Office 365: Multi-Factor Authentication and Password Security gotchas
When you sign in to your Office 365 tenant you may see an alert that your password is going to expire in XX days.
http://gokanx.files.wordpress.com/2014/01/1.png?w=600&h=214
I tried to change/reset the password but failed. On Microsoft Answers I found that the password expiration policy can be managed under: Office 365 admin center > service settings > passwords.
http://gokanx.files.wordpress.com/2014/01/11.png?w=1200&h=360
But this user interface cannot set an account to “not expire”; the only workaround is to set the days before passwords expire to the maximum of 730 days (2 years). That is a workaround, not a solution. I need to disable expiry.
After searching a while it seems that with Office 365 almost everything is (very) easy in PowerShell. I also found that in Office 365 you only need two lines to disable the password policy for a user.
http://gokanx.files.wordpress.com/2014/01/12.png?w=1200&h=360
First open the Microsoft Online Services Module for Windows PowerShell and note the same alert appearing in the task bar (download: 32-bit or 64-bit).
http://gokanx.files.wordpress.com/2014/01/13.png?w=1200&h=998
You have to connect to your Office 365 tenant, using the **Connect-MsolService** command. This opens a small sign-in box where you enter the Office 365 Administrator user name and password.
- Username: gokanx@meloon.onmicrosoft.com
- Password: *************************
You should now be connected to your O365 tenant. Run the following to get an overview of your account: Get-MsolUser | fl
http://gokanx.files.wordpress.com/2014/01/14.png?w=600
You can see that the PasswordNeverExpires property has no value. The following PowerShell command enables it: Get-MsolUser | Set-MsolUser -PasswordNeverExpires $True. Note that piping Get-MsolUser applies the change to every user it returns, not only to your own account; the per-user form with -UserPrincipalName is listed under “Other PowerShell commands” below.
http://gokanx.files.wordpress.com/2014/01/15.png?w=1200&h=186
http://gokanx.files.wordpress.com/2014/01/16.png?w=600
Finally, your user now has a password that will never expire. But will every company accept this? Is this secure enough? I have my doubts… So let’s check what more we can do with passwords on Office 365.
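Before exempting anyone from expiry it is worth knowing who is already exempt and what the tenant policy says. The following script is an added example (not code from the original post); it uses the same MSOnline cmdlets as the post, and the tenant domain and the office365ga account name are placeholders taken from the post’s own examples.

```powershell
# Added example: audit password-expiry settings in an Office 365 tenant with the
# MSOnline module and exempt one named account instead of every user.
Import-Module MSOnline
Connect-MsolService   # prompts for the Global Administrator credentials

$domain   = 'meloon.onmicrosoft.com'              # placeholder tenant domain
$adminUpn = 'office365ga@meloon.onmicrosoft.com'  # placeholder admin account

# 1. Tenant-wide policy: validity period and notification window.
Get-MsolPasswordPolicy -DomainName $domain

# 2. Per-user view. Without -All, Get-MsolUser returns only the first 500 users,
#    so a large tenant would be silently under-reported.
$report = Get-MsolUser -All |
    Select-Object UserPrincipalName,
                  PasswordNeverExpires,
                  LastPasswordChangeTimestamp,
                  StrongPasswordRequired,
                  BlockCredential

# Accounts that never expire and whose password is older than a year:
# these are the ones a reviewer will ask about.
$cutoff = (Get-Date).AddYears(-1)
$stale = $report | Where-Object {
    $_.PasswordNeverExpires -and $_.LastPasswordChangeTimestamp -lt $cutoff
}
$stale | Format-Table -AutoSize

# 3. Exempt exactly one account from expiry rather than piping every user
#    into Set-MsolUser.
Set-MsolUser -UserPrincipalName $adminUpn -PasswordNeverExpires $true

# Confirm the change on that single account.
Get-MsolUser -UserPrincipalName $adminUpn |
    Select-Object UserPrincipalName, PasswordNeverExpires, LastPasswordChangeTimestamp
```

Run the audit part first and keep the output; the stale list is the set of accounts for which a never-expiring password should be justified by a second factor or by a blocked sign-in, as the later sections of the post describe.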
Password Best Practices
According to Cogmotive, best practices for Office 365 passwords can be divided into several parts:
1 Use complex and long Passwords
According to TechNet Passwords must contain characters from three of the following five categories:
- Uppercase characters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters)
- Lowercase characters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters)
- Base 10 digits (0 through 9)
- Nonalphanumeric characters: ~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/
- Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from Asian languages.
2 Use a Managed Account for your Admin User
As with SharePoint Server, you can create managed accounts for your Office 365 tenant. Suppose you have an Office 365 account called gokanx@meloon.onmicrosoft.com that you use everywhere (Exchange, Server, Lync, managing Office 365…). Bad choice! You should create a separate account called office365ga@meloon.onmicrosoft.com that holds the Global Administrator role, and use this account only for logging in to the Microsoft portal and PowerShell.
This user account doesn’t even require an Office 365 license as it most likely doesn’t need a mailbox. This means you will not be charged by Microsoft for this additional Administrative account.
Let’s create a generic Managed Account. Surf to the users and groups on the Office 365 Administration Center and hit the little “+”.
http://gokanx.files.wordpress.com/2014/01/17.png?w=1200&h=216
Provide a First Name, Last name and a User Name and hit Next.
http://gokanx.files.wordpress.com/2014/01/18.png?w=600
We have to assign a role to our Office 365 Global Administrator. As we are creating a Global Administrator, select the **Global Administrator** role and provide a non-onmicrosoft.com email address for recovery in case you forget your password.
http://gokanx.files.wordpress.com/2014/01/19.png?w=1200&h=468
A few times ‘Next’ and your user is created and ready for use! Don’t forget to remove the Global Administrator role from all the previous accounts to complete this step.
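The same dedicated, unlicensed administrator can be created from PowerShell, which also makes it easy to list every other holder of the role so the leftover everyday accounts can be removed. This is an added example, not code from the original post; the account names and the recovery address are placeholders, and the role is addressed by its MSOnline name “Company Administrator”, which is what the portal shows as Global Administrator.

```powershell
# Added example: create the dedicated Global Administrator account without a
# license, assign the role, and review who else holds it.
Import-Module MSOnline
Connect-MsolService

$adminUpn     = 'office365ga@meloon.onmicrosoft.com'  # placeholder admin account
$recoveryMail = 'recovery@example.com'                # placeholder non-onmicrosoft address

# No -LicenseAssignment: the account needs no mailbox, so no license is consumed.
# -ForceChangePassword makes the generated temporary password single-use.
$newUser = New-MsolUser -UserPrincipalName $adminUpn `
    -DisplayName 'Office 365 Global Admin' `
    -FirstName 'Office365' -LastName 'GA' `
    -AlternateEmailAddresses @($recoveryMail) `
    -StrongPasswordRequired $true `
    -ForceChangePassword $true

# New-MsolUser returns the generated temporary password in the Password property;
# hand it over out of band and never store this output.
$newUser | Select-Object UserPrincipalName, Password

# "Company Administrator" is the MSOnline name of the Global Administrator role.
$role = Get-MsolRole -RoleName 'Company Administrator'
Add-MsolRoleMember -RoleObjectId $role.ObjectId -RoleMemberEmailAddress $adminUpn

# Review every holder of the role. Everyday accounts that also hold it are the
# ones the post says to strip of the role.
Get-MsolRoleMember -RoleObjectId $role.ObjectId |
    Select-Object DisplayName, EmailAddress, IsLicensed |
    Format-Table -AutoSize

# To remove the role from an everyday account (placeholder address):
# Remove-MsolRoleMember -RoleObjectId $role.ObjectId -RoleMemberEmailAddress 'gokanx@meloon.onmicrosoft.com'
```

Keep at least two accounts in the role before removing any, so a single forgotten password or blocked sign-in does not lock you out of the tenant.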
3 Enable Multi-Factor Authentication
According to TechNet Multi-factor authentication adds a critical second layer of security to user sign-ins and transactions. It works by requiring any two or more of the following verification methods:
- Something you know (typically a password)
- Something you have (a trusted device that is not easily duplicated, like a phone)
- Something you are (biometrics)
The security of multi-factor authentication lies in its layered approach. Compromising multiple authentication factors presents a significant challenge for attackers. Even if an attacker manages to learn the user’s password, it is useless without also having possession of the trusted device. Conversely, if the user happens to lose the device, the finder of that device won’t be able to use it unless he or she also knows the user’s password.
Therefore, on the same screen, click Manage next to **Multi-Factor Authentication** at the top.
http://gokanx.files.wordpress.com/2014/01/110.png?w=1200&h=216
Select the user for whom you want to enable Multi-Factor Authentication (in my case the Office 365 Global Administrator I just created) and hit Enable.
http://gokanx.files.wordpress.com/2014/01/111.png?w=1200&h=602
A pop-up appears; click ‘yes, enable multi-factor authentication’ for that user.
http://gokanx.files.wordpress.com/2014/01/112.png?w=1200&h=578
Now that Multi-Factor Authentication is enabled, log out and log back in as the user you selected above.
On first login you are prompted to configure the Multi-Factor Authentication settings, starting with a password change: provide the old and the new password.
http://gokanx.files.wordpress.com/2014/01/113.png?w=1200&h=1062
Office 365 does not redirect you to the Office 365 Admin Center as usual, but requires a short setup for additional security verification. Hit “Set it up now”.
http://gokanx.files.wordpress.com/2014/01/114.png?w=600
Select your country, provide a phone number and choose to receive a text message. Be aware that this isn’t free: standard telephone and SMS charges apply.
http://gokanx.files.wordpress.com/2014/01/115.png?w=1200&h=566
A few seconds later you receive a text message on your smartphone from Microsoft Online Services with your verification code.
http://gokanx.files.wordpress.com/2014/01/117.png?w=548&h=820
Enter the same code on the screen and hit Verify.
http://gokanx.files.wordpress.com/2014/01/118.png?w=1200&h=336
When you connect with a user for whom Multi-Factor Authentication is enabled, Office 365 asks for your password and then for a verification code from Microsoft.
http://gokanx.files.wordpress.com/2014/01/119.png?w=600
And voila, your Multi-Factor Authentication is set up! You now have a password that never expires and need a verification code to sign in!
4 Use a separate Administrator Account for PowerShell Access
What we can now do is create a new administrator account that does not have Multi-Factor Authentication enabled and is used only for PowerShell access.
This administrator account stays disabled unless we explicitly want to use it. For most people this is no issue, as they connect to Office 365 with PowerShell only once every few weeks.
Create a user again as shown a few steps earlier. Provide a First Name, Last Name and a User Name.
http://gokanx.files.wordpress.com/2014/01/120.png?w=600
Select the role and provide an email address.
http://gokanx.files.wordpress.com/2014/01/121.png?w=1200&h=402
At the next screen select any of the options and hit Next. Your user is now created.
http://gokanx.files.wordpress.com/2014/01/122.png?w=1200&h=840
Connect with another user that has Global Administrator rights and edit the user’s properties. You can now block the user’s sign-in. This means that the PowerShell Global Administrator can only use PowerShell when we allow it!
http://gokanx.files.wordpress.com/2014/01/123.png?w=1200&h=518
http://gokanx.files.wordpress.com/2014/01/124.png?w=1200&h=492
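Sections 3 and 4 together leave the tenant with administrators that should all have MFA, plus one PowerShell-only administrator that has no MFA and is blocked except during maintenance. The script below is an added example (not code from the original post) that checks and enforces exactly that state from PowerShell: it lists the MFA status of every Global Administrator, enables per-user MFA where it is missing using the StrongAuthenticationRequirement object the MSOnline module exposes, and toggles sign-in blocking for the PowerShell-only account. The office365ps account name is a placeholder.

```powershell
# Added example: audit MFA on all Global Administrators, enable it where it is
# missing, and keep the PowerShell-only administrator blocked until needed.
Import-Module MSOnline
Connect-MsolService

$psAdminUpn = 'office365ps@meloon.onmicrosoft.com'   # placeholder PowerShell-only admin

function Get-MfaState {
    param([Parameter(Mandatory)] $User)
    # StrongAuthenticationRequirements is empty when per-user MFA is off;
    # otherwise its State is Enabled (setup pending) or Enforced.
    $req = $User.StrongAuthenticationRequirements | Select-Object -First 1
    if ($null -eq $req) { 'Disabled' } else { $req.State.ToString() }
}

# Resolve every holder of the Global Administrator role to a full user object.
$role   = Get-MsolRole -RoleName 'Company Administrator'
$admins = Get-MsolRoleMember -RoleObjectId $role.ObjectId |
    ForEach-Object { Get-MsolUser -UserPrincipalName $_.EmailAddress }

# Report: who has MFA, and who is currently blocked from signing in.
$admins |
    Select-Object UserPrincipalName,
                  @{ Name = 'MFA'; Expression = { Get-MfaState $_ } },
                  BlockCredential |
    Format-Table -AutoSize

# Enable MFA for every admin except the PowerShell-only account, which the
# post deliberately keeps MFA-free and blocked instead.
$mfa = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$mfa.RelyingParty = '*'
$mfa.State        = 'Enabled'
foreach ($admin in $admins) {
    if ($admin.UserPrincipalName -eq $psAdminUpn) { continue }
    if ((Get-MfaState $admin) -eq 'Disabled') {
        Set-MsolUser -UserPrincipalName $admin.UserPrincipalName `
                     -StrongAuthenticationRequirements @($mfa)
    }
}

# The PowerShell-only admin stays blocked. Unblock it only for the maintenance
# window and block it again afterwards; an unblocked MFA-free admin is the
# weakest credential in the tenant.
Set-MsolUser -UserPrincipalName $psAdminUpn -BlockCredential $true
# During maintenance (run from an already-connected session):
# Set-MsolUser -UserPrincipalName $psAdminUpn -BlockCredential $false
```

Running the report part on a schedule gives a quick check that no administrator has slipped back to “Disabled”, and that the PowerShell-only account is not left unblocked after a maintenance window.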
Other PowerShell commands
To change this for another user, use the following PowerShell command:
Set-MsolUser -UserPrincipalName gokanx@meloon.onmicrosoft.com -PasswordNeverExpires $True
Set a predefined password for an Office 365 user:
Set-MsolUserPassword -UserPrincipalName gokanx@meloon.onmicrosoft.com -NewPassword P@ssw0rd -ForceChangePassword $false
Set a temporary password for a specific user:
Set-MsolUserPassword -UserPrincipalName gokanx@meloon.onmicrosoft.com -NewPassword temPass01 -ForceChangePassword $true
Set a temporary password for all Office 365 users (a temporary password must force a change at next sign-in, so -ForceChangePassword is $true here; Get-MsolUser returns at most 500 users unless -All is given):
Get-MsolUser | Set-MsolUserPassword -NewPassword P@ssw0rd -ForceChangePassword $true
Set the Office 365 password policy (notification days must be lower than the validity period):
Set-MsolPasswordPolicy -DomainName meloon.onmicrosoft.com -NotificationDays 720 -ValidityPeriod 730
References
- http://technet.microsoft.com/en-us/library/dn194123.aspx
- http://community.office365.com/en-us/forums/156/t/199722.aspx
- http://www.o365info.com/2012/09/manage-office-365-users-password-using.html
- https://www.cogmotive.com/blog/office-365-tips/office-365-administrator-account-best-practices