Back in February, Microsoft announced the release of multi-factor authentication for Office 365. This feature allows IT administrators to dramatically increase the security of Office 365 by requiring a second factor of authentication to access the service. It is very simple to configure and use, and far simpler to set up for Office 365 than an equivalent solution on premises. To learn more about multi-factor authentication, I recommend the following blog post:

http://blog.kloud.com.au/2014/04/16/protect-your-identity-in-the-cloud-with-multi-factor-authentication/

 

There are some limitations of multi-factor authentication that are important to be aware of before turning on this feature.  One key limitation is that PowerShell commands cannot be run with an account that has multi-factor authentication enabled.  Here is why:

1) Authentication of a PowerShell session only accepts a user name and password.  There is no way to provide a second factor.

2) Application passwords cannot be used to authenticate a PowerShell session.

All Office 365 administrators will need to run PowerShell commands at some point to administer the service.  Therefore, multiple admin accounts will be required for different administrative scenarios.

 

Kloud Solutions recommends creating three separate Office 365 accounts for global admins who need to run PowerShell:

 

1) A standard user account to perform daily tasks such as checking email or accessing shared files.   This account will have an Office 365 license assigned.  Multi-factor authentication is not required for this account, but it is highly recommended.

2) A global admin account to perform administrative tasks.  This account should only be used when administrative access is required.  Because this account is privileged, I strongly recommend enabling multi-factor authentication to increase the level of security.

3) A global admin account to run PowerShell commands.  This account cannot be secured with multi-factor authentication, so I recommend leaving it disabled until it is needed.  Leaving it disabled reduces the risk of compromise even though the account has no second authentication factor.
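
One way to check a tenant against this account model, as an added example that is not part of the original post: the function flags any global admin that is neither protected by multi-factor authentication nor disabled. It assumes the MSOnline module's `Get-MsolUser` properties `StrongAuthenticationRequirements` and `BlockCredential`; the function name `Test-AdminAccountPolicy` and the sample accounts are hypothetical.

```powershell
# Added example: audit global admins against the three-account model above.
# Rule checked: a global admin must either have MFA turned on, or be sign-in
# blocked (the PowerShell-only admin account while it is not in use).
function Test-AdminAccountPolicy {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$User
    )
    process {
        # StrongAuthenticationRequirements is empty when MFA is off for the user.
        $states  = @($User.StrongAuthenticationRequirements | ForEach-Object { $_.State })
        $mfaOn   = [bool]($states -match '^(Enabled|Enforced)$')
        $blocked = [bool]$User.BlockCredential

        $finding = if ($mfaOn) {
            'OK: MFA protected'
        } elseif ($blocked) {
            'OK: no MFA, sign-in blocked'
        } else {
            'RISK: password-only global admin is active'
        }

        [pscustomobject]@{
            UserPrincipalName = $User.UserPrincipalName
            MfaOn             = $mfaOn
            Blocked           = $blocked
            Finding           = $finding
        }
    }
}

# Constructed sample objects shaped like Get-MsolUser output (names are made up).
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'admin-mfa@contoso.example'; BlockCredential = $false
        StrongAuthenticationRequirements = @([pscustomobject]@{ State = 'Enforced' }) }
    [pscustomobject]@{ UserPrincipalName = 'admin-ps@contoso.example'; BlockCredential = $true
        StrongAuthenticationRequirements = @() }
    [pscustomobject]@{ UserPrincipalName = 'admin-old@contoso.example'; BlockCredential = $false
        StrongAuthenticationRequirements = @() }
)
$sample | Test-AdminAccountPolicy | Format-Table -AutoSize

# Against a live tenant (MSOnline module, run from the PowerShell admin account):
#   Connect-MsolService
#   $role = Get-MsolRole -RoleName 'Company Administrator'
#   Get-MsolRoleMember -RoleObjectId $role.ObjectId |
#       ForEach-Object { Get-MsolUser -ObjectId $_.ObjectId } | Test-AdminAccountPolicy
```

When run against a live tenant, the PowerShell admin account itself is reported as a risk for as long as it is enabled, which is the reminder to disable it again once the session is finished.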

 

If you are looking for assistance with Office 365, PowerShell, or multi-factor authentication, please contact Kloud Solutions at the following URL:

http://blog.kloud.com.au/

Join the conversation! 2 Comments

  1. I can’t believe how shitty it is on Azure.
    We have enabled it for all of our Administrator accounts for security purposes but it is really painful to deal with.

    It’s August 2015 now and they haven’t fixed this. We can’t log in to PowerShell. We can’t even activate Office licenses.
