Office 365 E3 dual authentication advice

dougdog asked
I'm looking to turn on multi-factor authentication for 365 users.
I'm after some advice.
Is the norm to switch this on for external site access only?
Is the app the best method to use?
How can I configure this for external access only, etc.?
Does this affect thick client apps like Outlook, etc.?
Best practice and best method to deploy?
Most Valuable Expert 2015
Distinguished Expert 2019
The "norm" is defined by your needs. If you want to turn it on for specific situations only, such as external access, you either have to use Conditional Access (https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access) or control it via claims rules if you have AD FS in use, including control based on the application. Review the article above and the references therein for additional details.

The app is only available for smartphones and requires internet connectivity, so it might not be the best fit for all situations. It's easy to use, however, so most users prefer it. You can leave it to them to decide.
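
As an added illustration of the Conditional Access route mentioned in the answer above (not code from the original thread), this Microsoft Graph PowerShell sketch marks an office egress range as trusted and requires MFA for Office 365 sign-ins from everywhere else. It assumes the tenant is licensed for Conditional Access and the Microsoft.Graph.Identity.SignIns module is installed; the display names, the IP range and the excluded account ID are constructed placeholders.

```powershell
# Added example: MFA for Office 365 only when signing in from outside trusted locations.
# Needs an account permitted to manage Conditional Access policies.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

# Placeholder: object ID of an emergency-access account kept out of the policy
# so a misconfiguration cannot lock every administrator out.
$breakGlassId = '00000000-0000-0000-0000-000000000000'

# Trusted named location for the office's public egress addresses.
# 203.0.113.0/24 is a documentation range used here as a constructed value.
$officeLocation = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'Office egress (example)'
    isTrusted     = $true
    ipRanges      = @(
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = '203.0.113.0/24' }
    )
}

# Policy: all users, Office 365 apps, any location except trusted ones -> require MFA.
$policy = @{
    displayName   = 'Require MFA outside trusted locations (example)'
    # Report-only first: sign-in logs show what would have been prompted or blocked
    # before anything is enforced. Switch to 'enabled' after reviewing the results.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @('Office365') }
        clientAppTypes = @('all')
        locations      = @{ includeLocations = @('All'); excludeLocations = @('AllTrusted') }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Confirm what was created.
$officeLocation | Select-Object Id, DisplayName
$created | Select-Object Id, DisplayName, State
```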