Currently, 60% of the UK’s adult population are working from home due to the Coronavirus lockdown.
While working from home offers many benefits, the current situation is completely unprecedented, and many businesses are having to take extra steps to support their employees during these challenging times.
But how do you keep your business safe, during lockdown?
With more employees working on their personal smartphone, tablets, laptops and computers, there’s a huge risk that your staff may be accessing and storing sensitive corporate information on unsecured devices.
BYOD has always posed a huge security risk, but with the majority of UK adults now working from home that risk is higher than ever.
In this article, I’ll show you how to protect your business against 99.9% of password-based security breaches, and greatly reduce your susceptibility to a wide range of other attacks.
What does Multi-Factor Authentication have to offer my business?
In this tutorial, we’ll be exploring several ways that you can enable and enforce Multi-Factor Authentication (MFA) across your entire organization, even if your staff are already working remotely.
MFA is a security system where users must pass an additional security check before they can access any confidential data, applications or other sensitive resources. For example, your employee may be asked to enter a one-time PIN code that’s sent to their smartphone before logging into their Office 365 account.
With Microsoft recording over 300 million fraudulent sign-in attempts every single day, MFA can protect your organization against thousands of potential security breaches.
Speaking about the benefits of MFA, Alex Weinert, Group Program Manager for Identity Security and Protection at Microsoft, said: “Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA.”
With your employees currently working from home, it may feel like you have little control over how they’re accessing your corporate data and applications, but in this article we’ll be sharing 3 ways that you can make MFA mandatory for your entire workforce, including remote workers.
If you’re eager to experience the benefits of cloud computing, then Microsoft have proven that they’re committed to continuously improving the security of their cloud-based products and services, and we believe there’s no better time to make the switch to Microsoft Office 365.
How to enable Security defaults in Azure Active Directory
Microsoft’s security defaults are a collection of security settings that are designed to protect your organization against all the most common attacks, including password spray, replay, and phishing scams.
Once you activate the security defaults, your employees will have 14 days to add MFA to their Office 365 accounts. If an employee doesn’t complete MFA registration by the 14 day deadline, then they’ll be locked out of their account until they enable Multi-Factor Authentication.
Microsoft’s security defaults also close a dangerous security loophole, by blocking legacy authentication methods. If your organization permits legacy authentication then an attacker could potentially bypass your MFA policies by using older protocols, for example a client that uses POP3 or IMAP. By blocking legacy authentication, the security defaults ensure that attackers cannot easily bypass your security policies by using older protocols or clients.
To check whether security defaults are enabled for your organization:
- Head over to the Azure Active Directory and sign into your admin account.
- In the left-hand menu, select “Properties.”
- Select “Manage Security defaults.’
In the panel that appears, find the “Enable Security defaults” slider. If this slider isn’t already in the “Yes” position then it means the security defaults aren’t currently enabled.
To enable Microsoft’s security defaults:
- Drag the slider into the “On” position.
- Click “Save.”
The security defaults are now enabled.
Passing Microsoft’s MFA checks
Now, your employees will be asked to enable MFA the next time they log into their Office 365 account.
Your employee can either verify their identity using a unique verification code that Microsoft sends via SMS, or they can use the dedicated Microsoft Authenticator app.
Let’s look at how your employees can enable MFA, using the Authenticator smartphone app.
Microsoft Authenticator for Android and iOS
Once you’ve setup the Authenticator app:
- In the Office 365 login screen, select “Use verification code.”
- Click “Set up,” and Office 365 will display a QR code.
- Launch the Microsoft Authenticator mobile application, and tap “Add account.”
- Specify that this is a work account.
- You’ll now be prompted to scan the QR code; hold your device’s camera up to the QR code, and wait for the Microsoft Authenticator app to perform a scan.
- After a few moments, your smartphone should display a six digit verification code, which you’ll need to access your Office 365 account.
- Switch back to your computer, and click “Next.”
- When prompted, enter your verification code and then click “Next.”
- Microsoft will now ask for a mobile number, just in case you lose access to the Microsoft Authenticator app. Enter your mobile number, and then click “Done.”
