
Microsoft expands Office 365 MFA support, but snags remain

Administrators can use multifactor authentication to lock down Office 365, but the newer Azure Active Directory PowerShell module that ties services together has some drawbacks.

While a cloud service is a boon to users who need access to resources from wherever they happen to be, it also gives attackers another avenue to break in and wreak havoc on the enterprise: the same logon endpoint is reachable from anywhere.

Multifactor authentication (MFA) adds another layer of security to protect organizations against data breaches -- even when passwords fall into the wrong hands. Because of the added exposure that comes with using a cloud service, more administrators have established an Office 365 MFA setup to prevent outsiders from gaining access.

Microsoft added support for multifactor authentication to Azure Active Directory (AD) PowerShell, version 1.0, in 2015; however, that support did not extend to connecting to the other Office 365 services with MFA-enabled accounts. The company updated the module to version 2.0 in 2017 to provide that functionality. Each Office 365 service still requires its own module, as the cmdlet overview below shows.

Complications with PowerShell modules

The Office 365 MFA update helps secure access to cloud services, but there is a downside. Because every service has its own module, the modules do not share tokens. When an MFA-enabled account authenticates against Exchange Online, the other modules cannot reuse the resulting token, so connecting to another service means repeating the whole sign-in, second factor included. Organizations with service-specific management roles will rarely notice; an Exchange administrator, for example, typically connects only to Exchange Online and occasionally to Azure Active Directory.

Additionally, in the newer MFA-capable modules the cmdlets used to connect with an MFA-enabled account differ from their regular counterparts, and the parameters are inconsistent from module to module. This is unlike version 1.0 of the Azure Active Directory module, which uses the same cmdlet (Connect-MsolService) for both MFA and non-MFA accounts. Version 1.0 also accepts the -Credential parameter in both scenarios and then checks whether additional MFA authentication is required.

Here is a short overview of the cmdlets that connect to various Office 365 services with non-MFA-enabled and MFA-enabled accounts:


Exchange Online
  Non-MFA account:      New-PSSession -ConnectionUri https://outlook.office365.com/ -Credential $Credential -Authentication Basic -SessionOption $SessionOptions
  MFA-enabled account:  Connect-EXOPSSession -ConnectionUri https://outlook.office365.com/ -UserPrincipalName $UserID

Skype for Business Online
  Non-MFA account:      New-CsOnlineSession -Credential $Credential
  MFA-enabled account:  New-CsOnlineSession -Username $UserID

SharePoint Online
  Non-MFA account:      Connect-SPOService -Url $TenantURL -Credential $Credential
  MFA-enabled account:  Connect-SPOService -Url $TenantURL

Azure Active Directory, module version 1.x
  Non-MFA account:      Connect-MsolService -Credential $Credential
  MFA-enabled account:  Connect-MsolService -Credential $Credential (the module prompts for the second factor when the account requires it)

Azure Active Directory, module version 2.x
  Non-MFA account:      Connect-AzureAD -Credential $Credential
  MFA-enabled account:  Connect-AzureAD (interactive sign-in)

As the table shows, it is not always an option to hand credentials directly to the module. If an administrator omits the -Credential parameter when connecting to Skype for Business Online, for example, the Office 365 MFA authentication process is triggered; with the same module, a logon that fails because -Credential was supplied for an MFA-enabled account can be confusing to diagnose. The Exchange Online MFA PowerShell module offers no way to pass additional session options, such as timeout settings or proxy configuration; for the proxy, it uses the system Internet Explorer configuration.

Another item to be aware of: If the PowerShell session times out, you need to reconnect from scratch and go through the MFA approval process again. With version 1.0 of the Azure Active Directory module, PowerShell would simply reconnect with the cached credentials when you entered a cmdlet.

Script simplifies the Office 365 MFA connection process

It can be difficult to remember how to connect to different Office 365 services, especially with newer MFA authentication variations. To make it easier, add the following script to the PowerShell profile.

The script detects which modules are installed and shares a link to download any that are missing. It also detects the modules that support MFA, prompts for credentials, and asks whether the module should use MFA when authenticating.

PowerShell script
Use a PowerShell script to connect to different Office 365 services with the same credentials.
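As an added example that is not the article's script (nor Microsoft's code), the profile function below ties the cmdlet overview and the caveats above together: without -MFA it prompts once for a credential and hands the same object to every module; with -MFA it branches to each module's own interactive sign-in, which means one approval per service because the modules do not share tokens. It warns about missing modules instead of failing mid-connection, and it shows that session options apply only on the classic Exchange Online path. Connect-O365, $UserID and $TenantURL are this example's own names; the module and cmdlet names are Microsoft's. The ClickOnce cache path used to find the Exchange Online MFA module is an assumption about the default install location.

```powershell
# Added example (not the article's script or Microsoft's code). Connect-O365, $UserID and
# $TenantURL are this example's names; module and cmdlet names are Microsoft's. Put it in $PROFILE.
function Connect-O365 {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('ExchangeOnline', 'SkypeForBusinessOnline', 'SharePointOnline', 'AzureADv1', 'AzureADv2')]
        [string[]]$Service,
        # UPN of the admin account, e.g. admin@contoso.onmicrosoft.com (placeholder tenant)
        [Parameter(Mandatory)]
        [string]$UserID,
        # SharePoint admin URL, e.g. https://contoso-admin.sharepoint.com (placeholder tenant)
        [string]$TenantURL,
        # With -MFA every module runs its own interactive sign-in. The modules do not
        # share tokens, so expect one MFA approval per service requested.
        [switch]$MFA
    )

    # Module each service needs. Exchange Online is handled separately: the classic path
    # needs no module and the MFA module is a ClickOnce app.
    $Modules = @{
        SkypeForBusinessOnline = 'SkypeOnlineConnector'                   # separate Microsoft download
        SharePointOnline       = 'Microsoft.Online.SharePoint.PowerShell'  # Install-Module
        AzureADv1              = 'MSOnline'                                # Install-Module
        AzureADv2              = 'AzureAD'                                 # Install-Module
    }

    # Without MFA, ask once and pass the same credential object to every module.
    $Credential = $null
    if (-not $MFA) {
        $Credential = Get-Credential -UserName $UserID -Message 'Office 365 admin credential'
    }

    foreach ($svc in $Service) {
        if ($Modules.ContainsKey($svc) -and -not (Get-Module -ListAvailable -Name $Modules[$svc])) {
            Write-Warning "$svc needs the '$($Modules[$svc])' module, which is not installed; skipping."
            continue
        }

        switch ($svc) {
            'ExchangeOnline' {
                if ($MFA) {
                    # Connect-EXOPSSession is defined by the ClickOnce-installed MFA module.
                    # Assumption: the module sits in the default ClickOnce cache under %LOCALAPPDATA%.
                    if (-not (Get-Command Connect-EXOPSSession -ErrorAction SilentlyContinue)) {
                        $Exo = Get-ChildItem "$env:LOCALAPPDATA\Apps\2.0" -Recurse -Filter CreateExoPSSession.ps1 -ErrorAction SilentlyContinue | Select-Object -First 1
                        if ($Exo) { Import-Module $Exo.FullName -DisableNameChecking }
                    }
                    if (Get-Command Connect-EXOPSSession -ErrorAction SilentlyContinue) {
                        # No -SessionOption on this path: timeout and proxy follow the system (IE) settings.
                        Connect-EXOPSSession -ConnectionUri https://outlook.office365.com/powershell-liveid/ -UserPrincipalName $UserID
                    }
                    else {
                        Write-Warning 'Exchange Online MFA module not found; install it from the Exchange admin center (Hybrid page).'
                    }
                }
                else {
                    # Classic remote PowerShell: the only path that honours session options.
                    $ExoParams = @{
                        ConfigurationName = 'Microsoft.Exchange'
                        ConnectionUri     = 'https://outlook.office365.com/powershell-liveid/'
                        Credential        = $Credential
                        Authentication    = 'Basic'
                        AllowRedirection  = $true
                        SessionOption     = New-PSSessionOption -IdleTimeout 7200000   # 2 hours, in ms
                    }
                    Import-PSSession (New-PSSession @ExoParams) -DisableNameChecking | Out-Null
                }
            }
            'SkypeForBusinessOnline' {
                Import-Module SkypeOnlineConnector
                # Omitting -Credential is what triggers the MFA flow for this module.
                $Cs = if ($MFA) { New-CsOnlineSession -UserName $UserID } else { New-CsOnlineSession -Credential $Credential }
                Import-PSSession $Cs | Out-Null
            }
            'SharePointOnline' {
                if (-not $TenantURL) { Write-Warning 'SharePointOnline needs -TenantURL; skipping.' }
                else {
                    Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking
                    if ($MFA) { Connect-SPOService -Url $TenantURL } else { Connect-SPOService -Url $TenantURL -Credential $Credential }
                }
            }
            'AzureADv1' {
                Import-Module MSOnline
                # v1 also takes -Credential for MFA accounts and then asks for the second factor; the
                # parameterless call simply opens the interactive sign-in.
                if ($MFA) { Connect-MsolService } else { Connect-MsolService -Credential $Credential }
            }
            'AzureADv2' {
                Import-Module AzureAD
                if ($MFA) { Connect-AzureAD } else { Connect-AzureAD -Credential $Credential }
            }
        }
    }
}
# Usage: Connect-O365 -Service ExchangeOnline, AzureADv2 -UserID admin@contoso.onmicrosoft.com -MFA
```

Run it with -MFA and two services and you will see the behaviour the article describes first hand: two separate sign-in dialogs and two MFA approvals, because nothing carries the first token over to the second module.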

Microsoft enhances other authentication offerings

Microsoft also made other authentication-focused updates. The company continues to improve the Authenticator app, which can authorize MFA requests for non-Microsoft accounts, such as Facebook and WordPress. More recently, Microsoft added a feature called Phone Sign-In, which lets a trusted device approve access to Microsoft accounts. This streamlines the authentication process and enables users to approve or deny authorization requests with their phones.
