I'm curious about how everyone approaches multi-factor authentication (MFA) for users in Microsoft 365. Specifically, what do you all do about users who never leave the office and don't possess a corporate mobile device? Do you require these users to enable MFA on their personal devices? We have a conditional access policy in place that blocks sign-ins for these users when they are outside the network, but I believe we should still look for a way to enroll them in MFA. I'm eager to hear your thoughts and options!
5 Answers
We opted for Duo hardware tokens for all our O365 users. Each user gets a token assigned through our Duo instance, which syncs external users for two-factor authentication. It’s been super secure, as long as they don’t leave their tokens next to their passwords!
We just integrated our cloud MFA provider with Entra. If a user logs in to Entra, they go through the provider for their authentication token. This works whether they are inside or outside the corporate network, ensuring everyone has to comply with MFA requirements.
We use Intune and Conditional Access policies. Users don’t have to use MFA when they’re connected to a trusted corporate network with a company-owned or compliant device. If they sign in from anywhere else, MFA kicks in. This keeps in-office users protected without burdening them with constant MFA prompts. We also have a policy that blocks sign-ins from outside the network for certain groups, but for the rest, it's a mix of trusted locations, compliant devices, and MFA enforcement.
We might need to expand this inside our network to prevent password sharing. With MFA in place, it could help avoid those situations.
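The policy model described in the answer above (no MFA prompt on a trusted corporate network with a compliant device, MFA from anywhere else) can be expressed as two Conditional Access policies. The following is an added example written with the Microsoft Graph PowerShell SDK; it is not code from any poster in this thread. The office IP range, the break-glass account object ID and the policy display names are placeholders, and both policies are created in report-only state so nothing is enforced until the sign-in logs have been reviewed. The "MFA for everyone, period" stance from a later answer is simply the first policy with the trusted-location exclusion removed.

```powershell
# Added example (not from the thread): two report-only Conditional Access
# policies reproducing "compliant device on a trusted network = no MFA
# prompt, MFA everywhere else", built with the Microsoft Graph PowerShell SDK.
# IP range, break-glass account ID and policy names are placeholders.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

# Emergency-access (break-glass) account excluded from both policies so a
# mistake here cannot lock every admin out. Placeholder object ID.
$breakGlassId = "00000000-0000-0000-0000-000000000000"

# 1. Register the office egress range as a trusted named location.
#    203.0.113.0/24 is documentation address space; use your real public range.
$office = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "HQ office egress"
    isTrusted     = $true
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.0/24" }
    )
}

# 2. Outside every trusted location: always require MFA, no device exemption.
#    "AllTrusted" also covers the legacy MFA trusted IPs, not just named locations.
$offNet = @{
    displayName = "CA01 - Require MFA outside trusted locations"
    state       = "enabledForReportingButNotEnforced"   # switch to "enabled" after review
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        locations      = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $offNet

# 3. Inside the trusted location: an Intune-compliant device satisfies the
#    policy on its own; anything else (a personal laptop on office Wi-Fi,
#    a shared unmanaged PC) is prompted for MFA.
$onNet = @{
    displayName = "CA02 - Trusted location: compliant device or MFA"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        locations      = @{ includeLocations = @($office.Id) }
    }
    # Operator "OR": either control alone grants access.
    grantControls = @{ operator = "OR"; builtInControls = @("mfa", "compliantDevice") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $onNet

# Confirm both policies exist and are still report-only before enabling them.
Get-MgIdentityConditionalAccessPolicy |
    Select-Object DisplayName, State |
    Format-Table -AutoSize
```

Leave both policies in report-only for a week or so and check the "Report-only" result in the Entra sign-in logs before changing `state` to `"enabled"`: that is where you find the service accounts, kiosks and sync clients that would have been blocked. Policies are evaluated when a token is issued or refreshed, so a sign-in that already holds a valid session is not re-prompted the moment it leaves the trusted range; keep that in mind when reasoning about laptops that roam between the office and home.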
In our setup, we have an MFA process with IP desk phones for users who don’t have mobile devices. When they need to authenticate, the system calls them to confirm the sign-in. It’s a bit old-school but it works well for us!
That’s interesting! What if not everyone has access to an external line?
MFA is a must for everyone, period. We dropped the idea of having non-compliant devices on the network. Even if they only work in the office, their accounts still need the extra security. Most users just install the Microsoft Authenticator app on their personal devices; if they refuse, we give them hard tokens. It's non-negotiable!
How do you handle shared devices and non-interactive sign-in, like for OneDrive?