Difference between revisions of "Multi-factor authentication for Office 365"

From WSU Technology Knowledge Base
 
(322 intermediate revisions by 3 users not shown)
Line 1: Line 1:
 
{{TOC_Float_Right}}
 
{{TOC_Float_Right}}
[[File:O365_mfa.png ‎|right]]
+
'''Multi-factor authentication for Microsoft 365''' is available to all {{WSU}} students and employees for securing your access to our primary campus messaging, file storage, collaboration, and productivity system. MFA is the best way to prevent someone who steals your StarID password from accessing your Microsoft 365 account.
==About this article==
 
This article includes the steps involved in configuring multi-factor authentication (MFA) for Microsoft Office 365. It is intended for all WSU students, faculty, and staff.
 
==What's Office 365 Multi-Factor Authentication (MFA)?==
 
In order to better protect you, your data, and our campus network from increasingly sophisticated phishing and other social engineering attacks, Winona State University will be implementing an Office 365 (O365) security feature this fall called Multi Factor Authentication (MFA). Once enabled, your password alone (which someone could have stolen from you) will not be enough to prove your true identity when you log into O365. In addition to your username and password, O365 will ask for more proof before it lets you in the door. Think of it as a special knock or a secret handshake. O365 will not request your special handshake every time you log in from your office or other "trusted" computers, only when it detects something has changed or your account is being used someplace new.
 
  
===MFA Options===
+
'''How it works:  '''Once multi-factor authentication (MFA) is enabled, when you go to sign into your Microsoft 365 account you will be prompted to verify your StarID credentials with a notification sent to your cell phone or office phone.  This is setup with an Authenticator app. 
  
You can choose from several MFA options and can use different options in different situations, depending on what's most convenient for you. The type of handshake or knock you choose can have an impact on how and where your account can be used, so we want you to be well-informed before you decide what is best for you.
+
==Enable MFA==
  
====Option 1: Smartphone Notification App====
+
Enabling MFA on your [[Microsoft Office 365|Microsoft 365]] account is a two-step process:
[[File:MFAFAQ.png|300px|right]]
+
#[[Enable multi-factor authentication for Office 365|Turn on MFA in your Microsoft 365 settings]] and specify your preferred verification method
This is generally the easiest option for people who have a smartphone and is presented as '''"Notify me through app"'''. When the system needs additional assurance to verify your password was really entered by you, a popup is seen on your phone that asks you "Do you approve this login Y/N" All you need to do is press Y or N to confirm you expected that login and the rest is automatic. This application is easy to configure, easy to monitor and consumes very little data and battery. The upside of this option is that it makes your O365 account accessible to you wherever you bring your smartphone. If you need to access your account on your home computer, press Y on your phone. If you need to access your account from a hotel lobby kiosk, press Y on your phone. The only downside to this option is that not everyone has a smartphone or is willing to use their smartphone for anything work-related. This is why there are other options.
+
#Browse to the [https://apps.powerapps.com/play/825f9f00-0767-4ce2-a691-f61eb7b5c07a?tenantId=5011c7c6-0ab4-46ab-9ef4-fae74a921a7f Multi-factor Authentication Request page] and select the '''Enable MFA button'''.
  
====Option 2: Cell Phone Text====
+
==Your initial verification options==
This is the next easiest way for people who either don't have a smartphone or don't want the overhead of the application to verify their identify when the need arises. The '''"text a code to my phone"''' option will simply text you a seemingly random 6-digit number that you will be prompted to enter after your password. When you enter the correct numbers it sent, the system is relatively certain it is you and not a hacker with a stolen password and will let you in. This option is again very easy to set up, requires very little configuration, and relies on only basic texting service. While it isn't quite as easy as the notification app, it does provide people with the ability to access their account while not at work or on a work laptop, which can be important to some people. While not required, leveraging a personal cellular device does provide you the most flexibility in accessing your work account when not at work.
+
MFA for Microsoft 365 uses your phone as a second step to verify your Microsoft 365 credentials. When you first enable MFA, your three verification options are:
  
====Option 3: Smartphone Code Generating App====
+
===Authentication phone===
Similar to the 6-digit codes sent via text to your cell phone, the code generator app is a way to verify your identity, but without the data requirements of Option 1 or even the cellular text requirement of Option 2. It will work in the basement of a fallout shelter. Though not as easy as pressing Y or N, it does provide users a good option if they are frequently in a location where cellular service is poor, but they have Internet access through a different provider.
+
Choose this option to receive a [https://en.wikipedia.org/wiki/One-time_password one-time password] (e.g., a random sequence of digits) via a robocall or text message sent to a phone number you provide. Although this does not need to be a smartphone, the text messaging option does require a compatible phone. Text messages will arrive via your phone's default messaging app (e.g., Apple iMessage).
  
