Office 365 Multi-Factor Authentication

Office 365 MFA

• Set MFA to 'Enforced' as opposed to 'Enabled'
• Must use Microsoft Authenticator App - https://apps.apple.com/us/app/microsoft-authenticator/id983156458 - or - https://play.google.com/store/apps/details?id=com.azure.authenticator&hl=en_US&gl=US
• Document specific app password (used for iOS Mail, other apps that do not have pop-up triggering Auth app - Outlook works with normal password)
• App passwords can only be reset by user
• App backups require a personal Microsoft account

User - Manage/Change Authentication Methods (Direct Link)

• https://mysignins.microsoft.com/security-info - or - 
• Log into https://portal.office.com w/user account, in upper right-hand corner click 'View Profile', then 'Security Info'

Management (MFA) - Enable/Enforce/Disable

• Users > Active Users > Multi-Factor Authentication (Tab) - or Azure Portal > Users > Multi-Factor Authentication
• Select user to enable/disable MFA

Global Settings (Trusted IPs, Allow app passwords)

Reference - https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings#trusted-ips

• Log into https://portal.office.com as Global Admin
• Users > Active Users > Multi-Factor Authentication (Tab) > Service Settings (Not so obvious tab up top)
• App Passwords - By disallowing App passwords, users will need to use OWA (cant use Outlook?)
• Trusted IPs - Skips MFA on specific IP addresses
• Verification Options - Methods available to users (i.e. text message, mobile app)

Audit Logs

• Log into https://portal.azure.com w/domain admin account
• AAD > Users > Audit Logs