Original Article Published March 2018 | April 2024 Update at the End of the Original Copy.
We noticed that some people are having problems using Microsoft Office 365 with two-factor authentication (2FA) (also known as multi-factor authentication).
We have a few tips for you here.
First: It’s important to know that when your admin sets up 2FA for your Office 365 users, they must enable Modern Authentication (MA) for Exchange Online if users are accessing Exchange using Outlook 2016. (The versions of Microsoft Outlook before 2013 don’t support Modern Authentication.) For details on how to enable MA for Exchange Online tenants, see Enable Modern Authentication in Exchange Online.
Second: You shouldn’t have any problem using 2FA with Microsoft’s mobile Office apps, Outlook Groups, Office 2016 desktop apps, and OneDrive for Business in Windows 10. However, other applications may be incompatible, so make sure you test all the apps in your organization before enabling 2FA.
How to Connect to Office 365 Security & Compliance Center PowerShell Using 2FA
If you set up 2FA for tenant administrator accounts, they can’t sign in to Office 365 using PowerShell. Instead, you must set up a specialized account for administrators. To do this, you must install the Exchange Online Remote PowerShell Module and use the Connect-IPPSSession cmdlet to connect to the Security & Compliance Center PowerShell.
Important note from Microsoft: You can’t use the Exchange Online Remote PowerShell Module to connect to Exchange Online PowerShell and Security & Compliance Center PowerShell in the same session (window). You need to use separate sessions of the Exchange Online Remote PowerShell Module.
This is what Microsoft recommends you do:
- Open the Exchange admin center (EAC) for your Exchange Online. See Exchange admin center in Exchange Online.
- In the EAC, go to Hybrid > Setup and click the appropriate Configure button to download the Exchange Online Remote PowerShell Module for multi-factor authentication.
- In the Application Install window that opens, click Install.
Windows Remote Management (WinRM) on your computer should allow Basic authentication by default. If Basic authentication is disabled, you’ll get an error message. Now you should be able to sign in to the Security & Compliance Center PowerShell by using 2FA.
After you sign in, the Security & Compliance Center cmdlets will be imported into your Exchange Online Remote PowerShell Module session and tracked by a progress bar. If you don’t receive any errors, you’ve done this successfully.
If not, and you receive errors, check the following requirements:
- Limit your open remote PowerShell connections to three. This prevents denial-of-service (DoS) attacks.
- Make sure the account you connect to the Security & Compliance Center is enabled for remote PowerShell. For more information, see Enable or disable access to Exchange Online PowerShell.
- TCP port 80 traffic must be open between your local computer and Office 365. It may not be if your organization has a restrictive Internet access policy.
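The requirements above can be checked from the same PowerShell window before connecting. The script below is an added example, not Microsoft's or this article's own code; the endpoint host name, the sample account name and the Microsoft.Exchange session filter are assumptions.

```powershell
# Added example: preflight checks before Connect-IPPSSession.
# Run inside the Exchange Online Remote PowerShell Module window.
param(
    [Parameter(Mandatory)]
    [string] $UserPrincipalName,                                  # e.g. admin@contoso.example (constructed)
    [string] $Endpoint    = 'ps.compliance.protection.outlook.com', # assumed endpoint host; adjust for your tenant
    [int]    $MaxSessions = 3                                       # connection limit stated in the article
)

$problems = @()

# 1. The WinRM client must allow Basic authentication (the default).
try {
    $basic = (Get-Item -Path WSMan:\localhost\Client\Auth\Basic -ErrorAction Stop).Value
    if ($basic -ne 'true') {
        $problems += 'WinRM client Basic authentication is disabled.'
    }
} catch {
    $problems += "Could not read WinRM client settings: $($_.Exception.Message)"
}

# 2. TCP port 80 must be open between this computer and Office 365.
$net = Test-NetConnection -ComputerName $Endpoint -Port 80 -WarningAction SilentlyContinue
if (-not $net.TcpTestSucceeded) {
    $problems += "TCP port 80 to $Endpoint is not reachable."
}

# 3. Stay under the limit of open remote PowerShell connections.
#    Get-PSSession only sees sessions opened from this window, so sessions
#    left open in other windows still count against the account.
$open = @(Get-PSSession | Where-Object {
    $_.ConfigurationName -eq 'Microsoft.Exchange' -and $_.State -eq 'Opened'
})
if ($open.Count -ge $MaxSessions) {
    $problems += "$($open.Count) remote sessions already open; close some with Remove-PSSession."
}

# The account's remote PowerShell setting is managed in Exchange Online
# and is not tested here.
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    return
}

# All local checks passed: sign in with 2FA.
Connect-IPPSSession -UserPrincipalName $UserPrincipalName
```

Reading the WSMan: drive may require an elevated window and a running WinRM service; the catch block reports that case instead of failing silently.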
How to Enable 2FA in the Office 365 Admin Portal
Two-factor authentication (multi-factor authentication) can be enabled for individual users or in bulk. Before continuing, be sure to install Microsoft Authenticator on your users’ mobile devices (not Authenticator, a similar app from Microsoft but without support for push notifications). Here’s what Microsoft says to do to enable 2FA one user at a time:
- Log in to the Microsoft 365 admin portal using an administrator account.
- In the menu on the left of the portal, expand Users and Active users.
- In the list of users, click the user for which you want to enable 2FA. Note that only licensed users can use 2FA.
- In the user’s pane, click Manage multi-factor authentication under More settings.
- On the multi-factor authentication screen, select the user account to enable, and then click Enable under quick steps on the right.
- In the About enabling multi-factor auth dialog box, click enable multi-factor auth.
The MULTI-FACTOR AUTH STATUS should change to Enabled. Close the browser window and sign out of the admin portal.
How to Enroll an Account for 2FA
Once the feature is enabled, the user must enroll for 2FA. They sign in to Office 365 with their username and password, click Set it up now on the sign-in screen, and follow Microsoft’s instructions below:
- On the Additional security verification screen, select Mobile app
- Select Receive notifications for verification
- Click Set up
- Open the Microsoft Authenticator app on your phone and click Scan Barcode.
- Use the camera on your phone to scan the barcode in the Configure mobile app. You’ll then need to wait a couple of seconds while the app activates the new account.
- Click Finished in the browser window.
- Back on the Additional security verification screen, click Contact me.
The user will receive a notification on their phone. They should open it, and they’ll be taken to the Microsoft Authenticator app.
- Click Verify to complete the sign-in process.
- Click Close in the Microsoft Authenticator app.
- In the browser window, they must enter a number to receive verification codes in case they lose access to the Microsoft Authenticator app and click Next.
Web-based and mobile apps can use Microsoft Authenticator app verifications for 2FA logins, but Office desktop apps require an app password.
This final step provides the user with an app password for these apps.
- They should copy the app password by clicking the copy icon to the right of the password and paste it somewhere safe. Click Finished.
- They’ll be prompted to sign in again, this time by verifying the login using the Microsoft Authenticator app.
Important note from Microsoft: If you want to use only Multi-Factor Authentication for Microsoft 365, don’t create a Multi-Factor Authentication provider in the Azure Management Portal and link it to a directory. Doing so will take you from Multi-Factor Authentication for Office 365 to the paid version of Multi-Factor Authentication.
We hope this helps. It can be complicated to implement the proper settings for two-factor authentication in Microsoft Office 365. If you have any problems doing this, feel free to contact our Microsoft Experts.
April 2024 Update
As technology evolves, so do the methods we use to secure our data. Microsoft 365, formerly known as Office 365, has seen significant changes and improvements in its two-factor authentication (2FA) features to ensure enhanced security for all users. Here’s an update on what’s new and what has changed:
- Modern Authentication and Outlook Compatibility: Modern Authentication is now supported across all current versions of Outlook, including the latest releases post-2016. Users of Outlook 2019 and Outlook for Microsoft 365 receive full support for Modern Authentication, ensuring a seamless and secure user experience. Administrators must ensure that Modern Authentication is enabled across their Microsoft 365 environments to take full advantage of these security features.
- Updates to Two-Factor Authentication (2FA) Setup: The process for setting up two-factor authentication has been streamlined within the Microsoft 365 admin center. Users can now enable 2FA with fewer steps, and the interface has been redesigned for a more intuitive user experience. Additionally, the Microsoft Authenticator app has been updated to include more robust features, such as account recovery options and support for additional authentication methods.
- PowerShell Access with 2FA: Accessing Microsoft 365 services through PowerShell with 2FA enabled has been simplified with the introduction of the Microsoft 365 PowerShell Module, which replaces the older Exchange Online Remote PowerShell Module. This new module supports simultaneous connections to multiple Microsoft 365 services, reducing the complexity and improving the efficiency of administrative tasks.
- Security Recommendations and Best Practices: Microsoft has updated its security guidelines to include recommendations on managing remote PowerShell connections and network configurations. The limit on open remote PowerShell connections remains crucial to preventing denial-of-service (DoS) attacks. Additionally, ensuring that TCP port 80 and other necessary ports are open in accordance with organizational security policies is more critical than ever.
- Technological Updates: With the continuous updates to Microsoft 365, Windows Remote Management (WinRM) settings have also been revised. Basic authentication is phased out in favor of more secure methods, aligning with industry best practices for security. Users should verify that their system configurations adhere to the latest standards to avoid connectivity issues.
These updates ensure that Microsoft 365 remains at the forefront of secure enterprise collaboration tools. For any assistance or detailed guidance on implementing these new features, please consult the latest Microsoft 365 documentation or contact Microsoft support.