Our Design and Implementation of Multi-Factor Authentication Deployment for Microsoft 365 in Kyushu University

Yoshiaki Kasahara, Takao Shimayoshi

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution


At Kyushu University, the Information Infrastructure Initiative manages a Microsoft 365 tenant for our university members. We started offering Office 365 in 2016 and migrated our university-wide email service to Microsoft 365 Exchange Online in 2018. Due to the recent outbreak of COVID-19, off-campus use of Microsoft 365 has increased, and concerns about account security have arisen. We discussed how to deploy Multi-Factor Authentication (MFA) to protect our users. Microsoft 365 comes with Azure Active Directory (Azure AD), which includes built-in MFA functionality. With the basic Azure AD MFA, individual users can register MFA information at any time but have no control over enabling or disabling MFA. Tenant administrators need to enable MFA for each account. For a gradual deployment, we want to allow users to enroll in MFA and register information at their convenience. In addition, we want to prevent malicious attackers from registering their own MFA information if an account has already been compromised. Such control was difficult with the basic Azure AD MFA. Since 2020, our tenant has subscribed to Azure AD Premium P2 licenses, which provide Azure AD Conditional Access. Conditional Access enables fine-grained control of MFA and other user access behavior with security groups. We designed an MFA self-enrollment and configuration system, and implemented it with Microsoft Forms, Power Automate, Conditional Access, and in-house web applications. By design, this system prohibits MFA information registration until the user's self-enrollment in MFA, and requests the user to register MFA information upon the next sign-in after the self-enrollment. This is intended to reduce the possibility of unauthorized registration of MFA information. We extensively discussed the implementation of various measures and the preparation of documents to address users' troubles and complaints.
We started deploying MFA in April 2021, but we have not yet fully mandated MFA due to pushback from some executives expressing concern about the adverse effects of enforcing MFA too quickly.

Original language: English
Title of host publication: SIGUCCS 2022 - Proceedings of the 2022 ACM SIGUCCS Annual Conference
Publisher: Association for Computing Machinery
Number of pages: 6
ISBN (Electronic): 9781450391931
Publication status: Published - Mar 27 2022
Event: 49th ACM SIGUCCS User Services Annual Conference, SIGUCCS 2022 - Virtual, Online, United States
Duration: Mar 28 2022 to Apr 8 2022

Publication series

Name: Proceedings ACM SIGUCCS User Services Conference

Conference: 49th ACM SIGUCCS User Services Annual Conference, SIGUCCS 2022
Country/Territory: United States
City: Virtual, Online

All Science Journal Classification (ASJC) codes

  • Computer Science Applications
  • Software
  • Information Systems
  • Education

