DOI: 10.1145/3501292.3511569
research-article

Our Design and Implementation of Multi-Factor Authentication Deployment for Microsoft 365 in Kyushu University

Published: 28 March 2022

Abstract

In Kyushu University, the Information Infrastructure Initiative manages a Microsoft 365 tenant for our university members. We started offering Office 365 in 2016 and migrated our university-wide email service to Microsoft 365 Exchange Online in 2018. Due to the recent outbreak of COVID-19, off-campus use of Microsoft 365 has increased, and concerns about account security arose. We discussed how to deploy Multi-Factor Authentication (MFA) to protect our users. Microsoft 365 comes with Azure Active Directory (Azure AD), which includes built-in MFA functionality. With the basic Azure AD MFA, individual users can register MFA information at any time but have no control over enabling or disabling MFA. Tenant administrators need to enable MFA for each account. For a gradual deployment, we want to allow users to enroll in MFA and register information at their convenience. In addition, we want to prevent malicious attackers from registering their own MFA information if an account has already been compromised. Such control was difficult with the basic Azure AD MFA. Since 2020, our tenant has subscribed to Azure AD Premium P2 licenses, which provide Azure AD Conditional Access. Conditional Access enables fine-grained control of MFA and other user access behavior with security groups. We designed an MFA self-enrollment and configuration system, and implemented it with Microsoft Forms, Power Automate, Conditional Access, and in-house web applications. By design, this system prohibits MFA information registration until the user self-enrolls in MFA, and requests the user to register MFA information upon the next sign-in after the self-enrollment. This is supposed to reduce possible unauthorized registration of MFA information. We extensively discussed the implementation of various measures and the preparation of documents to counter users' troubles and complaints.
We started deploying MFA in April 2021, but we have not yet fully mandated MFA due to pushback from some executives expressing concern about the adverse effects of enforcing MFA too quickly.

Published In

SIGUCCS '22: Proceedings of the 2022 ACM SIGUCCS Annual Conference
March 2022
85 pages
ISBN: 9781450391931
DOI: 10.1145/3501292

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Account Security
  2. Azure Active Directory
  3. Microsoft 365
  4. Multi-Factor Authentication

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

SIGUCCS '22
SIGUCCS '22: ACM SIGUCCS Annual Conference
March 27 - 30, 2022
Virtual Event, USA

Acceptance Rates

Overall Acceptance Rate 192 of 261 submissions, 74%
