Now that there have been enough breaches and compromised systems, IT administrators are beginning to take MFA seriously. Here are a couple of blogs I wrote on the matter:
- Why Do I Need Multifactor Authentication in Office 365? Isn’t a Password Enough?
- Microsoft MFA Update
So now that your IT administrator has enabled MFA for you, and you have either the Microsoft Authenticator app on your phone, or you get text messages, or you have some other means of providing a second form of authentication, what else do you need to know? Frankly, more apps use this credential than you may realize.
Of course, you have Microsoft Outlook on your computer and perhaps your phone. But you also have Microsoft OneDrive for Business and Microsoft Teams. If your company has an intranet site, then you’ll use the account when signing into your company’s SharePoint site(s). If your company uses Dynamics 365, then you’ll use the same credentials there. Perhaps your company has integrated your Azure AD into third-party SaaS services like Workday or ServiceNow, so when you log into those websites, they use the same credentials too.
What was once used only to log into your computer and your email now signs you into a great many websites and applications. Your Microsoft Authenticator app on your phone asks whether you would like to approve a Microsoft account sign-in. Or you get a text message with a six-digit code to use for sign-in. How would you know whether that prompt came from one of the many apps you use signing in legitimately, or from a bad actor who happens to have your username and password and is trying to get into one of those applications as you?
Viewing Your Microsoft Sign-in History
Enter Microsoft’s self-service account pages, which let you manage your security information and even review a history of where you have signed in from, so you can judge whether it really was you or someone else.
My Account (myaccount.microsoft.com) is the one-stop shop for everything security-related to your account. Depending on how your organization is set up, you can update your MFA settings here, change your password, see which devices you have signed in from, download any Office applications you are licensed for, and review your sign-in attempts. The direct link to review sign-in attempts is My Sign-Ins (mysignins.microsoft.com).
This site keeps the last week of sign-ins available to you, giving you information for each sign-in attempt, including:
- the time of the sign-in attempt,
- the location the attempt was made from (a geographic lookup of the public IP address it originated from, so it can be off by a city or more for mobile-carrier and VPN addresses),
- the operating system of the machine it came from,
- the browser or application used in the attempt, and
- whether the sign-in was successful or not.
So my recommendation is to train your users to:
- Know that this page exists; and
- Use it.
There will come a time when every user asks whether an MFA prompt was a legitimate one. The first rule is simple: if they did not just try to sign in, they should not approve the prompt; deny it, or let it expire. Then train them to sign into the My Sign-Ins page as soon as possible after receiving the prompt (that visit will itself add an entry, and may prompt for MFA again, which is expected). There they can quickly see whether the sign-in request for their Microsoft account matches something they did: the time, the location, the operating system, and the app all have to line up. If they can readily identify that it was them, then they have just educated themselves.
However, if they don’t know for sure, or an entry shows a place, device, or app they don’t recognize, then they should click the link on the site that says, “Look unfamiliar? Secure your account” to begin changing their password if possible, and inform their IT department of what happened as soon as possible. IT can then review the same sign-ins, with more history and detail, in the Azure AD sign-in logs.
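The same comparison a user makes by eye on My Sign-Ins (time, location, operating system, app, success or failure) can be scripted for a helpdesk that is handed a user’s sign-in history. The block below is an added example, not code from the original post or from Microsoft: it triages constructed sample records whose field names follow the Microsoft Graph `signIn` resource (the data behind the My Sign-Ins page), picking out the entries logged around the moment an MFA prompt arrived and flagging anything from an unfamiliar country or platform, any failed attempt, and a success that follows a failed attempt from the same address. The sample times, addresses, and places are made up; the baseline of “known” sign-ins is seeded from entries the user has already confirmed as their own, and is deliberately not extended by unfamiliar successes, because an unfamiliar success is exactly the case the user must confirm.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records in the shape of the Microsoft Graph signIn
# resource, which is the data behind the My Sign-Ins page. The times,
# addresses and places are made up for this example.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2024-03-04T08:02:11Z",
     "appDisplayName": "Microsoft Teams", "ipAddress": "203.0.113.10",
     "location": {"city": "Seattle", "countryOrRegion": "US"},
     "deviceDetail": {"operatingSystem": "Windows 10", "browser": "Edge 122.0.0"},
     "status": {"errorCode": 0, "failureReason": "Other."}},
    {"createdDateTime": "2024-03-04T12:40:05Z",
     "appDisplayName": "Office 365 SharePoint Online", "ipAddress": "203.0.113.10",
     "location": {"city": "Seattle", "countryOrRegion": "US"},
     "deviceDetail": {"operatingSystem": "Windows 10", "browser": "Edge 122.0.0"},
     "status": {"errorCode": 0, "failureReason": "Other."}},
    # A strong-authentication failure, then a success two minutes later, from an
    # address and platform the user has never signed in from: the pattern left
    # behind when someone with the password gets an MFA prompt approved.
    {"createdDateTime": "2024-03-05T02:15:47Z",
     "appDisplayName": "Office 365 Exchange Online", "ipAddress": "198.51.100.77",
     "location": {"city": "Lagos", "countryOrRegion": "NG"},
     "deviceDetail": {"operatingSystem": "Linux", "browser": "Chrome 121.0.0"},
     "status": {"errorCode": 500121,
                "failureReason": "Authentication failed during strong authentication request."}},
    {"createdDateTime": "2024-03-05T02:17:30Z",
     "appDisplayName": "Office 365 Exchange Online", "ipAddress": "198.51.100.77",
     "location": {"city": "Lagos", "countryOrRegion": "NG"},
     "deviceDetail": {"operatingSystem": "Linux", "browser": "Chrome 121.0.0"},
     "status": {"errorCode": 0, "failureReason": "Other."}},
]


def _when(stamp):
    """Parse the UTC 'Z' timestamps Graph emits (works on Python < 3.11 too)."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _fingerprint(rec):
    """(country, operating system): the two columns a user most easily recognises."""
    loc = rec.get("location") or {}
    dev = rec.get("deviceDetail") or {}
    return (loc.get("countryOrRegion"), dev.get("operatingSystem"))


def _succeeded(rec):
    return rec["status"]["errorCode"] == 0


def baseline(confirmed):
    """Fingerprints of sign-ins the user has already confirmed as their own."""
    return {_fingerprint(r) for r in confirmed if _succeeded(r)}


def around_prompt(signins, prompt_stamp, window_minutes=5):
    """The records to compare an MFA prompt against: everything logged within
    window_minutes of the moment the prompt arrived (prompt_stamp is the same
    'YYYY-MM-DDTHH:MM:SSZ' format as the records)."""
    prompt = _when(prompt_stamp)
    window = timedelta(minutes=window_minutes)
    return [r for r in signins if abs(_when(r["createdDateTime"]) - prompt) <= window]


def triage(signins, known, retry_window_minutes=15):
    """One finding per record that deserves a second look. `known` is the
    confirmed baseline and is not grown here: an unfamiliar success must be
    confirmed by the user, not trusted because it succeeded."""
    findings = []
    last_failure_from = {}          # ipAddress -> time of its latest failed attempt
    for rec in sorted(signins, key=lambda r: _when(r["createdDateTime"])):
        ts = _when(rec["createdDateTime"])
        reasons = []
        fp = _fingerprint(rec)
        if fp not in known:
            reasons.append("unfamiliar location/device %s" % (fp,))
        if not _succeeded(rec):
            reasons.append("failed: %s" % rec["status"]["failureReason"])
            last_failure_from[rec["ipAddress"]] = ts
        else:
            prev = last_failure_from.get(rec["ipAddress"])
            if prev is not None and ts - prev <= timedelta(minutes=retry_window_minutes):
                reasons.append("succeeded %s after a failed attempt from the same address"
                               % (ts - prev))
        if reasons:
            findings.append({"time": rec["createdDateTime"], "app": rec["appDisplayName"],
                             "ip": rec["ipAddress"], "success": _succeeded(rec),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    known = baseline(SAMPLE_SIGNINS[:2])      # the Seattle sign-ins, confirmed by the user
    print("Logged around the 02:16 UTC prompt:")
    for r in around_prompt(SAMPLE_SIGNINS, "2024-03-05T02:16:00Z"):
        print("  ", r["createdDateTime"], r["location"]["city"], r["status"]["errorCode"])
    print("Needs a second look:")
    for f in triage(SAMPLE_SIGNINS, known):
        print("  ", f)
```

On the sample data, `around_prompt` returns only the two Lagos entries, and `triage` flags both: the first because it failed from an unfamiliar place, the second because an unfamiliar sign-in succeeded about a minute and a half after that failure. The user story behind that second entry is the one worth drilling into staff: someone else typed the password, the user got the prompt, and the user approved it. When that is what the page shows, the answer is “Look unfamiliar? Secure your account”, not “it must have been Outlook”.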
Have any questions about MFA for your organization’s IT environment? Please contact us at any time!