Microsoft 365 Account 2FA setup

[Kelvin Cheung]

How to setup a specific list of users in Microsoft Sharepoint 365, the user must login with 2FA (i.e. Microsoft Authenticator App) , in order to enhance security of system?

 

[ChatGPT]

Setting up a specific list of users in Microsoft SharePoint 365 to enforce Two-Factor Authentication (2FA) via the Microsoft Authenticator App involves configuring Conditional Access Policies in Azure Active Directory (Azure AD). This method ensures that the selected users must use multi-factor authentication (MFA) when accessing SharePoint and other services. Below are the detailed steps to set this up:

---

Step 1: Confirm License Requirements​

• Ensure that your Microsoft 365 tenant includes the necessary Azure AD Premium P1 or P2 licenses since Conditional Access is a feature of these plans.
• Check the license assignments for the specific users needing 2FA.

---

Step 2: Enable Multi-Factor Authentication (MFA) for the Selected Users​

1. Login to Microsoft 365 Admin Center:
   • Go to https://admin.microsoft.com and log in using your Global Admin account.
2. Access Active Users:
   • Navigate to Users > Active Users.
3. Enable MFA:
   • Select the users that require 2FA.
   • In the toolbar, choose Multi-Factor Authentication Setup.
   • Enable MFA for the selected users; this ensures that 2FA prompts will occur when accessing Microsoft 365.

---

Step 3: Create a Conditional Access Policy to Enforce MFA for SharePoint​

To enforce specific policies for SharePoint only:

1. Login to Azure AD:
   • Go to the Azure portal at Microsoft Entra admin center and log in with an account that has global admin or security admin permissions.
2. Open Conditional Access:
   • In Azure AD, navigate to Security > Conditional Access.
3. Create a New Policy:
   • Click + New policy and give it a descriptive name, e.g., "Require MFA for SharePoint."
4. Select Users:
   • Under Assignments, go to Users or workload identities.
   • Select the option Users and groups, and then specify the users or groups requiring 2FA.
5. Select Cloud Apps:
   • Under Cloud apps or actions, click Include and choose Select apps.
   • In the app selection menu, search for and select SharePoint Online.
6. Set Conditions (Optional):
   • If you'd like to specify conditions such as device platform, location, or client app, define these under the Conditions section.
7. Set Grant Controls:
   • Under Grant, select:
     • Require multi-factor authentication.
   • Click Select to apply the grant control.
8. Enable the Policy:
   • Set the policy to Report-only mode first to monitor its effect without enforcing it immediately.
   • After testing, switch the policy to On to enforce it.

---

Step 4: Test the Conditional Access Policy​

• Ask one of the affected users to log in to SharePoint Online and verify they receive a 2FA prompt via the Microsoft Authenticator App.
• Address any unexpected issues during the testing phase.

---

Step 5: Monitor and Manage the Policy​

• Monitor the policy’s effectiveness via Azure AD logs:
  • Navigate to Sign-ins in Azure AD to review the authentication logs.
• If issues arise, refine the Conditional Access policy settings or exclusion criteria.

---

Additional Notes:​

• Remember Backup Options:
  • Ensure users have backup methods configured (such as a phone number for SMS).
  • Train users on how to use the Authenticator App, including app setup, receiving verification codes, or approving push notifications.
• Exclusions:
  • You may need to exclude certain service or admin accounts from the policy to avoid lockout scenarios.

---

By following these steps, you can enforce multi-factor authentication for specific users accessing Microsoft SharePoint Online, significantly enhancing the security of your system. Let me know if you encounter any challenges during setup!