Apr 22 2020

How to Set Up Multifactor Authentication in Microsoft Office 365

Here’s how healthcare organizations can set up multifactor authentication in Microsoft Office 365 to verify user identities and remain HIPAA compliant.

Multifactor authentication (or MFA), a security practice that requires two or more credentials to verify a user’s identity, is critical for protecting healthcare systems and data — and it’s an effective way to satisfy HIPAA password requirements. Here’s how to set up MFA in Microsoft Office 365, which offers a number of features for clinicians.

1. Enable MFA for All Users

First, navigate to the Office 365 admin center. Select Users ➔ Active Users and click on Multi-Factor Authentication. Enable MFA for all users by clicking Bulk Update. To turn on MFA with the minimum configuration needed, click on Enable under Quick Steps. On the pop-up window, click on Enable Multi-Factor Authentication. All active users will be required to use MFA the next time they sign in.

2. Review and Modify Your Verification Settings

Default settings are an excellent starting point for MFA, but it’s wise to understand all options. Some authentication methods are more secure than others, and it may be advisable to enable only those that improve the security posture. Under MFA settings, click on Service Settings to modify verification settings. With the increasing prevalence of SIM swap exploits, disabling the SMS verification method may increase security.

3. Decrease the Cached Token Time

Office 365 lets users mark a device as remembered at sign-in so that they are not prompted for MFA again on that device for a set number of days. Under MFA settings, click on Service Settings to modify the number of days. Nonweb applications use hourly refresh tokens; each time such a token is used, it is checked against the configured number of days. By default these apps check every 90 days. Decreasing this number increases the security of all logons.


4. Inspect the MFA Reports on a Regular Basis

To catch problems early, an administrator must review MFA history regularly. The Microsoft Azure portal offers reports that show administrators how and when MFA is used. Locate the reports under Azure Active Directory in the Azure portal. The key information is in the sign-ins activity report, which lets an administrator see when MFA was challenged, which methods were used and any other issues that occurred.
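As an added example (not part of the original article or of any Microsoft tooling), the following script reviews an exported sign-ins activity report the way step 4 describes, and also flags the SMS reliance that step 2 warns about. It assumes the export is a JSON array whose field names follow the Microsoft Graph signIn resource (userPrincipalName, authenticationRequirement, mfaDetail.authMethod, status.errorCode); the sample records embedded below are constructed for this example.

```python
import json
from collections import Counter

# Constructed sample of an Azure AD sign-ins activity report export.
# Field names follow the Microsoft Graph "signIn" resource; every value is made up.
SAMPLE_SIGNINS = json.dumps([
    {"userPrincipalName": "nurse1@example.org", "createdDateTime": "2020-04-20T08:01:00Z",
     "appDisplayName": "Outlook", "authenticationRequirement": "multiFactorAuthentication",
     "mfaDetail": {"authMethod": "Mobile app notification"}, "status": {"errorCode": 0}},
    {"userPrincipalName": "nurse1@example.org", "createdDateTime": "2020-04-20T13:15:00Z",
     "appDisplayName": "SharePoint", "authenticationRequirement": "multiFactorAuthentication",
     "mfaDetail": {"authMethod": "Mobile app notification"}, "status": {"errorCode": 0}},
    {"userPrincipalName": "drsmith@example.org", "createdDateTime": "2020-04-20T09:30:00Z",
     "appDisplayName": "Teams", "authenticationRequirement": "multiFactorAuthentication",
     "mfaDetail": {"authMethod": "Text message"}, "status": {"errorCode": 0}},
    {"userPrincipalName": "billing@example.org", "createdDateTime": "2020-04-20T10:02:00Z",
     "appDisplayName": "Exchange Online PowerShell", "authenticationRequirement": "singleFactorAuthentication",
     "mfaDetail": None, "status": {"errorCode": 0}},
    {"userPrincipalName": "drsmith@example.org", "createdDateTime": "2020-04-21T02:45:00Z",
     "appDisplayName": "Outlook", "authenticationRequirement": "multiFactorAuthentication",
     "mfaDetail": {"authMethod": "Text message"},
     "status": {"errorCode": 50074, "failureReason": "MFA challenge not completed (constructed)"}},
])

def review_signins(export_json):
    """Summarize when MFA was challenged, which methods were used, and what went wrong."""
    findings = {"total": 0, "mfa_challenged": 0, "methods": Counter(),
                "mfa_failures": [],           # MFA was challenged but not satisfied
                "single_factor_success": [],  # sign-ins that never saw an MFA prompt
                "sms_users": set()}           # step 2: users still relying on SMS codes
    for rec in json.loads(export_json):
        findings["total"] += 1
        user, status = rec["userPrincipalName"], rec.get("status") or {}
        ok = status.get("errorCode", 0) == 0
        if rec.get("authenticationRequirement") != "multiFactorAuthentication":
            if ok:  # succeeded with only a password: an MFA coverage gap for this user/app
                findings["single_factor_success"].append((user, rec.get("appDisplayName", "")))
            continue
        findings["mfa_challenged"] += 1
        method = (rec.get("mfaDetail") or {}).get("authMethod", "unknown")
        findings["methods"][method] += 1
        if "text message" in method.lower():
            findings["sms_users"].add(user)
        if not ok:
            findings["mfa_failures"].append((user, rec["createdDateTime"], status.get("failureReason", "")))
    return findings
```

Run it against a real export by replacing SAMPLE_SIGNINS with the file contents; users in single_factor_success are the ones to check against the bulk-enable step above.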
