Microsoft 365 Account 2FA setup

Kelvin Cheung (Member, joined Oct 31, 2024, 15 messages)
How do I set up, for a specific list of users in Microsoft SharePoint 365, a requirement that the user must log in with 2FA (i.e. the Microsoft Authenticator App), in order to enhance the security of the system?
 
Solution
Setting up a specific list of users in Microsoft SharePoint 365 to enforce Two-Factor Authentication (2FA) via the Microsoft Authenticator App involves configuring Conditional Access Policies in Azure Active Directory (Azure AD). This method ensures that the selected users must use multi-factor authentication (MFA) when accessing SharePoint and other services. Below are the detailed steps to set this up:

Step 1: Confirm License Requirements

  • Ensure that your Microsoft 365 tenant includes the necessary Azure AD Premium P1 or P2 licenses since Conditional Access is a feature of these plans.
  • Check the license assignments for the specific users needing 2FA.

Step 2: Enable Multi-Factor Authentication (MFA) for the Selected Users

  1. Log in to the Microsoft 365 Admin Center:
  2. Access Active Users:
    • Navigate to Users > Active Users.
  3. Enable MFA:
    • Select the users that require 2FA.
    • In the toolbar, choose Multi-Factor Authentication Setup.
    • Enable MFA for the selected users; this ensures that 2FA prompts will occur when accessing Microsoft 365.

Step 3: Create a Conditional Access Policy to Enforce MFA for SharePoint

To enforce specific policies for SharePoint only:
  1. Log in to Azure AD:
  2. Open Conditional Access:
    • In Azure AD, navigate to Security > Conditional Access.
  3. Create a New Policy:
    • Click + New policy and give it a descriptive name, e.g., "Require MFA for SharePoint."
  4. Select Users:
    • Under Assignments, go to Users or workload identities.
    • Select the option Users and groups, and then specify the users or groups requiring 2FA.
  5. Select Cloud Apps:
    • Under Cloud apps or actions, click Include and choose Select apps.
    • In the app selection menu, search for and select SharePoint Online.
  6. Set Conditions (Optional):
    • If you'd like to specify conditions such as device platform, location, or client app, define these under the Conditions section.
  7. Set Grant Controls:
    • Under Grant, select:
      • Require multi-factor authentication.
    • Click Select to apply the grant control.
  8. Enable the Policy:
    • Set the policy to Report-only mode first to monitor its effect without enforcing it immediately.
    • After testing, switch the policy to On to enforce it.

Step 4: Test the Conditional Access Policy

  • Ask one of the affected users to log in to SharePoint Online and verify they receive a 2FA prompt via the Microsoft Authenticator App.
  • Address any unexpected issues during the testing phase.

Step 5: Monitor and Manage the Policy

  • Monitor the policy’s effectiveness via Azure AD logs:
    • Navigate to Sign-ins in Azure AD to review the authentication logs.
  • If issues arise, refine the Conditional Access policy settings or exclusion criteria.

Additional Notes:

  • Remember Backup Options:
    • Ensure users have backup methods configured (such as a phone number for SMS).
    • Train users on how to use the Authenticator App, including app setup, receiving verification codes, or approving push notifications.
  • Exclusions:
    • You may need to exclude certain service or admin accounts from the policy to avoid lockout scenarios.

By following these steps, you can enforce multi-factor authentication for specific users accessing Microsoft SharePoint Online, significantly enhancing the security of your system. Let me know if you encounter any challenges during setup!
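The portal steps in the answer above (Step 3: scoped users, SharePoint Online as the target app, the MFA grant control, report-only first; Step 5: reviewing sign-in logs; the admin-account exclusion from Additional Notes) can be done as a script with the Microsoft Graph PowerShell SDK. The block below is an added example, not code from the original post. It assumes the Microsoft.Graph module is installed, the caller holds the Conditional Access Administrator role, a group named "SharePoint MFA Users" contains the target users, and "breakglass@contoso.onmicrosoft.com" is an emergency-access account; the group and account names are placeholders.

```powershell
# Added example (not from the original post): create the "Require MFA for
# SharePoint" Conditional Access policy in report-only mode, then review how it
# evaluated against recent SharePoint sign-ins.
# Assumptions: Microsoft.Graph module installed; caller is a Conditional Access
# Administrator; group "SharePoint MFA Users" and the break-glass UPN below are
# placeholders for your tenant's own objects.

Connect-MgGraph -Scopes @(
    "Policy.ReadWrite.ConditionalAccess",
    "Policy.Read.All",
    "Group.Read.All",
    "User.Read.All",
    "AuditLog.Read.All",
    "Directory.Read.All"
)

# Resolve the scoped group and the emergency-access account to object IDs.
$targetGroup = Get-MgGroup -Filter "displayName eq 'SharePoint MFA Users'"
if (-not $targetGroup) { throw "Target group 'SharePoint MFA Users' not found" }
$breakGlass  = Get-MgUser -UserId "breakglass@contoso.onmicrosoft.com"

# Well-known application ID of Office 365 SharePoint Online.
$sharePointAppId = "00000003-0000-0ff1-ce00-000000000000"

$policy = @{
    displayName = "Require MFA for SharePoint"
    # Report-only first (Step 3, item 8); switch to "enabled" after testing.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeGroups = @($targetGroup.Id)
            # Exclude the emergency-access account so a policy mistake cannot
            # lock every admin out (Additional Notes: Exclusions).
            excludeUsers  = @($breakGlass.Id)
        }
        applications = @{
            includeApplications = @($sharePointAppId)
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy {0} in state {1}" -f $created.Id, $created.State

# Step 5: pull the 20 most recent SharePoint Online sign-ins and show, per
# sign-in, whether MFA was performed and how the new policy evaluated
# (reportOnlySuccess / reportOnlyFailure / notApplied while in report-only mode).
Get-MgAuditLogSignIn -Filter "appDisplayName eq 'Office 365 SharePoint Online'" -Top 20 |
    ForEach-Object {
        $hit = $_.AppliedConditionalAccessPolicies |
               Where-Object { $_.DisplayName -eq "Require MFA for SharePoint" }
        [pscustomobject]@{
            When   = $_.CreatedDateTime
            User   = $_.UserPrincipalName
            Auth   = $_.AuthenticationRequirement   # singleFactorAuthentication / multiFactorAuthentication
            Policy = if ($hit) { $hit.Result } else { "notApplied" }
        }
    } | Format-Table -AutoSize

# After a clean report-only run (Step 3, item 8), enforce the policy:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id `
#     -BodyParameter @{ state = "enabled" }
```

Run it once to create the policy; the sign-in listing can be re-run on its own during the report-only period. The break-glass exclusion is deliberate: keep that account on a separate, strong credential and review its own sign-ins rather than drop it from the exclusion list.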