Office 365 App Passwords and Multi-Factor Authentication: Complete Overview

The number of social engineering attempts and phishing attacks has been on the rise for years. Moreover, cybercriminals have been quick to take advantage of any newly discovered software vulnerabilities. One simple way to minimize the risks of a breach and to strengthen access security is using multi-factor authentication (sometimes called two-factor authentication) for logins in addition to a username and a password.

In Microsoft Office 365 environments, multi-factor authentication is supported. It allows you to implement stronger access requirements in accordance with your organization’s security policy. Discover more about multi-factor authentication and how to use it in Office 365 applications.


What is Office 365 App Password?

An Office 365 app password is a special code that allows you to access your Office 365 account and Office 365 applications. It is tied to the Azure multi-factor authentication configuration. Generate a separate app password for each device that you use to access Office 365 applications; the same app password can be used on the same device.

An Office 365 app password is the alternative to multi-factor authentication for non-browser applications and for applications that cannot natively support MFA.

Create an App Password for Office 365

  1. Click your avatar or user icon in the top-right corner and then click the My account option.
  2. In the Security & privacy menu find the Additional security verification option. Click Create and manage app passwords.

    Configuring Security and privacy to set Office 365 app

  3. To make this option available, sign in to the Azure portal and check the Multi-factor authentication settings page.
  4. Select the Allow users to create app passwords radio button.
  5. In the account options, select App password and click Create to create an Office 365 app password.
  6. Enter a name for the Office 365 app password, for example, Outlook365. Copy the generated password to the clipboard and save it in a safe place, or write it down manually.
  7. After you generate app-specific passwords, you can apply them to Office 365 applications such as Outlook to log in.

What Is Multi-Factor Authentication?

Multi-factor authentication (MFA) is a method to confirm the identity of a user by requiring multiple credentials before authorization and before providing access to a website, application or other resources.

Two-factor authentication involves 2 steps:

  1. The user has to enter information that only they know.
  2. The user has to confirm their identity by providing additional information that can only be accessed by them, for example, a confirmation call, SMS code, USB key, fingerprint, face image, etc.

Generally, the types of information used by MFA can be classified into three types:

  • Knowledge – something you know (a password, pin code, etc.)
  • Possession – something you have (a cell phone, USB key, smart card, token, etc.)
  • Inherence – something you are (biometric data such as fingerprint, your eye, your face, etc.)

With MFA in place, a system can verify that the person entering the username and password is the real user and not a malicious actor who has compromised the account by stealing those credentials. MFA is highly recommended for internet banking. However, if the information in your Office 365 documents and your Office 365 email account is very important to you, you can also configure MFA for Office 365.

Two-factor authentication, which is a subset of multi-factor authentication, is sometimes confused with two-step verification. Although both are used for a similar purpose, to confirm the user’s identity, they differ in an essential way:

  • Two-step verification relies on the user entering something that only they know, for example, a password, followed by an additional step that uses an element of the same category (for example, two keys, two passwords, etc.) before access is granted. This type of verification always uses something only you know as the first step, and the combination of something you have and something you are is never used.
  • Two-factor authentication requires two elements from different categories – for example, the user has to enter something they know and something they have.

Using multi-factor authentication and two-step authentication may be inconvenient. For example, you may forget to take your phone with you or you may lose your phone, making authentication more complicated.

Types of MFA for Office 365

Office 365 offers three main types of MFA:

  • Authentication phone: SMS or call
  • Office phone
  • Mobile app: Receive notifications for verification or use verification code

How to Enable MFA for Your Office 365 Account

If you use Office 365 in your organization, MFA must be enabled for the organization or for separate users who need this option. After that, a user can set up the multifactor authentication for the Office 365 account.

  1. Go to the web page to authenticate in Office 365: https://login.microsoftonline.com.
  2. Log in as Administrator to Office 365.
  3. Go to Office 365 Admin Portal by selecting the Admin icon or by entering the web address in the address bar of your web browser manually: https://admin.microsoft.com/Adminportal/.

    Selecting Office 365 admin center

  4. In the left pane of Microsoft 365 admin center, click Active users. In the list that opens, select the account for which you want to configure two-factor authentication. In this example we will configure Office 365 MFA for Michael Bose.

    Office 365 active users

  5. Let’s select Michael Bose. In the account options that open, click Manage multifactor authentication in the Account tab.

    User account options in Office 365

  6. In the new screen that opens, a list of Microsoft Office 365 accounts appears. The accounts are organized in a table with three columns: Display Name, User Name and Multi-Factor Auth Status. As you can see on the screenshot below, by default the MFA status is “Disabled” for all accounts. Let’s enable MFA for one user.
  7. Select the required account again (Michael Bose in this case), select the checkbox next to the user name, and click Enable.

    Enabling multi-factor authentication in Office 365

  8. The About enabling multi-factor auth pop-up message is displayed:

    If your users do not regularly sign in through the browser, you can send them to this link to register for multi-factor auth: https://aka.ms/MFASetup

  9. Copy and save this link. You will need to provide this link to users to finish configuring MFA for Office 365.

    How to enable MFA in Office 365

  10. A user for whom the admin has enabled MFA must log into Office 365 by using the web address https://login.microsoftonline.com.

    Note that the step-by-step guide below describes the actions taken by the user, not by the admin who has configured MFA.

  11. Open the security verification page by using the link https://aka.ms/MFASetup (that you saved earlier).
  12. Provide the correct information in a few steps.

Step 1: How should we contact you?

In the drop-down menu you can select:

  • Authentication phone
  • Office phone
  • Mobile app

Let’s select Authentication phone. You have to enter a valid cell phone number and select the second authentication method:

  • Send me a code by text message
  • Call me

If you choose to receive the code by text message (SMS) or by phone call, you may be charged according to your mobile operator rates. Let’s select the first option (Send me a code by text message). Hit Next.

Additional security verification in Office 365

Wait for a few seconds.

Step 2: We’ve sent a text message to your phone

  1. You will receive a verification code via SMS to your cell phone. Enter that code in the appropriate field as shown in the screenshot below. Click Verify.

    Entering a confirmation code sent via SMS

  2. Wait for a while until verification is complete.

    Office 365 account verification is successful

  3. If verification is successful, hit Done, and you will be redirected to the Office 365 login page. A verification code will now be sent to your cell phone via SMS.
  4. Enter that code in the appropriate field as shown on the screenshot. Hit Verify to sign in.

    NOTE: If you selected the Call me option, usually you should answer the call and press the # sign.

    Entering a verification code sent via SMS to sign in Office 365

Now Office 365 multi-factor authentication is configured and you can use it each time after entering your username and password. You are redirected to the page with additional security verification options where you can modify the settings. Keep your phone with you, and don’t lose it, so that you can pass Office 365 authentication successfully.

Office 365 additional security verification options
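
To check the result of the rollout described above, this added example (not part of the original article) audits a list of accounts and reports everyone who is still protected by a password alone or who has not finished registration. The column names are those of the admin table in step 6; the CSV layout, the sample rows and the e-mail addresses are constructed, and the Enabled and Enforced values are the per-user MFA states Microsoft uses in addition to the Disabled state shown in the article.

```python
import csv
import io

# Constructed sample: the three columns are the ones the admin MFA screen shows.
# The CSV layout itself is an assumption; adapt the header names to your export.
SAMPLE_EXPORT = """\
Display Name,User Name,Multi-Factor Auth Status
Michael Bose,michael.bose@example.com,Enforced
Test User One,user1@example.com,Enabled
Test User Two,user2@example.com,Disabled
Service Mailbox,svc-mail@example.com, disabled
Test User Three,user3@example.com,
"""

# Per-user MFA states: Disabled (password only), Enabled (admin turned MFA on,
# user has not finished registration), Enforced (registration completed).
FINDINGS = {
    "disabled": "MFA not enabled: password is the only factor",
    "enabled": "MFA enabled but registration not finished: send https://aka.ms/MFASetup",
}


def audit_mfa_export(text):
    """Return (user_name, finding) for every account that is not Enforced."""
    reader = csv.DictReader(io.StringIO(text))
    required = {"Display Name", "User Name", "Multi-Factor Auth Status"}
    missing = required - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"export is missing columns: {sorted(missing)}")
    results = []
    for row in reader:
        user = (row["User Name"] or "").strip()
        status = (row["Multi-Factor Auth Status"] or "").strip().lower()
        if status == "enforced":
            continue
        # Unknown or empty status is reported rather than silently passed.
        finding = FINDINGS.get(status, f"unrecognised status {status!r}: check manually")
        results.append((user, finding))
    return results


if __name__ == "__main__":
    for user, finding in audit_mfa_export(SAMPLE_EXPORT):
        print(f"{user}: {finding}")
```

Accounts that stay in the Enabled state are the ones to follow up on with the registration link from step 9.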

Conclusion

Multi-factor authentication and Office 365 app passwords are additional security options for authentication. Multi-factor authentication improves security but takes additional steps to authenticate. Use MFA when you are not sure that using a username/password pair is enough for you in terms of security. You can generate Office 365 app passwords if for some reason you don’t trust the classic username/password authentication method and if native multi-factor authentication methods cannot be applied in your situation.

However, even if your security configuration is strict, having a backup is always a good idea. Consider using a dedicated Microsoft 365 backup software to protect your data and ensure point-in-time restores.
