FYI this method is currently not working. It was until Twilio changed something within their Functions system. I’ll update this guide once they have resolved the issues.
For many MSP’s (Managed Service Providers) knowing how to handle MFA (Multi Factor Authentication) for multiple Office 365 tenants can be a real pain. There are a few way to solve this problem but recently we’ve found the easiest option for the whole team is to have the MFA codes from Office 365 go directly into a Teams channel. This means that even if a tech is working the night shift or out of the office they can easily log into a clients tenant securely with minimal hassle.
A few MSP’s i’ve spoken to recently use a mobile phone in the office to receive the SMS codes, or they use the authentication app. This is great but limits access to those in the office.
Some have setup a dedicated phone number and set tenants to initiate a voice call to authorise the login’s. Again this is a good method but limits access only to the office where they can pickup the calls. Sure you can divert the calls to mobiles after hours but its a real pain when you just need the access and are not receiving the calls.
One fellow MSP told me they send authentication codes into Slack for the team to share. Great idea I thought but who wants to use Slack when you have Teams!
Let’s get stuck in and configure Office 365 SMS authentication codes to be delivered into a Teams channel.
Basic Steps:
Step 1: Configure a Webhook in Teams.
Step 2: Setup and configure a Twilio account.
Step 3: Configure MFA for Office 365
Configure Teams
If you need to upgrade your Office 365 licenses to include teams upgrade them here: Office 365
First we need to activate External apps within Teams so that we can receive SMS messages via a webhook.
Log into the admin portal and click Settings -> Services & add-ins -> Microsoft Teams.
Scroll down to the option to enable External Apps then save the changes.
Log into Teams and create a new Channel called MFA. Click on the three dots next to the channel to access the Channel menu and click Connectors.
Search for ‘Incoming Webhook’ and click Configure.
Give the Webhook a suitable name.
Click Create.
Save the Webhook URL as we will need it later when configuring the SMS system. Click Done.
Configure Twilio
For MFA to work we need a mobile number we can configure on our tenants Global admin accounts. We also need that number on a system which can work with Webhooks. For this we can use a well known service called Twilio.
Office 365 actually includes an integration within Flow but at the time of writing inbound SMS Messaging to Teams is not supported out of the box.
Sign up for an account Here: https://www.twilio.com
Once you have signed in and added some credit to the account. Go to Numbers then click Get Started.
Choose your Country, tick SMS and click Search.
Choose from any of the available numbers and click Buy and complete the purchase.
From the top right use the search function to locate the Functions feature. Click the Plus symbol to add a new Function. We will use a Function to call our Office 365 Webhook we saved earlier and pass the SMS message from Office 365 into Teams.
Choose a Blank template and click Create.
Give your Function a suitable name such as SMStoTeams.
Copy and paste the following code into the code section as shown below.
Replace
Click Save.
const got = require('got');
exports.handler = function(context, event, callback) {
const requestBody = {
text: event.Body
};
got.post('', {
headers: {
'Content-Type': 'application/json'
},
body: JSON.stringify(requestBody)
})
.catch(err => {
callback(err);
});
callback();
};
Next click on Configure from the menu.
Scroll down to Dependencies and click the Plus sign.
Enter got into the first box and 8.3.2 into the second and click Save.
Click on Numbers then Active Numbers and click your number to enter the settings page.
Scroll down to Messaging and select Function and your Function name next to ‘A message comes in’.
Click Save.
Configure MFA for Office 365
Now you need to configure MFA on each of your tenants Global admin accounts.
Log into each tenant as a Global admin and go to the admin center: https://admin.microsoft.com
Click on Settings -> Services & Add-ins -> Azure multi factor authentication then click Manage multi factor authentication.
Select your Global admin account and click Manage user settings.
Tick the boxes shown below and click save.
Next click Enable next to the Global admin account.
Click to enable multi-factor authentication.
Click Enforce.
Click to enforce MFA.
Now login as the Global admin account and you will be prompted to setup MFA for the account.
Select Authentication phone from the dropdown menu and enter the SMS number you purchased earlier from Twilio. Enter the number without the first zero.
Select to ‘Send me a code by text message’ and click Next.
If everything is configured correctly you should now receive a code into your Teams channel as a chat message. Enter it here and click Verify.
If for some reason the Teams messages are not being received you can read the verification code from the Twilio message logs found here:
https://www.twilio.com/console/sms/logs
If all is well MFA codes are being received into your MFA channel within Teams.
Click Finished to complete the setup of MFA for the Global admin account.
Next time you login as the global admin you will just have to enter the usual password then the MFA code found within Teams.
Congratulations you have secured your clients Office 365 account..
Great job! 🙂
Configure Alternative Login Methods
If something ever goes wrong with MFA or with Twilio you will need to configure alternative ways to login. This will involve setting up a backup emergency mobile number to receive authentication calls on and a password reset email address.
Login as the Global admin and click the settings cog from the top right.
Click ‘Update contact preferences’.
Click Security & Privacy and click ‘Update your phone numbers used for account security’.
Tick the box next to ‘Alternative authentication phone’ and enter a mobile number you can use in an emergency to access the account. Enter the number without the first zero.
Click Save.
If you ever need to use the alternative mobile phone number to login select ‘Sign in another way’ when logging into the Global admin account.
Select the backup mobile from the list to receive an authentication phone call.
Configure Password Recovery
Finally it’s a good idea to configure an alternative password recovery email. If you ever lose the password to the account or get locked out for some reason it’s likely you wont be able to receive password reset requests so set the alternative email address to your support helpdesk email address.
Click Save. (It sometimes looks grayed out but you can click on it!)
Conclusion
This is a great way to give all of your engineers access to MFA authentication codes. Super easy to use and accessible from anywhere. Just be sure you use MFA internally to protect access to Teams.
Not enough MSP’s are rolling out MFA to their clients and likely because of the pain configuring and accessing the login codes. Now you have seen how easy it is to setup start rolling it out to your clients now!
Just remember to keep your Twilio topped up with credit so you don’t get caught short a few months after setting it up 😉
