Last week Microsoft released some important new baseline Conditional Access policies—predefined rulesets that protect organizations against common digital attacks—that stand to significantly increase the security of any organization using Office 365 for Nonprofits. The functionality provided by these policies previously required additional licensing, at additional cost, but the growing risk of identity-based attacks has led Microsoft to make basic versions of these protections available for free to promote good IT security hygiene.
Tech Impact has been advocating for such a move for some time, and we’re thrilled that it has finally happened. We hope to move quickly to get this functionality turned on for every organization we work with.
What Does This Mean, and What Does This Mean for You?
These new policies equip Office 365 accounts with Multi-Factor Authentication, or MFA, a stronger form of account verification that protects users by making it much harder for a stolen password alone to be used to break into an account. MFA requires users to supply two different types of authentication information to log in—generally some combination of something a person knows (e.g., a password), something a person has (e.g., a phone or laptop), and/or somewhere a person is (e.g., a particular physical location). MFA often takes the form of a prompt or code sent to a user’s phone after they enter their username and password into an MFA-protected site; the site will not let the login complete until the user enters the code or pushes a button to confirm that they have access to that phone.
Here’s a quick look at the new policy changes:
The End User Protection policy applies to all active accounts in an organization’s Office 365 environment. It requires users to go through the MFA handshake process only when something about a specific login attempt looks suspicious. For example, a user may be prompted for an MFA verification if the IP address their login comes from has displayed strange behavior in the past or is based in an unusual geographic region. As a result, these changes are minimally disruptive to day-to-day work but go a long way toward stopping malicious phishing attacks.
The Require MFA for Admins policy applies mandatory MFA to all accounts that are endowed with any kind of administrative power (Global or otherwise), and requires those accounts to go through the MFA process each time they log in.
These new policies are turned off by default. We recommend that you turn on the End User Protection policy as soon as possible, and preferably the Require MFA for Admins policy as well. Note that turning on either policy will result in all of the users covered by that policy being immediately prompted to configure their MFA preferences. This is a one-time process that will require users to have the phone that they want to use for MFA authentication handy.
Tech Impact will be coordinating with every organization we work with to enable these protections in the coming days. Let us know if you have any questions or want to learn more about these or other security measures we can take to ensure your organization and your information are secure.