Multi-factor authentication for end users was added to Office 365. The update applies to Office 365 for Midsize Business, Enterprise plans, Academic plans, Nonprofit plans, and standalone Office 365 plans (Exchange Online and SharePoint Online).
Multi-factor authentication in Office 365 has been around since June 2013, but it was limited to Office 365 administrative roles until now. Microsoft has also expanded upon the initial multi-factor authentication capabilities, specifically:
- Added App Passwords for users so they can authenticate from Office desktop applications as these are not yet updated to enable multi-factor authentication
- Enabling users who are authenticated from a federated on-premises directory to be enabled for multi-factor authentication
This is a step in the right direction, however the supported methods are solely phone-based, including:
- Call my mobile phone. The user receives a phone call that asks them to press the pound key. Once the pound key is pressed, the user is logged in.
- Text code to my mobile phone. The user receives a text message containing a six-digit code that they must enter into the portal.
- Call my office phone. This is the same as Call my mobile phone, but it enables the user to select a different phone if they do not have their mobile phone with them.
- Notify me through app. The user configured a smartphone app and they receive a notification in the app that they must confirm the login. Smartphone apps are available for Windows Phone, iPhone, and Android devices.
- Show one-time code in app. The same smartphone app is used. Instead of receiving a notification, the user starts the app and enters the six-digit code from the app into the portal.
In the blog post, Microsoft also speaks to their roadmap for multi-factor authentication in Office desktop applications:
Soon Office 365 customers will be able to use multi-factor authentication directly from Office 2013 client applications. We’re planning to add native multi-factor authentication for applications such as Outlook, Lync, Word, Excel, PowerPoint, PowerShell, and OneDrive for Business, with a release date planned for later in 2014.