Office 365 Multi-factor Authentication Best Practices

In practice, multi-factor authentication (MFA) in Office 365 refers to dual-factor authentication and since MS will likely introduce additional options in the future, hence the MFA moniker.

Once enabled – aside from entering username/password combo – users are also prompted to acknowledge a text message, phone call, or app notification interactively on their smartphone, tablet or other device.

Remember the fallout after major MFA outage in November 2018, when a lot of users across the globe found themselves locked out of Office 365 portal for hours?

That episode begs many questions about managing MFA like:

What if Office 365 admin account is locked out?
What if there’s a major cell-network meltdown or identity-provider outage?
What is my fallback plan if my users can’t access O365 resources because of MFA malfunction?

Here are best practice guidelines for managing MFA:

Create two or more emergency access break-glass admin accounts

The emergency access accounts should not be associated with any individual and not connected with any mobile phones, hardware tokens assigned to a user. These accounts should be cloud-only accounts that use the onmicrosoft.com domain and not synchronized with on-premises environment.

Exclude break-glass admin accounts from MFA

Emergency access accounts must be excluded from multi-factor authentication requirement imposed by any access policies. Additionally, make sure the accounts do not have a per-user multi-factor authentication policy.

Create strong passwords

Use randomly generated, a 16-character minimum password length passwords. Set password to never expire.

Keep passwords offline in a safe location

Make sure to keep the emergency access account passwords printed/written on paper in a fireproof safe(s) that are in secure, in multiple locations. Make sure these credentials are known only to key personnel that are authorized to use them.

Test emergency access on regular basis

Include validating of the emergency access accounts as integral part of disaster recover (DR) drills or perform it a few times a year. Validate emergency access accounts by signing in to O365 portal and performing admin functions. Ensure that the emergency break glass process is up to date and documented. Train the key staff and security officers on disaster recovery process and practice DR drills .

Penn Asian Senior Services

13:23 25 Jul 19

Penn Asian Senior Services (PASSi) has worked with Kontech on numerous occasions, and what we've consistently observed is service that combines top-notch knowledge with care & attention to detail. We are a nonprofit that provides services throughout the Greater Philadelphia area from our home base in East Oak Lane -- as may be the case with many nonprofits of a similar size, we come across a wide variety of IT needs within the office, many of which we try to handle in-house. However, there are times where we really do need the guidance/assistance of professional IT consulting. And, whenever we have this need, Kontech is our go-to solution -- we highly recommend the company, which we find to be trustworthy with fairly-priced services. - PASSi

Anita Rodriguez Morrison

18:05 02 May 19

Greetings from Michigan! Our company contacted KonTech IT Services to take care of a UPS battery install for our customer with an office in Philadelphia. KonTech did an awesome job with the installation and documentation. WE will definitely use them again when business takes us back to PA!

Keith Dewey

19:04 12 Feb 19

Working in a demanding field like the hospitality business we are in constant need of upgrades and installations to better our IT systems. Kontech IT services is a solid company that helps us with all our IT needs in a timely and professional manner. Their techs are very knowledgeable and great at making recommendations for your systems as well. I recommend Kontech anyday!!

Haley Klinghoffer

11:34 17 Aug 18

Very responsive and reliable! They have been able to solve all of our technological nightmares. Highly recommend!!

Sambath Phea

01:32 19 May 18

Highly recommend Kontech IT Services for your electrical needs. We had them install a video door bell with 3 indoor monitors and 3 surveillance cameras. Till this day, any questions or troubleshooting we need help with, Kontech IT Services are just a phone call or an email away.

Technolo Sales

19:34 01 Mar 18

We use Kontech IT Services for all our cabling needs in the Philly area. We love the quality of work and their range of expertise. We would highly recommend these guys.

Adam Schran

16:56 21 Feb 18

Konrad visited us and was able to solve a tricky network cabling issue that others were not able to fix. Plus, he explained why it happened and what else we could do to optimize our network equipment and cabling. Friendly, super intelligent guy we would welcome back to our premises any time for additional work as needed. Highly recommended.

brian seyller

12:53 29 Sep 17

Kontech has gone above and beyond to help me with our customers. I would highly recommend using them!