Now, every time you try to log into your Office 365 account, Microsoft will prompt you to launch the Authenticator app, generate a new verification code, and then enter this code into the Office 365 login screen.
Don’t want to use security defaults? How to enforce MFA manually
Alternatively, you can make MFA mandatory for all users, without enabling the security defaults:
- Log into the Microsoft 365 admin center.
- In the search bar, type “multi” and then select “Azure multi-factor authentication settings.”
- Choose “Manage multi-factor authentication.”
- Select all the accounts where you want to enable MFA.
- Towards the right side of the screen, select “Enable.”
- In the subsequent popup, select “Enable Multi-Factor Authentication.”
- Select all the accounts where you want to make MFA mandatory.
- Click the “Enforce” link.
- When prompted, select “Enforce Multi-Factor auth.”
All of your employees will now be required to setup MFA, in order to access their accounts.
Boost your security: Building a custom Conditional Access policy
Microsoft’s conditional access is designed to help you enforce security policies across your organization. A conditional access policy is usually an “if-then” statement, for example “if the user wants to access their Office 365 account, then they’ll need to complete X action.”
In this section, I’ll show you how to create a conditional access policy that requires all users to setup MFA, for all of their Office 365 applications.
Before we begin: Disable Microsoft’s security defaults
Our MFA conditional access policy will replace Microsoft’s security defaults, so if you want to use this policy then you’ll need to disable security defaults.
Before hitting that “off” button, you should carefully review all the security defaults, as you may need to setup some additional conditional access rules, or modify your security settings to ensure you get the same level of protection.
To disable Microsoft’s security defaults:
- Sign into your Azure Active Directory account.
- In the left-hand menu, select “Properties.”
- Select “Manage Security defaults.”
- In the subsequent panel, push the slider into the “Off” position, and then click “Save.”
Microsoft’s security defaults are now disabled for your organization.
Conditional access: Making MFA mandatory
Now we’re ready to create a custom conditional access policy:
- Log into your Azure Active Directory account.
- In the left-hand menu, select “Security.”
- Select “Conditional Access.”
- Give the “New policy” button a click.
- Give your policy a descriptive name.
- In the “Assignments” section, give “Users and groups” a click.
- To apply this policy to your entire organization, make sure the “Include” tab is selected and then choose “All users.”
- To prevent tenant-wide lockout, you need to ensure your admin can always log into their account. Select the “Exclude” tab and then specify the directory roles, or specific accounts that should be excluded from this policy, for example your emergency-access admin account, or “break glass” account.
- When you’re happy with your selection, click “Done.”
- Next, select “Cloud apps or actions.”
- In the panel that appears, make sure “Cloud apps” is selected.
- Select the “Include” tab.
- To apply this MFA policy to all of Office 365’s cloud-based apps, select “All cloud apps.”
- If there’s certain applications where you don’t want to enforce MFA, then select the “Exclude” tab, click “Select excluded cloud apps” and then choose those applications from the list.
- Click “Done” to close this panel.
- Back in the main Azure Active Directory console, select “Conditions.”
- You can now configure which clients your MFA policy should apply to, for example browser, mobile, or desktop applications. To start, click “Client Apps” and push the slider into the “Yes” position.
- Find “Select the client apps this policy will apply to,” and enable all the client applications where you want to enforce MFA. Unless you have a specific reason not to, you’ll typically want to enforce MFA across all client applications.
- Click “Done.”
- Next, find the “Access controls” section and click “Grant.”
- In the panel that appears, select “Grant access.”
- Select “Require multi-factor authentication.”
- Click “Select.”
- You’re now ready to activate your policy! Scroll to the “Enable policy” slider and push it into the “On” position.
- Click “Create.”
Your MFA conditional access policy is now active, and will be enforced across all your user accounts, Office 365 apps and client applications.
Want more remote working tips, techniques and advice?
We’ve published the following guides to help keep your employees safe, motivated and productive, during these challenging times:
Claim Your One Month FREE Trial of Microsoft 365 E5 Today.
Speak to a member of our team today 0114 292 2911 or email email@example.com if you need any assistance.
Share this article on social media
If you found this article useful, please share it on social media.
Subscribe to our blog…
We will only use your email to send you new blog posts.