Microsoft has released new baseline Conditional Access policies — predefined rule sets that protect organizations against common digital attacks — that stand to significantly increase the security of any organization using Office 365 for Nonprofits.
The functionality provided by these policies previously required additional licensing, at additional cost, but the growing risk of identity-based attacks has led Microsoft to make basic versions of these protections available for free to promote good IT security hygiene.
These new policies equip Office 365 accounts with Multi-Factor Authentication (MFA), a stronger form of account verification designed to protect users by making it much harder for stolen passwords to be used to break into their accounts. MFA requires users to supply two types of authentication information to log in, generally some combination of something a person knows (e.g., a password), something a person has (e.g., a phone or laptop), and/or something a person is (e.g., in a physical location).
MFA often takes the form of a prompt or code that is sent to a user’s phone after they enter their username and password into an MFA-protected site. The protected site will not let the login process complete until the user enters a code or pushes a button to confirm that they have access to their phone.
Here’s a quick look at the new policy changes:
- The End User Protection policy applies to all active accounts in an organization’s Office 365 environment. It requires users to go through the MFA handshake process only when something about a specific login attempt looks suspicious. For example, a user might be prompted for an MFA verification if the IP address their login comes from has displayed strange behavior in the past or is based in an unusual geographic region. As a result, these changes are minimally disruptive to day-to-day work but go a long way toward stopping malicious phishing attacks.
- The Require MFA for Admins policy applies mandatory MFA to all accounts that are endowed with any kind of administrative power (Global or otherwise), and requires those accounts to go through the MFA process each time they log in.
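To make the two rules concrete, here is an added illustration (not Microsoft's implementation, and not code from the original article) of the decision each policy makes for a sign-in attempt. The suspicious-IP list, the per-user "usual countries", the admin list and the sample sign-ins are all constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample data: IPs that misbehaved in the past, each user's usual
# sign-in countries, and which accounts hold any administrative role.
SUSPICIOUS_IPS = {"198.51.100.23"}
USUAL_COUNTRIES = {"alice": {"US"}, "bob": {"US", "CA"}, "carol": {"US"}}
ADMIN_USERS = {"carol"}


@dataclass
class SignIn:
    user: str
    ip: str
    country: str


@dataclass
class Policies:
    # Both baseline policies are off by default, as the article notes.
    end_user_protection: bool = False
    require_mfa_for_admins: bool = False


def login_looks_suspicious(attempt: SignIn) -> bool:
    """The two signals the article names: a misbehaving IP or an unusual region."""
    if attempt.ip in SUSPICIOUS_IPS:
        return True
    return attempt.country not in USUAL_COUNTRIES.get(attempt.user, set())


def mfa_required(attempt: SignIn, policies: Policies) -> str:
    """Name the policy that forces an MFA challenge, or '' if password-only."""
    if policies.require_mfa_for_admins and attempt.user in ADMIN_USERS:
        return "Require MFA for Admins"   # admins are challenged on every sign-in
    if policies.end_user_protection and login_looks_suspicious(attempt):
        return "End User Protection"      # everyone else: only when the login looks risky
    return ""


SAMPLE_SIGNINS = [  # constructed sign-in attempts
    SignIn("alice", "203.0.113.5", "US"),     # routine: usual country, clean IP
    SignIn("alice", "198.51.100.23", "US"),   # clean user, but IP misbehaved before
    SignIn("bob", "203.0.113.9", "BR"),       # unusual geographic region for bob
    SignIn("carol", "203.0.113.7", "US"),     # routine sign-in, but carol is an admin
]


def evaluate(attempts, policies):
    """Map (user, ip) to the policy that triggered MFA for each attempt."""
    return {(a.user, a.ip): mfa_required(a, policies) for a in attempts}


if __name__ == "__main__":
    for key, decision in evaluate(SAMPLE_SIGNINS, Policies(True, True)).items():
        print(key, "->", decision or "password only")
```

Running it with both policies on shows only the second, third and fourth attempts being challenged; with the policies left at their defaults, no sign-in is challenged at all.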
These new policies are turned off by default. It is recommended that you turn on the End User Protection policy as soon as possible, and preferably the Require MFA for Admins policy as well. Note that turning on either policy will result in all of the users covered by that policy being immediately prompted to configure their MFA preferences. This is a one-time process that will require users to have the phone that they want to use for MFA authentication handy.
You can also learn more about these policies by reading Microsoft’s newly-updated documentation.
Jordan McCarthy is with the nonprofit Tech Impact. His email is firstname.lastname@example.org.