Set up multi-factor authentication for Office 365 users

Summary:    Learn how to set up multi-factor authentication (MFA) for Office 365 users.

Notes: Azure multi-factor authentication is a method of verifying who you are that requires the use of more than just a username and password. Using MFA for Office 365, users are required to acknowledge a phone call, text message, or app notification on their smart phones after correctly entering their passwords. They can sign in only after this second authentication factor has been satisfied.

A form of multi-factor authentication is included with Office 365, but you can also purchase Azure multi-factor authentication that includes extended functionality. For more information, see feature comparison of Azure multi-factor authentication versions.

Set up multi-factor authentication in the Office 365 admin center
  1. Sign in to Office 365 with your work or school account.

  2. Go to the Office 365 admin center.

  3. Navigate to Users > Active users. Your screen should look like one of the following:

    Active users in Office 365 admin center
  4. In the Office 365 admin center, click More > Setup azure multi-factor auth.

    Set up multifactor authentication

    If you're still using the old Office 365 admin center, next to Set Multi-factor authentication requirements, choose Set up.

    Set up multifactor authentication.
  5. Find the user or users who you want to enable for MFA. In order to see all the users, you might need to change the Multi-Factor Auth status view at the top.

    The views have the following values based on the MFA state of the users:

    • Any    Displays all users.

    • Disabled    This is the default state for a new user not enrolled in multi-factor authentication.

    • Enabled    The user has been enrolled in multi-factor authentication, but has not completed the registration process. They will be prompted to complete the process the next time they sign in.

    • Enforced    The user may or may not have completed registration. If they have completed the registration process then they are using multi-factor authentication. Otherwise, the user will be prompted to complete the process at next sign-in.

  6. Check the check box next to the users you want to enable.

    Users selected for MFA.
  7. On the right user info pane, under quick steps you'll see Enable and Manage user settings. Choose Enable.

  8. In the dialog box that opens, click enable multi-factor auth.

Allow MFA users to create App Passwords for Office client applications

Multi-factor authentication is enabled per user. This means that if a user is enabled for multi-factor authentication and they are attempting to use non-browser clients, such as Outlook 2013 with Office 365, they will be unable to do so. An app password allows this to occur. An app password, is a password that is created within the Azure portal that allows the user to bypass the multi-factor authentication and continue to use their application.

Important: All the Office 2016 client applications support multi-factor authentication through the use of the Active Directory Authentication Library (ADAL). This means that app passwords are not required for Office 2016 clients.

  1. Go to the Office 365 admin center.

  2. Navigate to Users > Active users. Your screen should look like one of the following:

    Active users in Office 365 admin center
  3. In the Office 365 admin center, click More > Setup azure multi-factor auth.

    Set up multifactor authentication

    If you're still using the old Office 365 admin center, next to Set Multi-factor authentication requirements, choose Set up.

    Set up multifactor authentication.
  4. In the multi-factor authentication page, choose service settings.

    MFA service settings.
  5. Under app passwords, choose Allow users to create app passwords to sign into non-browser applications.

    This allows users to use client Office applications, but they will have to enter a password of their choosing first.

  6. Click Save, and then Close.

  1. In the multi-factor authentication page, check the box next to the user or users you want to manage.

  2. In the user info pane on the right, you'll see two options: Enable and Manage user settings. Choose Manage User settings.

  3. In the Manage user settings dialog, check one or more of the options: Require selected users to provide contact methods again, Delete all existing app passwords generated by the selected users, or Restore Multi-Factor Authentication on all suspended devices.

  4. Click Save.

You can bulk update the status for existing users using a CSV file. The CSV file will be used only for enabling or disabling multi-factor authentication based on the user names present in the file. It is not used to create new users.

  1. In the multi-factor authentication page, click bulk update.

  2. Browse for the file that contains the updates. The column headings in your file must match the column headings in the following example:

    bulk update CSV sample file

Instructions for your users once MFA is set up

After you have enabled MFA on your tenant, your users can follow these instructions to set up their second sign-in method for Office 365:

See Also

Plan for multi-factor authentication for Office 365 Deployments

How Azure multi-factor authentication works

Share Facebook Facebook Twitter Twitter Email Email

Was this information helpful?

Great! Any other feedback?

How can we improve it?

Thank you for your feedback!

×