How to set up Microsoft Authenticator for Office 365
What is Multi-Factor Authentication (MFA)?
Authentication is the process of proving you are who you say you are. In the world of IT we usually do this by providing a username (stating who you are) and password (providing something only you should know, to help prove it's you).
Multi-factor authentication goes one step further, by requiring an additional factor of authentication.
There are three types of authentication factors typically used in MFA:
- Something you know, like a password or PIN
- Something you have, like an authenticator app or security key
- Something you are, such as biometrics (e.g. fingerprint, facial recognition, etc.)
Your second factor should always be a different type to your first factor. For example, a password and a PIN are both 'something you know', and therefore together wouldn't constitute MFA. But having a password and a security key would be suitable, as one of the factors is 'something you know' and the other is 'something you have'.
Why do we need MFA?
The Cyber Essentials security standard has now made it mandatory for all cloud user accounts to have MFA enabled. For organisations who are certified to the standard, or wishing to achieve the standard, you must now implement MFA. This standard is set by the UK's National Cyber Security Centre and is considered the minimum level of cyber security which organisations should be operating to.
There are a number of reasons behind this change. But in short, passwords (on their own) are no longer fit for purpose.
Relying only on a password to prevent unauthorised access to an account carries a lot of risk, especially with the wide adoption of cloud services and remote working: most applications and services are now accessible from anywhere, so anyone can attempt to log in to them.
Passwords place a burden on users, to ensure they create strong and unique passwords for every account they use. But as many of us know, this isn't convenient, so passwords end up being re-used across multiple accounts, or only contain minor alterations, such as capitalising the first letter, or adding a '1' or '!' to the end of them, which are fairly easy for attackers to overcome.
Billions of leaked passwords are also now available online for those wanting to find them. You can find out for yourself if your account was part of any of the well known data leaks of the last few decades by typing your email address into this website: https://haveibeenpwned.com (if your account has been compromised, be sure to change your password immediately. Password managers, like the ones built into most web browsers or Android and Apple devices, will be able to generate a strong password for you, as well as store it securely, saving you having to remember it).
How to set up MFA in Office 365
- Open your web browser and go to https://aka.ms/mysecurityinfo. If you're not already signed in, you will be prompted to log in using your work email address and password.
- Select the "Add sign-in method" option.
- Select "Authenticator app" from the drop-down list and click "Add" ("Phone" or "SMS" may be listed as an option here, but Microsoft are forcibly migrating users to other options and eventually "Phone" / "SMS" will be removed entirely due to its vulnerabilities. Please feel free to reach out to us if you have any questions regarding this).
- If you haven't already, install the Microsoft Authenticator app on your Android or Apple mobile phone.
This app does not have any control or monitoring capabilities, and just serves as an authenticator app for MFA, in the same way other authentication apps work, such as Google Authenticator.
To download the Microsoft Authenticator app for Apple devices click here or scan this QR code:
To download the Microsoft Authenticator app for Android devices click here or scan this QR code:
- Back on the Microsoft web page, click "Next" and "Next" again.
- In the Microsoft Authenticator app on your mobile phone, select the "+" symbol in the top right-hand corner and then "Work or school account". Now select the "Scan QR code" option and scan the QR code on your computer screen. Click "Next".
- Important: Microsoft will now ask you to test the Authenticator app by entering the number on your computer screen into the Microsoft Authenticator app on your mobile phone. If you don't complete this step the setup will not be complete and you may not be able to log in again. Once done, click "Yes" on your mobile phone, and then "Next" on your computer.
- You're now all set! Your Microsoft Authenticator app will now be listed as one of your sign-in methods on the "Security info" web page and your account will be listed on your Microsoft Authenticator app on your mobile phone.