do they use to access the business environment?

You can then look at the business applications and data. It is advisable to secure everything with MFA, but to avoid irritation you can consider leaving non-sensitive or non-business critical data and apps on the standard security.

Based on the above knowledge, you can then draw up security policies.

When do you want to enforce MFA?

There is no point in asking users within the perimeters of the company, on their own PC, for extra codes every now and then. This can be counterproductive; if it becomes an (irritating) automatism, outsiders can take advantage of this. Once a day is usually sufficient.

So you have to think a bit like a “Cloud Access Security Broker (CASB)” Is the location okay? Is the device okay? Is the time okay? Is the network secure?#8230; Then you can be milder than if the same account tries to log in from a public hotspot at 4.00 am ’night from Vietnam.

Start with a pilot project

If you have a few communicative employees who are interested in IT, they are the ideal candidates to test the system with. These ‘Key Users’ can give you valuable critical feedback, so that you can refine the policies where necessary. To gather feedback and to conduct the discussion centrally, it is best to use Microsoft Teams. Keep your eyes open for frequently asked questions, these will come in handy in the next phase.

How do you protect your company?
Prevent hacks, malware, cryptolockers and viruses in your company by deploying the right solutions. Discover your ideal security strategy here!

Ready for the big rollout

On the one hand you can count on the aforementioned ‘Key users’ who can help your colleagues in setting up the two-stage authentication, but it is very important that you write a manual with clear screenshots, supplemented with a FAQ/V&A addendum. This can save your IT staff many hours of explanation. You will also be sure to get questions like ‘What if I buy a new smartphone ‘What if I buy a new smartphone &1TP?

Personally I think it is even stronger to make a short video tutorial. This doesn't have to be a hollywood production as it's for internal use only, but moving image is a bit clearer. The only disadvantage is that if the procedure ever changes, you will have to make a new video…

Additional Tip

Use the Authenticator App instead of SMS. Not only is it more practical, an SMS is relatively easier to intercept.

In the signature of emails or on business cards often GSM numbers are communicated. There are already many cases known of fraudsters who approach telephony providers with the excuse ‘ My smartphone is stolen or my SIM card is faulty… I would like to activate a new SIM card for this number…” And then you're a bird for the cat. But there are still benefits:

  • This also works when your smartphone has poor range.
  • It works faster because sometimes an SMS arrives with a delay.
  • It also works on wearables

If you have any questions about the roll-out of MFA within Office 365; do not hesitate to contact our colleagues. contact us.

Tip: use the Authenticator App instead of SMS. Not only is it more practical; an SMS is relatively easier to intercept.”

Written by:

Matthias Sanne
Marketing & design @ VanRoey

Has been working as a marketer, designer, webmaster, copywriter, PowerPoint guru and numerous other things for 15 years. He gets his energy from simplifying complex matters. He tries to do the same in his Techblog PowrUsr.com where he brings handy solutions to challenging problems.

What will the future bring? Get an exclusive tour & plenty of inspiring sessions at the revamped Living Tomorrow. It promises to be another great and educational year-end event! See you there?

Attention: limited number of places!