Once again, I brought a topic out of the "crypt" that I had already addressed here in the blog at the end of March 2024. A blog reader contacted me at the end of April 2024 and asked whether there was an "authenticator requirement for Microsoft Office"? Microsoft is continuously moving forward to enforce multi-factor authentication on its products such as Microsoft 365/Office 365.
A reader request
Blog reader Michael V. contacted me by email on April 24, 2024 with the subject "Authentificator enforcement for Microsoft Office?" because, as the global administrator of a Microsoft cloud instance, he had received an email from Microsoft. This email informed him of a change to the security standards for a named tenant.
According to the email, the tenant in question still uses legacy authentication protocols with login via user name and password. These legacy authentication protocols are less secure than modern protocols and make it easier for attackers to capture login information.
These legacy protocols normally block the activation of security standards, writes Microsoft. However, special exceptions have been applied to allow users to continue using legacy authentication apps while users are already using multi-factor authentication for all other apps. These exceptions apply to apps that the user used on the specific tenant one month prior to Thursday, April 18, 2024.
It is stated that this client (tenant) will be switched to multi-factor authentication in the security default setting from Tuesday, May 21, 2024. This could block more than 99.9% of identity attacks. If the global administrator logs into the account between Tuesday, April 23, 2024 and Tuesday, May 21, 2024, a message will be displayed asking them to proactively activate the security standards. If the global administrator has not logged in or activated this setting after this time frame, the setting is automatically activated for the tenant.
From this point onwards, only a multi-level user login to the tenant is possible, for example with the Microsoft Authenticator app. The email that I have posted at the end of the article provides the global administrator with information on what to expect. Microsoft recommends informing users about the following points to avoid confusion:
- When users sign in, they will see a prompt to install the Microsoft Authenticator app and create an account for it. Users can do this immediately or postpone it until later. However, after 14 days, the option to defer will disappear and users will need to register for multi-factor authentication before they can sign in.
- Users will need to follow the steps to set up the Microsoft Authenticator app to download the app to a mobile device and then register their account with the app.
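To see which accounts in a tenant are actually affected by the exception window described above, an administrator can inventory legacy-authentication sign-ins from an exported Microsoft Entra sign-in log. The following is an added example, not code from the blog post or from Microsoft; it assumes the JSON field names of the Microsoft Graph signIn resource (userPrincipalName, clientAppUsed, createdDateTime, appDisplayName), approximates "one month" as 30 days, and uses constructed sample records rather than real tenant data.

```python
# Added example: report which users still sign in with legacy authentication and
# whether those sign-ins fall inside the exception window from Microsoft's email.
# Assumption: the log has the Microsoft Graph signIn field names; records below are constructed.
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Values Entra reports for modern, token-based clients; anything else
# (IMAP4, POP3, Authenticated SMTP, Exchange ActiveSync, "Other clients", ...) is legacy auth.
MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}

# Exception window from the email: apps used in the month before Thursday, April 18, 2024
# ("one month" approximated here as 30 days).
CUTOFF = datetime(2024, 4, 18, tzinfo=timezone.utc)
WINDOW_START = CUTOFF - timedelta(days=30)

SAMPLE_LOG = json.dumps([  # constructed sample, not real sign-in data
    {"userPrincipalName": "anna@example.invalid", "clientAppUsed": "IMAP4",
     "appDisplayName": "Office 365 Exchange Online", "createdDateTime": "2024-04-10T08:15:00Z"},
    {"userPrincipalName": "anna@example.invalid", "clientAppUsed": "Browser",
     "appDisplayName": "Office 365 Exchange Online", "createdDateTime": "2024-04-11T09:00:00Z"},
    {"userPrincipalName": "ben@example.invalid", "clientAppUsed": "Authenticated SMTP",
     "appDisplayName": "Office 365 Exchange Online", "createdDateTime": "2024-02-01T07:30:00Z"},
    {"userPrincipalName": "cara@example.invalid", "clientAppUsed": "Mobile Apps and Desktop clients",
     "appDisplayName": "Microsoft Teams", "createdDateTime": "2024-04-05T12:00:00Z"},
])


def is_legacy(client_app_used: str) -> bool:
    """True when the sign-in did not come from a modern, token-based client."""
    return client_app_used not in MODERN_CLIENTS


def legacy_auth_report(log_json: str) -> dict:
    """Map user -> {legacy protocol: "exception" | "no exception"}.

    "exception": the protocol was used inside the window, so it keeps working for now.
    "no exception": only seen outside the window, so security defaults will block it.
    """
    report = defaultdict(dict)
    for entry in json.loads(log_json):
        if not is_legacy(entry["clientAppUsed"]):
            continue
        when = datetime.fromisoformat(entry["createdDateTime"].replace("Z", "+00:00"))
        status = "exception" if WINDOW_START <= when < CUTOFF else "no exception"
        user, proto = entry["userPrincipalName"], entry["clientAppUsed"]
        # An in-window sign-in wins over an out-of-window one for the same protocol.
        if report[user].get(proto) != "exception":
            report[user][proto] = status
    return dict(report)


if __name__ == "__main__":
    for user, protocols in legacy_auth_report(SAMPLE_LOG).items():
        print(user, protocols)
```

Users listed with "no exception" are the ones to contact first, since their legacy clients stop working once the tenant is switched; users with "exception" still need to register for MFA within the 14-day deferral period for everything else.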
Reader asked: Does this mean that EVERYONE in our country has to download an authenticator (and in the case of the MS solution, a potential tracker) to their personal cell phone? What if we don't want to/can't do that? More security is all well and good, but I can already hear the cry from my colleagues …
Some information and discussion
At this point I would like to refer to my blog post Microsoft 365/Exchange Online enforces suddenly MFA via Microsoft Authenticator app from March 28, 2024, where I had taken up a corresponding reader message from Alex. His users had massive problems with Exchange Online because the Microsoft 365 applications suddenly required multi-factor authentication via Microsoft Authenticator app using a smartphone.
There I had roughly pointed out that the topic has been pending since May 2023 (see my blog post Microsoft moves tenant security standards in Azure AD to MFA by May 8, 2023). Microsoft has also published the support article Enabling security defaults in Microsoft Entra ID, dated November 24, 2023. The level of discussion and information from the readership on this article is as follows:
- Microsoft has been switching more tenants to multi-factor authentication using the Microsoft Authenticator app via smartphone since March 2024.
- A number of users whose administrators did not have the issue on their radar are then suddenly locked out because no Microsoft Authenticator app is installed.
- There are cases where the switch to the Microsoft Authenticator app has been made, but users are still experiencing login problems because the process is not working.
Regarding the discussion about what companies do whose employees do not have a company cell phone on which to install the Microsoft Authenticator app, some users mentioned that they use hardware devices for OTP (one-time passwords). Hardware such as a YubiKey could also be used to store access tokens, as other readers commented.
One problem I've noticed over the past year is that Microsoft has started to require you to use MS Authenticator to generate your OTP codes. The QR codes they provide are no longer scannable in other apps like Authy.