


Why you need to turn on multi-factor authentication now

Microsoft’s identity-driven security summit for partners held on September 17th at its Redmond headquarters kicked off with a statistic to focus the mind.

Only 10 - 20 per cent of user accounts associated with Microsoft’s flagship Office 365 cloud-based productivity suite use multi-factor authentication (MFA).

MFA involves employing more than one method to verify your true identity. It could require entering a PIN in addition to a password, an SMS verification code or, increasingly, using your fingerprint or a scan of your face to unlock a device.

For those with an Office 365 license or Azure AD plan, it involves regularly being asked to log in and verify your credentials using the Microsoft Authenticator app on your smartphone. In essence, the app verifies not only who you are but also what you have - the trusted device you’ve previously registered.

Identity issues

We’ve become used to MFA in banking and webmail apps. But in the workplace, there has been substantial resistance to rolling out MFA, and that resistance is increasingly part of the risk profile of many organisations.

After all, your Office documents likely contain sensitive information about your organisation and intellectual property. Every day, Microsoft detects millions of attempts to infiltrate Office 365 accounts. They target IT systems with single-factor authentication and weak passwords. Phishing attacks are the most common threat vector, as rogue actors hope to trick people into revealing their passwords by entering them into legitimate-looking forms or website log-in screens.

Identity and password theft are real threats and one can be eliminated almost completely if MFA is in place.

The conference gave partners a glimpse of some of Microsoft’s emerging security features currently in alpha mode, while allowing us to test drive existing security features currently in beta mode. We also heard from Microsoft security experts including Sue Bohn, Director of Program Management in the Identity Division at Microsoft, and a 25-year veteran of the company.

The message was clear - multi-factor authentication is critical to the future of securing online apps and services. Microsoft is aiming to boost uptake of Office 365 MFA to 60 - 80 per cent next year.

So why do so many organisations using Office 365 forego using MFA? The reason is the same whether you are talking to businesses in Sydney or Seattle - the concern that it will have a negative impact on the user experience, frustrating people because they are left locked out of their own company systems.

IT managers worry about the complexity of setting up MFA and managing privileged accounts.

Both of these concerns are more imagined than real. Empired lives and breathes Office 365: we run our own business on it and have multi-factor authentication in place for nearly 1,000 people. Our people are out talking to clients and working remotely all the time. We need them to be able to access information on a wide range of devices. MFA is essential to keeping their work secure.

Everyone has a smartphone these days, so it isn’t a stretch in any modern workplace to make it the device of choice to enable MFA.

The response I often hear when I talk to IT managers is that they don’t really require MFA. “We are not a bank”, some of them will say. Maybe not, but can you imagine a hacker trawling through your company network, including every contract with your customers and every email exchange? You don’t have to be a bank or a government department handling classified documents to need to protect yourself.

Towards adaptive authentication

Microsoft has also done a lot of work to make MFA and identity security less intrusive through what it calls conditional access or adaptive authentication. It is like the next evolution of MFA and allows your identity to be verified and reverified as you move through your working day shifting between locations, devices and applications. It is using intelligence to create rules for when you need to actively confirm your identity.

This is the future of identity management and will take us towards password-less security, which is a good thing, because compromised credentials are currently responsible for 80 per cent of security breaches.

In the meantime, it is essential to turn on MFA, particularly for admin and privileged accounts - those with the highest level of access to parts of your network. If you are running on-premises infrastructure, you can actually leverage Azure AD and Microsoft’s intelligent cloud-based tools to manage and monitor identity accounts for every employee.

Bohn told us that with multi-factor authentication in place, Office 365 users are safe from 99.9 per cent of credential attacks. It really is a no-brainer, and the capabilities are already there for Office 365 license holders.

Here are five things you can do to secure your Office 365 environment

  • Turn on MFA for all your IT admins, then for everyone else!
  • Block legacy authentication protocols that don’t enforce MFA and are no longer inherently secure.
  • Test your conditional access policies before rolling them out more widely.
  • Make sure your global admins are running Windows 10 with Windows Hello for Business.
  • Create a culture in your organisation where security is understood, accepted and just becomes part of the modern workplace.
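
An added example, not part of the original post or any Microsoft tooling: before enforcing MFA or blocking legacy authentication, an audit of exported sign-in records shows which accounts the first three steps above would affect. The records and the admin list are constructed for illustration; the field names follow the Microsoft Graph signIn resource.

```python
from collections import defaultdict

# Values Azure AD sign-in logs report for modern-auth clients; everything else
# (IMAP4, POP3, Authenticated SMTP, ...) is treated as legacy authentication.
MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}
MFA = "multiFactorAuthentication"
SFA = "singleFactorAuthentication"

# Constructed sample records (not real data).
FIELDS = ("userPrincipalName", "clientAppUsed", "authenticationRequirement")
SAMPLE_SIGNINS = [dict(zip(FIELDS, row)) for row in [
    ("admin1@example.com", "Browser", MFA),
    ("admin2@example.com", "Browser", SFA),
    ("scanner@example.com", "Authenticated SMTP", SFA),
    ("sales1@example.com", "IMAP4", SFA),
    ("sales1@example.com", "Mobile Apps and Desktop clients", MFA),
    ("sales2@example.com", None, SFA),  # missing client value: flag for review
]]

# Assumption: the list of privileged accounts is maintained separately.
ADMINS = {"admin1@example.com", "admin2@example.com"}


def audit_signins(signins, admins):
    """Report accounts that a legacy-auth block or admin MFA policy would hit."""
    admins = {a.lower() for a in admins}
    legacy = defaultdict(set)
    admins_without_mfa = set()
    for rec in signins:
        upn = (rec.get("userPrincipalName") or "").lower()
        client = rec.get("clientAppUsed") or "unknown"
        if client not in MODERN_CLIENTS:
            legacy[upn].add(client)
        if upn in admins and rec.get("authenticationRequirement") != MFA:
            admins_without_mfa.add(upn)
    return {
        "legacy_or_unknown_clients": {u: sorted(c) for u, c in sorted(legacy.items())},
        "admins_without_mfa": sorted(admins_without_mfa),
    }


if __name__ == "__main__":
    report = audit_signins(SAMPLE_SIGNINS, ADMINS)
    for user, clients in report["legacy_or_unknown_clients"].items():
        print(f"legacy/unknown client: {user}: {', '.join(clients)}")
    for user in report["admins_without_mfa"]:
        print(f"admin signing in without MFA: {user}")
```

Accounts listed under legacy or unknown clients are the ones to migrate or exempt deliberately before the block is enforced.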


This post is part of the Modern Workplace blog series. At Empired we have great depth of experience in helping organisations on their journey to creating a modern workplace. Talk to us to find out how we can help you get started.

Your work, your way, securely

Posted by: Alan Schmarr, Practice Lead | 09 October 2019

Tags: Security, Digital Workplace, Collaboration, Microsoft Office 365, Modern Workplace, #workyourwaysecurely
