Microsoft has added Multi-Factor Authentication for Office 365 to Office
365 Business plans, Enterprise plans, Academic plans, Non-profit plans, and
standalone Office 365 plans, including Exchange Online and SharePoint Online.
This allows organizations with these subscriptions to enable multi-factor
authentication for their Office 365 users without requiring any additional
purchase or subscription.
Multi-factor authentication increases the security of user logins for
cloud services above and beyond just a password. With Multi-Factor
Authentication for Office 365, users are required to acknowledge a phone call,
text message, or an app notification on their smartphone after correctly
entering their password. Only after this second authentication factor has been
satisfied can a user sign in.
Multi-factor authentication is available for Office 365 administrative
roles, for any Office 365 user, and for users who are authenticated from a
federated on-premises directory.
Microsoft has also added App Passwords for users so they can
authenticate from Office desktop applications.
Multi-factor authentication enhances security for Office 365. (Office
365 offers many robust built-in security features for all customers and also
optional controls that enable subscribers to customize their security
preferences. More information about security in Office 365 is available in the
Office 365 Trust Center.)
Multi-Factor Authentication for Office 365
Office 365 administrators enroll users for multi-factor authentication
through the Office 365 admin center.

On the users and groups page in the Office 365 admin center, you can
enroll users for multi-factor authentication by clicking the Set Multi-factor
authentication requirements: Set up link.

The multi-factor authentication page lists the users and allows you to
enroll a user for multi-factor authentication.
After a user is enabled for multi-factor authentication, they will be
required to configure their second factor of authentication at their next
login. Each subsequent login is enforced and will require use of the password
and phone acknowledgement.

After being enrolled for multi-factor authentication, the next time a
user signs in, they see a message asking them to set up their second
authentication factor.
Any of the following may be used for the second factor of
authentication.
- Call my mobile phone. The user receives a phone call that asks
them to press the pound key. Once the pound key is pressed, the user is
logged in.
- Text code to my mobile phone. The user receives a text message
containing a six-digit code that they must enter into the portal.
- Call my office phone. This is the same as Call my mobile
phone, but it enables the user to select a different phone if they do not
have their mobile phone with them.
- Notify me through app. The user configures a smartphone app
and receives a notification in the app, which they must confirm to complete
the login. Smartphone apps are available for Windows Phone, iPhone, and Android
devices.
- Show one-time code in app. The same smartphone app is used.
Instead of receiving a notification, the user starts the app and enters
the six-digit code from the app into the portal.

Once a user is signed in, they can change their second factor of
authentication.
The settings menu is the little cog at the top right of the portal
screen. In the settings menu, click the additional security verification
link.
App Passwords in Multi-Factor Authentication for Office 365
Users who are enrolled for multi-factor authentication are required to
configure App Passwords in order to use Office desktop applications, including
Outlook, Lync, Word, Excel, PowerPoint, and OneDrive for Business.
Once an information worker has logged in with multi-factor
authentication, they will be able to create one or more App Passwords for use
in Office client applications. An App Password is a 16-character randomly
generated password that can be used with an Office client application as a way
of increasing security in lieu of the second authentication factor.
App Passwords are not available for use with PowerShell access to Office
365, and they can be turned off entirely for the Office 365 tenant for
customers who have special security policies.

After you’ve created an App Password for an Office desktop application, such as
Outlook, it appears in a list in your account.
- gleaned from Office blogs