Microsoft 365 Account 2FA setup

Kelvin Cheung (Active Member, joined Oct 31, 2024, 20 messages)
How do I set up, for a specific list of users in Microsoft SharePoint 365, a requirement that the user must log in with 2FA (i.e. the Microsoft Authenticator App), in order to enhance the security of the system?

Solution
Setting up a specific list of users in Microsoft SharePoint 365 to enforce Two-Factor Authentication (2FA) via the Microsoft Authenticator App involves configuring Conditional Access Policies in Azure Active Directory (Azure AD). This method ensures that the selected users must use multi-factor authentication (MFA) when accessing SharePoint and other services. Below are the detailed steps to set this up:

Step 1: Confirm License Requirements

  • Ensure that your Microsoft 365 tenant includes the necessary Azure AD Premium P1 or P2 licenses since Conditional Access is a feature of these plans.
  • Check the license assignments for the specific users needing 2FA.

Step 2: Enable Multi-Factor Authentication (MFA) for the Selected Users

  • Log in to the Microsoft 365 Admin Center:
      ◦ Go to https://admin.microsoft.com and log in using your Global Admin account.
  • Access Active Users:
      ◦ Navigate to Users > Active Users.
  • Enable MFA:
      ◦ Select the users that require 2FA.
      ◦ In the toolbar, choose Multi-Factor Authentication Setup.
      ◦ Enable MFA for the selected users; this ensures that 2FA prompts will occur when accessing Microsoft 365.

Step 3: Create a Conditional Access Policy to Enforce MFA for SharePoint

To enforce specific policies for SharePoint only:
  • Log in to Azure AD:
      ◦ Go to the Azure portal at https://aad.portal.azure.com and log in with an account that has Global Admin or Security Admin permissions.
  • Open Conditional Access:
      ◦ In Azure AD, navigate to Security > Conditional Access.
  • Create a New Policy:
      ◦ Click + New policy and give it a descriptive name, e.g., "Require MFA for SharePoint."
  • Select Users:
      ◦ Under Assignments, go to Users or workload identities.
      ◦ Select the option Users and groups, and then specify the users or groups requiring 2FA.
  • Select Cloud Apps:
      ◦ Under Cloud apps or actions, click Include and choose Select apps.
      ◦ In the app selection menu, search for and select SharePoint Online.
  • Set Conditions (Optional):
      ◦ If you'd like to specify conditions such as device platform, location, or client app, define these under the Conditions section.
  • Set Grant Controls:
      ◦ Under Grant, select Require multi-factor authentication.
      ◦ Click Select to apply the grant control.
  • Enable the Policy:
      ◦ Set the policy to Report-only mode first to monitor its effect without enforcing it immediately.
      ◦ After testing, switch the policy to On to enforce it.

Step 4: Test the Conditional Access Policy

  • Ask one of the affected users to log in to SharePoint Online and verify they receive a 2FA prompt via the Microsoft Authenticator App.
  • Address any unexpected issues during the testing phase.

Step 5: Monitor and Manage the Policy

  • Monitor the policy's effectiveness via Azure AD logs:
      ◦ Navigate to Sign-ins in Azure AD to review the authentication logs.
  • If issues arise, refine the Conditional Access policy settings or exclusion criteria.

Additional Notes:

  • Remember Backup Options:
      ◦ Ensure users have backup methods configured (such as a phone number for SMS).
      ◦ Train users on how to use the Authenticator App, including app setup, receiving verification codes, and approving push notifications.
  • Exclusions:
      ◦ You may need to exclude certain service or admin accounts from the policy to avoid lockout scenarios.

By following these steps, you can enforce multi-factor authentication for specific users accessing Microsoft SharePoint Online, significantly enhancing the security of your system. Let me know if you encounter any challenges during setup!
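As an added example that is not part of the original post, the same policy from Steps 3 to 5 built with the Microsoft Graph PowerShell SDK instead of the portal: it resolves the target users and a break-glass exclusion to object IDs, looks up the SharePoint Online service principal by name rather than hard-coding its AppId, creates the policy in report-only mode, and then reads the report-only results back from the sign-in log. The user principal names and the break-glass account are placeholders (assumptions), and the script assumes the Microsoft.Graph module is installed and that you hold a Global Admin or Security Admin role.

```powershell
# Added example (not from the original post): create the "Require MFA for SharePoint"
# Conditional Access policy in report-only mode via Microsoft Graph PowerShell,
# then check how it would have applied to recent SharePoint sign-ins.

Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Applications
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Reports

# Scopes: read users and service principals, write CA policies, read sign-in logs.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All",
    "Application.Read.All", "User.Read.All", "AuditLog.Read.All"

# Placeholders (assumption): users who must use MFA for SharePoint, and a
# break-glass admin that is excluded so a policy mistake cannot lock everyone out.
$targetUpns    = @("alice@contoso.com", "bob@contoso.com")
$breakGlassUpn = "emergency-admin@contoso.com"

# CA policies reference object IDs, not names, so resolve the UPNs first.
$includeIds = foreach ($upn in $targetUpns) { (Get-MgUser -UserId $upn).Id }
$excludeId  = (Get-MgUser -UserId $breakGlassUpn).Id

# Resolve the first-party SharePoint Online app by display name in this tenant.
$spo = Get-MgServicePrincipal -Filter "displayName eq 'Office 365 SharePoint Online'"
if (-not $spo) { throw "SharePoint Online service principal not found in this tenant." }

$policy = @{
    displayName = "Require MFA for SharePoint"
    # Report-only first: sign-in logs show what WOULD happen, nothing is blocked yet.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = $includeIds
            excludeUsers = @($excludeId)
        }
        applications = @{
            includeApplications = @($spo.AppId)
        }
        # clientAppTypes is mandatory for the API; "all" covers browser and modern clients.
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.Id) in state $($created.State)"

# Step 5 check: list SharePoint sign-ins from the last day where this policy was
# evaluated, and show the report-only outcome per user (e.g. reportOnlySuccess,
# reportOnlyFailure, reportOnlyNotApplied).
$since   = (Get-Date).AddDays(-1).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$signIns = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since and appDisplayName eq 'Office 365 SharePoint Online'"

foreach ($s in $signIns) {
    $hit = $s.AppliedConditionalAccessPolicies | Where-Object { $_.Id -eq $created.Id }
    if ($hit) {
        "{0,-40} {1}" -f $s.UserPrincipalName, $hit.Result
    }
}

# Once the report-only results look right, enforce the policy by flipping its state:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }
```

Two design points: the break-glass exclusion is not optional in practice, since a Conditional Access policy that requires MFA for an account whose only registered method is broken will lock that account out, and looking the SharePoint app up by display name rather than pasting a GUID avoids silently targeting the wrong application if the ID is mistyped.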