What is Multi-factor Authentication (MFA)?
Similar to what you may already experience using an Apple ID, Google, Facebook or Amazon, Multi-factor Authentication is a method of confirming a user's claimed identity by using a combination of two different factors:
- a first factor of something they know (like a password), and
- a second factor of something they have, like a verified device, when logging in from a new device or browser.
This second verification is typically done with a code sent via text message to a verified mobile device. The code is sent only when the correct password for the account is given, and if it is not also entered, the login attempt fails. So unless an attacker also has access to your mobile phone (for example), they cannot enter the code that was sent to you, and cannot log in.
Alternatively, users can use a mobile app for authentication, or receive a phone call.
How will this affect me?
When signing into services that use your Office 365 account from a new device, you will now have one more step to complete: in addition to entering your password, you’ll be prompted on your mobile device to verify your identity. This will occur once per new device or browser, and whenever you reset your domain password.
How do I get started?
Visit aka.ms/MFASetup to verify your contact methods (most importantly your mobile number).
We’ll be sending out a notice to you before we enable your account. Then, simply wait for your applications or web apps to prompt you to sign in.
Set Up Your Apps
Once MFA has been enabled on your account, your apps will prompt you for your new means of access. A number of them (including a few of Microsoft's own apps), however, will need a little extra attention because they don't support MFA. For applications like these, please see the section on App Passwords below.
Below are the most common applications and what to expect.
Microsoft Office Applications for Windows
Word, Excel, Outlook, etc. will activate seamlessly when MFA becomes active. However, your Outlook application will prompt you for a password somewhere between 1 and 24 hours after MFA has been activated. You’ll need an App Password for this; one is created for you when you go through the initial MFA activation steps. If you did not retain it, no worries: a new one can be created at any time.
Microsoft Office Applications for Mac
Word, Excel, Outlook, etc. will update and operate seamlessly when MFA becomes active.
Apple iOS Devices
If you use Apple’s own Mail, Contacts and Calendars, you will need to remove your work account from the device, then re-add it (instructions). If you use Microsoft’s own apps on your iOS device(s), each will operate seamlessly when MFA becomes active.
We highly recommend using iOS 11 on your device(s), which best handles this change.
If you are using an Android device, we highly recommend using Microsoft’s own Outlook application for mail, contact and calendar management, as it fully supports MFA. Google, Motorola, Samsung or other manufacturer-supplied applications will more than likely require the use of an App Password to function properly. If you require assistance getting this set up after MFA is active on your account, please stop by your help desk and we can take care of this for you.
A Note About App Passwords
For applications that don't support MFA, you'll need to generate an "app password" to allow them to work around your newly imposed security.
Think of an App Password as a special key that, when used, tells Office 365 to "forget" that your account needs that second form of authentication, and just let the application (e.g. Outlook or Skype for Business) through the door, no questions asked.
You can create an App password at aka.ms/CreateAppPassword.
Once it is generated, you can use the App Password as you would your own password when prompted by the application. It's important that you do not keep App Passwords (e.g. by writing them down or saving them in a sticky note), as they are, by definition, a "back door" into your account, and new ones can be generated at any time if needed.
What if I can’t get in, or have questions?
Submit a Service Desk ticket at support.bedrock.com (and be sure to specify an email address that you have access to, and choose the issue category that mentions MFA). In the meantime, keep in mind that you can access your email at outlook.office.com in the event that your email application/mobile device isn’t able to send/receive email.
- Using the Microsoft Authenticator App (docs.microsoft.com/en-us/azure/multi-factor-authentication/end-user/microsoft-authenticator-app-how-to)
- Creating an App Password (aka.ms/CreateAppPassword)
- Verifying your contact information (aka.ms/MFASetup)