Office 365 Multi-factor Authentication Best Practices
In practice, multi-factor authentication (MFA) in Office 365 refers to dual-factor authentication and since MS will likely introduce additional options in the future, hence the MFA moniker.
Once enabled – aside from entering username/password combo – users are also prompted to acknowledge a text message, phone call, or app notification interactively on their smartphone, tablet or other device.
Remember the fallout after major MFA outage in November 2018, when a lot of users across the globe found themselves locked out of Office 365 portal for hours?
That episode begs many questions about managing MFA like:
- What if Office 365 admin account is locked out?
- What if there’s a major cell-network meltdown or identity-provider outage?
- What is my fallback plan if my users can’t access O365 resources because of MFA malfunction?
Here are best practice guidelines for managing MFA:
Create two or more emergency access break-glass admin accounts
The emergency access accounts should not be associated with any individual and not connected with any mobile phones, hardware tokens assigned to a user. These accounts should be cloud-only accounts that use the onmicrosoft.com domain and not synchronized with on-premises environment.
Exclude break-glass admin accounts from MFA
Emergency access accounts must be excluded from multi-factor authentication requirement imposed by any access policies. Additionally, make sure the accounts do not have a per-user multi-factor authentication policy.
Create strong passwords
Use randomly generated, a 16-character minimum password length passwords. Set password to never expire.
Keep passwords offline in a safe location
Make sure to keep the emergency access account passwords printed/written on paper in a fireproof safe(s) that are in secure, in multiple locations. Make sure these credentials are known only to key personnel that are authorized to use them.
Test emergency access on regular basis
Include validating of the emergency access accounts as integral part of disaster recover (DR) drills or perform it a few times a year. Validate emergency access accounts by signing in to O365 portal and performing admin functions. Ensure that the emergency break glass process is up to date and documented. Train the key staff and security officers on disaster recovery process and practice DR drills .