O365 Enable 2FA On Existing O365 Win 2016 RDP Users

In this tutorial I'm going to show you how to convert existing O365 users with 2FA disabled to O365 users with 2FA enabled. The scenario I'm working under in this example are users who have existing O365 logons in a Win 2016 RDP environment who we're migrating to 2FA, but this process will work even under a standard PC environment.

What is 2FA? 2FA stands for Two Factor Authentication which, when enabled, gives your users and company an additional layer of security which is applied to each users O365 account.

How does it do this? It forces the user to apply their mobile phone number to their O365 account and this phone number is used as part of any logon procedure when accessing their O365 account. So not only do they have to provide the email address and password, but a numeric code is sent via a text message to their phone as part of the logon procedure.

Why is this important? This is important for a number of reasons, not least of which, it protects your company's data even if a hacker obtains your O365 username and password. They can't access your account without the code that is sent to your phone. Therefore, the username and password they have obtained by deception are rendered useless, preventing the hackers access to your company data.

Let's get started. First log onto your O365 admin portal via the link below:

https://portal.office.com/

Now follow the steps outlined below:

You've now completed the 2FA enabling process for the nominated users, by selecting each users check box. If you have hundreds of users I'd recommend you stage the roll out of 2FA. By this I mean, perhaps do 25 users a day to ensure you don't get inundated with support calls.

Also, ensure you have a comprehensive "How To" document sent out to all your users a few weeks prior to carrying out this process to give users ample time to digest and be aware of the impending change.

As outlined at the start of this document, I'm carrying out this 2FA upgrade on an existing Win 2016 RDP Environment where users have previously already signed onto O365, prior to 2FA being enabled. This adds an additional level of complexity to this procedure that needs to be outlined to ensure you're fully aware of the requirements.

When the user logs onto their RDP desktop, they'll open Outlook to access their email, but because they've already signed onto O365, they won't be prompted to go through the setup of Two Factor Authentication process. To force this process to be triggered, I recommend users be asked to log out of their O365 account. To do this from Outlook, follow the process outlined below:

Once you've closed Outlook, re-open it and you will now be prompted to go through the Two Factor Authentication setup procedure, which is outlined below:

You'll now be prompted to provide additional information to setup the Two Factor Authentication. Follow the steps outlined below:

You've now completed the 2FA user account upgrade process. This should improve the security for your users Office 365 accounts to help protect your company's email and data.

There is an additional step if you want to setup your email account on your iPhone, iPad or Android device. The reason for this is a lot of these devices and their standard email clients don't currently support Modern Authentication so therefore we need to treat them differently. This is slowly changing, but just in case your device doesn't support 2FA, we'll cover that scenario below. Alternatively, you could simply download and install the Microsoft Outlook client for your mobile device and that works with 2FA without issue.

If you insist on using your mobile devices standard email client and not migrate to the MS Outlook client, then read on. On your computer, open up a browser and go to the following address:

https://aka.ms/CreateAppPassword

Now log on to the account you wish to gain access for your mobile device using your credentials and if you've done everything as outlined in this tutorial, you should also be prompted with the 2FA authentication as part of the logon process. Now follows the steps below to setup your mobile device password.

I realise that this is a little cumbersome and counter intuitive, but until these mobile devices both Android and Apple, start to support Modern Authentication, this is the best work around in the interim.

If you have any comments, please leave them in the comments section below. Hope this has helped you get a better grasp of 2FA, it's advantages and the various gotchas.

No Comments Yet.

Leave a comment