Multi-Factor Authentication in Office 365 and the Enterprise Mobility + Security Suite
Microsoft reported in their breach investigation report that over 75% of network intrusions originated from weak or stolen credentials. So, how can companies protect against hackers who are trying to access their data?
Microsoft’s Multi-Factor Authentication (MFA) adds a second layer of security to user sign-ins and identity transactions by requiring more than one verification method. An attacker who has stolen a password still cannot sign in without the user’s second-factor device. The additional verification methods include an SMS text code, approval in the mobile authenticator app, or a phone call (with or without a PIN). The end-user experience can be improved by not prompting for a second factor when the user is on a trusted network or using a domain-joined PC.
Just as identity theft keeps evolving with new types of attacks, MFA keeps improving and meets the stronger security policies required today. Microsoft provides two levels of MFA service to meet the demands of clients: Multi-Factor Authentication in Office 365, and an enhanced version in the Enterprise Mobility + Security Suite (EMS).
Office 365 includes Multi-Factor Authentication to help secure Office 365 resources, and it is managed from the Office 365 admin center. This MFA offers basic features: the ability to enable and enforce multi-factor authentication for end users, with a mobile app or phone call as the second form of authentication. It is included with the Office 365 E3 suite and is free for all Office 365 admins, but it does not include the full feature set of the EMS bundle.
For instance, Office 365 MFA is an ‘all or nothing’ setup: every authentication requires MFA except sign-ins from Trusted IPs defined by the customer. Note that a Trusted IP range is itself an MFA exception; anything that signs in from those addresses does so with a password alone. Many applications use legacy protocols that cannot handle MFA, such as ActiveSync or an Outlook 2010 client. In these scenarios, MFA is bypassed with an Application Password: a randomly generated password, different from the user’s normal credentials, that the legacy client stores and presents instead. Because an app password is accepted without a second factor, it is effectively a single-factor credential for that client, and a set of them is painful for end users to manage.
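The per-user enable/enforce workflow described above, as an added example that is not from the original post: it uses the MSOnline PowerShell module (the module that managed per-user MFA for Office 365 at the time of this post; Microsoft has since deprecated it in favour of the Entra admin center and Microsoft Graph). It assumes you have already run Connect-MsolService as a Global Administrator; the user principal names are placeholders.

```powershell
# Added example, not from the original post. Assumes Connect-MsolService has
# already been run as a Global Administrator. UPNs below are placeholders.
Import-Module MSOnline

# A StrongAuthenticationRequirement with RelyingParty '*' applies to every
# application. Set-MsolUser takes a collection, so wrap it in @().
function New-MfaRequirement {
    param([ValidateSet('Enabled', 'Enforced')][string]$State)
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = '*'
    $req.State = $State
    return $req
}

$pilotUsers = @('jane.doe@contoso.com', 'john.roe@contoso.com')   # placeholders

# Step 1 - 'Enabled': the user is asked to register a second factor at next
# sign-in, but legacy clients keep working with the normal password.
$enabled = @(New-MfaRequirement -State 'Enabled')
foreach ($upn in $pilotUsers) {
    Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements $enabled
}

# Step 2 - 'Enforced' (after registration): every sign-in needs the second
# factor, and legacy clients such as ActiveSync or Outlook 2010 stop working
# until the user creates an app password. Do this per user once they have
# registered, otherwise the help desk gets the call.
$enforced = @(New-MfaRequirement -State 'Enforced')
foreach ($upn in $pilotUsers) {
    Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements $enforced
}

# Audit: licensed users with no per-user MFA requirement at all. Because this
# basic MFA is 'all or nothing', anyone on this list is password-only unless
# they sign in from a Trusted IP (where everyone is password-only anyway).
Get-MsolUser -All |
    Where-Object { $_.IsLicensed -and $_.StrongAuthenticationRequirements.Count -eq 0 } |
    Select-Object UserPrincipalName, DisplayName

# Rolling back: an empty collection removes the requirement.
# Set-MsolUser -UserPrincipalName 'jane.doe@contoso.com' -StrongAuthenticationRequirements @()
```

Run the audit query first to see how many accounts will be affected, then move users to Enforced in batches once they have registered; going straight to Enforced for everyone is what turns app passwords into a support problem.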
What’s the Difference?
Both services offer the same basic protection, using a mobile device as a second form of identification, which increases user identity protection. The difference lies with EMS/Azure, which offers more functions that can be customized and advanced controls such as conditional access, One-Time Bypass, and User Blocking.
MFA Windows Azure Only Features:
On-premises Integrations - Want to use Azure MFA with other things like VPN, Citrix, and Terminal Services? This can be achieved using RADIUS/LDAP with an on-premises MFA server or the NPS extension. MFA works with those services to keep user data on-premises while performing the authentications through the MFA cloud service.
Customizable Voice Greetings - Users will hear custom greetings instead of the default Microsoft greetings when they answer authentication phone calls.
Customizable Caller ID - This feature offers the ability for employees to receive authentication phone calls from a main company phone number that shows up on caller ID instead of the default Microsoft number.
Fraud Alert - This security feature lets users who receive a multi-factor authentication request they did not initiate (by phone or mobile app, at any time of day) report it as fraud by entering a configured fraud alert code. An alert email is sent to their IT administrator to take appropriate action, and the tenant can be configured so that the user account is immediately blocked when fraud is reported, stopping the attacker from retrying.
Reporting/Auditing - Curious about the total number of authentications or how each account was authenticated? The MFA reporting tools provide insight into anything MFA related, from tracking user access and denials, which can be key to weeding out threatening attacks, to reporting on the activity of suspicious accounts.
One-Time Bypass - Need access to the network or a file and can’t find your phone? Then it sounds like a need for a “One-Time Bypass.” An administrator issues the bypass, which lasts for a period of time (5 minutes by default) that can be configured to suit different organizational needs, during which the user can get into an MFA-protected application one time without performing multi-factor authentication.
Why use Multi-Factor Authentication:
When the “basic” version of MFA that comes with Office 365 Enterprise plans is enabled, it is an ‘all or nothing’ setup: every authentication requires MFA except sign-ins from Trusted IPs defined by the customer. Ideally, users have only a single set of corporate credentials to worry about. Instead, they must use a different app password for every client that cannot handle modern authentication, the most common being ActiveSync and the Outlook 2010 client; the app password is allowed through without MFA. On mobile devices, every end user must authenticate with a separately generated random password, which becomes an ugly process for end users and a pain to manage. That is why Interlink recommends Azure AD Premium for MFA: it allows conditional access and extends MFA to on-premises resources. All Azure AD administrators can be protected with MFA at no additional cost as well.
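The conditional-access alternative the recommendation above refers to, as an added example that is not from the original post: two Conditional Access policies created through the Microsoft Graph PowerShell module (Conditional Access was configured in the Azure portal when this post was written; the Graph API is the current way to script it). The first requires MFA for all users on all cloud apps except sign-ins from named locations marked as trusted, replacing the Trusted IPs bypass. The second blocks legacy authentication (ActiveSync and basic-auth clients), so there is nothing for an app password to bypass. It assumes an Azure AD Premium / EMS licence and a session opened with Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'; the policy names and the break-glass account object ID are placeholders.

```powershell
# Added example, not from the original post. Assumes Connect-MgGraph has been
# run with the Policy.ReadWrite.ConditionalAccess scope and that the tenant
# has Azure AD Premium. IDs and names below are placeholders.
Import-Module Microsoft.Graph.Identity.SignIns

# Object ID of an emergency-access account that is excluded from every policy
# so a misconfiguration cannot lock all administrators out. Placeholder value.
$breakGlass = '00000000-0000-0000-0000-000000000000'

# Policy 1: MFA everywhere except from named locations flagged as trusted.
# 'AllTrusted' is the built-in location reference for those networks.
$mfaPolicy = @{
    displayName   = 'Require MFA except from trusted locations'
    # Report-only first: sign-in logs show what *would* have happened.
    # Change to 'enabled' once the impact has been reviewed.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users        = @{ includeUsers = @('All'); excludeUsers = @($breakGlass) }
        applications = @{ includeApplications = @('All') }
        locations    = @{ includeLocations = @('All'); excludeLocations = @('AllTrusted') }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

# Policy 2: block legacy authentication outright. 'exchangeActiveSync' covers
# ActiveSync; 'other' covers basic-auth clients such as Outlook 2010 and
# SMTP/IMAP/POP, which is exactly where app passwords used to be needed.
$legacyBlock = @{
    displayName   = 'Block legacy authentication'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

foreach ($policy in @($mfaPolicy, $legacyBlock)) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy |
        Select-Object DisplayName, State, Id
}
```

Leave both policies in report-only mode for a week or two and review the sign-in logs before enabling them: the second policy will show you every device and service account still using basic authentication, which is the list you need to migrate before the block goes live.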
Interlink Cloud Advisors is a big believer in securing data with reliable and robust solutions. Multi-Factor Authentication for Office 365 and Enterprise Mobility + Security from Microsoft provide an extra layer of reliable protection when defending against identity-compromising attacks.
Want to learn how to add this protection to your organization?
Contact Interlink today to speak with our Microsoft Certified Security experts.