What is Multi-factor Authentication (MFA)?
Similar to what you may already experience using an Apple ID, Google, Facebook or Amazon, Multi-factor Authentication is a method of confirming a user's claimed identity by using a combination of two different factors:
- a first factor of something they know (like a password), and
- a second factor of something they have, like a verified device, when logging in from a new device or browser.
This second verification is typically done with a code sent via text message to a verified mobile device, which is sent only when the correct password for the account is given. If that code is not also entered, the login attempt fails. So, unless the attacker also has access to your mobile phone (for example), he/she cannot enter the code that was sent to you, and cannot log in.
Alternatively, users can use a mobile app for authentication, or receive a phone call.
How will this affect me?
When signing into services that use your Office 365 account from a new device, you will now have one more step to complete: in addition to entering your password, you’ll be prompted on your mobile device to verify your identity. This will occur once per new device or browser, and whenever you reset your domain password.
How do I get started?
Visit aka.ms/MFASetup to verify your contact methods (most importantly your mobile number).
With MFA, you have a few options you can configure:
- What's your preferred option?
  This is where you choose which method you'd like Microsoft to try first, automatically. If you'd like to rely on a call to your phone, and not a text message (the default), here is where you tell it to do so.
- How would you like to respond?
  This is where you tell Microsoft how they can reach you. You do not have to configure all of them, but you may wish to configure more than one.
  - Authentication phone: a phone number of your choosing.
  - Office phone: your office phone number according to our Active Directory information. This can include your extension. If this information is wrong, please submit a support request to have it corrected.
  - Alternate authentication phone: another phone number of your choosing, as a fallback.
  - Authenticator app or Token: if you'd like to use the Microsoft Authenticator app, or another authenticator app, to receive a push notification or supply a code for authentication. This option takes a minute to set up, but results in the most secure means of authentication.
These options allow you to configure MFA to meet just about any use case, from an account for an individual office employee to a shared receptionist/front desk account.
For example, if you're responsible for a receptionist position (a shared user account), and you may need to access the account while not in the office, you can configure both the Office phone option (and make it the default) and the Authentication phone option, using your mobile number. When accessing the account while off site, you can choose the Authentication phone option, which will call/text your mobile number for authentication.
Set Up Your Apps
Once MFA has been enabled on your account, your apps will prompt you for your new means of access. A number of them (including a few of Microsoft's own apps), however, will need a little extra attention because they don't support MFA. For applications like these, please see the section on App Passwords below.
Below are the most common applications and what to expect.
Microsoft Office Applications for Windows
Word, Excel, Outlook, etc. will activate seamlessly when MFA becomes active; however, your Outlook application will prompt you for a password somewhere between 1 and 24 hours after MFA has been activated. You’ll need an App Password for this; one is created for you when you go through the initial MFA activation steps. If you did not retain it, no worries: a new one can be created at any time.
Microsoft Office Applications for Mac
Word, Excel, Outlook, etc. will update and operate seamlessly when MFA becomes active.
Apple iOS Devices
If you use Apple’s own Mail, Contacts and Calendars, you will need to remove your work account from the device, then re-add it (instructions). If you use Microsoft’s own apps on your iOS device(s), each will operate seamlessly when MFA becomes active.
We highly recommend using iOS 11 or later on your device(s), which best handles this change.
If you are using an Android device, we highly recommend using Microsoft’s own Outlook application for mail, contact and calendar management, as it fully supports MFA. Google, Motorola, Samsung or other manufacturer-supplied applications will more than likely require the use of an App Password to function properly. If you require assistance getting this set up after MFA is active on your account, please stop by your help desk and we can take care of this for you.
A Note About App Passwords
For applications that don't support MFA, you'll need to generate an "App Password" to allow them to work around your newly imposed security.
Think of an App Password as a special key that, when used, tells Office 365 to "forget" that your account needs that second form of authentication, and just let the application (e.g. Outlook or Skype for Business) through the door, no questions asked.
You can create an App password at aka.ms/CreateAppPassword.
Once generated, you can use the password as you would your own when prompted by the application. It's important that you do not keep App Passwords (e.g. by writing them down or saving them in a sticky note), as they are, by definition, a "back door" into your account, and new ones can be generated at any time, when/if needed.
What if I can’t get in, or have questions?
Submit a Service Desk ticket at support.bedrock.com (and be sure to specify an email address that you have access to, and choose the issue category that mentions MFA). In the meantime, keep in mind that you can access your email at outlook.office.com in the event that your email application/mobile device isn’t able to send/receive email.
- Using the Microsoft Authenticator App (docs.microsoft.com/en-us/azure/multi-factor-authentication/end-user/microsoft-authenticator-app-how-to)
- Creating an App Password (aka.ms/CreateAppPassword)
- Verifying your contact information (aka.ms/MFASetup)