Microsoft now recommend that all cloud user accounts that handle sensitive information are protected with Multi-Factor Authentication (MFA). With MFA, in addition to entering your password you receive an approval request on a device you own (usually your mobile phone) via a text message, phone call or app notification. This verifies that it is really you entering the password and not someone who has obtained it.
From Wikipedia:
Multi-factor authentication (MFA) is an authentication (https://en.wikipedia.org/wiki/Authentication) method in which a computer user (https://en.wikipedia.org/wiki/Computer_user) is granted access only after successfully presenting two or more pieces of evidence (or factors) to an authentication (https://en.wikipedia.org/wiki/Authentication) mechanism: knowledge (something the user and only the user knows), possession (something the user and only the user has), and inherence (something the user and only the user is)
Once MFA is enabled for your account, you’ll need to set up your preferred authentication method using the link below.
We’d recommend downloading the Microsoft authenticator app and using that as the primary method:
Android: Microsoft Authenticator on Google Play
Apple: Search “Microsoft Authenticator” in the App Store
The app uses your phone’s push notification system, so you can accept or reject an MFA sign-in with a single press.
Important
You won’t need to verify every sign-in: company offices will be set up as “trusted” locations, and you will generally only be challenged when the system detects a change in circumstances, e.g. logging in from a café.
If you receive a surprise MFA notification, i.e. you are not trying to log in, always reject it. This stops an attacker in their tracks and at most causes you minor inconvenience: if it turns out the request came from another device you own (e.g. your mobile), you will simply need to re-authenticate on it. Bear in mind that an unexpected prompt means someone else has most likely already entered your password, so report it to IT and change your password rather than just dismissing it.
When Does MFA Issue a Challenge? Why Don’t I Get a Challenge Each Time I Log In?
MFA issues a trust ticket to the user/device combination, based on the circumstances at the time of sign in. If those circumstances change, the ticket becomes invalid, and MFA checks if the login can be trusted again. Circumstances include:
- Sign in location (determined by the internet connection)
- Device logged into
- Trust status of that device (i.e. does it meet the current security policy)
- Risk state of the user (have they recently logged in, changed their password, logged in from another location)
So signing into a different machine - even a company one - will trigger an MFA check, because that is a new user/device combination with no ticket yet.
You won't get challenged each time you log in: that would be tedious, and it would quickly become second nature to accept every MFA prompt that arrives, which would make the whole process pointless (an attacker's prompt would be accepted along with everyone else's). That's why, once issued to a user/device combination, the trust ticket usually lasts 14 days before another challenge is required (provided circumstances don't change). We also set the MFA policies up to trust certain circumstances more than others - for example, if you're using a trusted device in a trusted location, MFA isn't usually required.
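To make the ticket logic above concrete, here is a small model of the decision in Python. It is an added illustration written for this page, not Microsoft's policy engine or any code from the original article: the class and function names, the 14-day lifetime constant, the "office-hq" and "cafe" locations and the user/device names are all constructed for the example. It encodes exactly the rules described above: a ticket is keyed by user and device, records the circumstances at issue time, expires after 14 days, is invalidated by a change in user risk state, triggers a new challenge when circumstances change, and is bypassed when a compliant device signs in from a trusted location.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed lifetime of a trust ticket, matching the 14 days quoted in the text.
TICKET_LIFETIME = timedelta(days=14)


@dataclass(frozen=True)
class SignIn:
    """One sign-in attempt and the circumstances MFA looks at (constructed for this example)."""
    user: str
    device: str
    location: str           # derived from the internet connection, e.g. "office-hq"
    device_compliant: bool  # does the device meet the current security policy?
    user_risky: bool        # e.g. recent password change or sign-in from another location
    at: datetime


@dataclass(frozen=True)
class Ticket:
    """Trust ticket for one user/device combination, recording the circumstances at issue time."""
    issued_at: datetime
    location: str
    device_compliant: bool


class MfaPolicy:
    """Illustrative policy evaluator (not Microsoft's implementation)."""

    def __init__(self, trusted_locations):
        self.trusted_locations = set(trusted_locations)
        self.tickets = {}  # (user, device) -> Ticket

    def evaluate(self, s):
        """Return (challenge_required, reason) for a sign-in without issuing anything."""
        key = (s.user, s.device)
        if s.user_risky:
            self.tickets.pop(key, None)  # a change in risk state invalidates any ticket
            return True, "user risk state changed"
        t = self.tickets.get(key)
        if t is None:
            return True, "no ticket for this user/device combination"
        if s.at - t.issued_at > TICKET_LIFETIME:
            return True, "ticket older than 14 days"
        if s.device_compliant and s.location in self.trusted_locations:
            return False, "compliant device at trusted location"
        if (s.location, s.device_compliant) != (t.location, t.device_compliant):
            return True, "circumstances changed since ticket was issued"
        return False, "valid ticket, circumstances unchanged"

    def sign_in(self, s, user_approves=True):
        """Run the policy; a challenge the user approves issues a fresh ticket for that user/device."""
        challenge, reason = self.evaluate(s)
        if challenge and user_approves:
            self.tickets[(s.user, s.device)] = Ticket(s.at, s.location, s.device_compliant)
        return challenge, reason


def demo():
    """Constructed scenario walking through the cases in the text; returns (label, challenged, reason)."""
    policy = MfaPolicy(trusted_locations={"office-hq"})
    day0 = datetime(2024, 1, 1, 9, 0)
    d = lambda n: day0 + timedelta(days=n)
    events = [
        ("new laptop in the office",      SignIn("alice", "laptop-1",  "office-hq", True, False, d(0))),
        ("same laptop, next day",         SignIn("alice", "laptop-1",  "office-hq", True, False, d(1))),
        ("same laptop from a cafe",       SignIn("alice", "laptop-1",  "cafe",      True, False, d(2))),
        ("back in the office",            SignIn("alice", "laptop-1",  "office-hq", True, False, d(3))),
        ("a second company machine",      SignIn("alice", "desktop-2", "office-hq", True, False, d(3))),
        ("cafe again, 20 days later",     SignIn("alice", "laptop-1",  "cafe",      True, False, d(22))),
        ("password just changed (risky)", SignIn("alice", "laptop-1",  "office-hq", True, True,  d(23))),
    ]
    return [(label, *policy.sign_in(s)) for label, s in events]


def rejected_prompt_leaves_no_ticket():
    """Someone who knows the password but whose push the user rejects never gets a ticket."""
    policy = MfaPolicy(trusted_locations={"office-hq"})
    attempt = SignIn("alice", "unknown-pc", "elsewhere", False, False, datetime(2024, 1, 1, 3, 0))
    challenged, _ = policy.sign_in(attempt, user_approves=False)
    return challenged and ("alice", "unknown-pc") not in policy.tickets


if __name__ == "__main__":
    for label, challenged, reason in demo():
        print(f"{label:32} challenge={challenged!s:5} ({reason})")
    print("rejected prompt leaves no ticket:", rejected_prompt_leaves_no_ticket())
```

Running `demo()` shows why the first sign-in on any machine, a trip to a café and a 20-day gap each produce a prompt, while returning to the office on a compliant device does not even though the last ticket was issued at the café. `rejected_prompt_leaves_no_ticket()` is the case from the "Important" note: rejecting a prompt you did not initiate means no ticket is issued to the attacker's machine.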