====Option 4: Call My Personal Phone====
+
===Office phone===
This option is for anyone who wants to be able to access their O365 account from off-campus but doesn't have a smartphone or cell phone capable of receiving a text. This option works on any home phone or basic cell phone. When the system doesn't recognize you logging in, you will receive a phone call with an automated voice asking you to approve this logon attempt. If you weren't expecting this call you would obviously not approve it, but if you had just typed your password into your home computer you would press a number to finish the logon process. This isn't an ideal option for most people because it is much slower and less mobile that the others, but it can be very helpful in a pinch.
+
Choose this option to receive a confirmation request via a robocall to the {{WSU}} office phone assigned to you in the [[Update your campus directory information|campus directory]].
  
====Option 5: Call My Office Phone====  
+
===Mobile app===
Just like Option 4, O365 has your university office phone number pre-populated and can call you to confirm your logon. If you forgot your cell phone at home, or dropped it in the river over the weekend, this option is a fail-safe that will allow you to get logged in when you return on Monday morning. Again, this option can be cumbersome and will not facilitate access on a home computer or anywhere that isn't within arm's reach of your work desk phone, but it does ensure that you can get your work done on your work computer when you are at work.
+
Choose this option to use the [[Microsoft Authenticator]] app to approve access. You can decide whether to receive a notification from the app that you can tap to approve access or use one of the rolling, one-time passwords generated by the app. Use any device on which the Microsoft Authenticator app is installed, including your mobile phone, tablet, or smartwatch.
  
====Option 6: University Laptop or Tablet Code Generating App====
+
==Personalize your MFA settings==
Exactly like Option 3, it is possible to install a code generator application on a university laptop or tablet that will function as extra "proof" it is you when you log in. This option may look appealing; however we don't feel it will be overly helpful for most people. After all, if you have your university laptop at home, why check your mail on your home computer? It will already be working on your laptop! However, there may be a few specific use cases for this option. Perhaps someone doesn't have a cell phone or a home phone and still really needs to use a home computer? If you are interested in this option, contact the {{TSC}}.
+
Once you have completed the initial setup, you can [[Change multi-factor authentication settings for Office 365|edit your MFA settings]] at any time to:
  
==Setup Trust Account==
+
===Add an alternate phone===
If you see other choices you may have set something up previously. Office 365 personal or security and privacy settings contain some of this info so it may have been added previously.
+
Add a third phone as a verification backup, in case you cannot access your primary authentication phone, office phone, or any device with the Microsoft Authenticator app configured. If you enable this option, you choose to receive a confirmation request via a robocall to an alternate phone number (e.g., your home phone).
  
1. Go to [https://account.activedirectory.windowsazure.com/Proofup.aspx https://account.activedirectory.windowsazure.com/Proofup.aspx]
+
===Enable multiple backup verification methods===
 +
Enable any of the other verification methods as fail-safes. If your default method fails or is unavailable (e.g., your mobile phone's battery is dead), you can use a different method instead.
  
2. Sign into your account and setup MFA
+
===Change settings===
 +
Change phone numbers, choose a different verification default, or enable/disable the other verification methods.
  
===Our Recommendations===
+
===Pair or remove Microsoft Authenticator devices===
*'''Provided you have a smart phone''', we highly recommend using the Notify Me through app using the Microsoft Authenticator app as your #1 choice; followed by a backup text.  This notification process makes it super easy when your account is finally tripped.
+
Pair other devices running the Microsoft Authenticator app with your {{WSU}} Microsoft 365 account or unpair existing devices.
*A regular cell phone without smart capabilities use text
 
*If no cell phone your options are to use your office phone or use verification code from app on a university laptop.
 
  
===Setup Process===
+
==Our recommendation==
 +
{{WSU}} Information Technology Services strongly recommends using the Microsoft Authenticator app as your default verification method, while enabling the other three methods as fail-safes. [[Microsoft Authenticator|Install the app]] on any Apple or Android mobile phone or tablet to which you have continuous access and that is connected to the Internet via your cellular data plan or WiFi service.
  
[[File:VerificationScreenPreferred1.png|600px]]
+
==More wiki articles==
 +
*[[Microsoft Authenticator|How to install the Microsoft Authenticator app]]
 +
*[[Enable multi-factor authentication for Office 365|How to enable multi-factor authentication on your Microsoft 365 account]]
 +
*[[Change multi-factor authentication settings for Office 365|How to change your Microsoft 365 multi-factor authentication settings]]
 +
*[[Enable multi-factor authentication on personal accounts|How to enable multi-factor authentication on your personal accounts]]
 +
*[[Frequently asked questions about multi-factor authentication for Office 365|Frequently asked questions about Microsoft 365 multi-factor authentication]]
  
*Click on Setup
+
==External links==
 +
*[https://en.wikipedia.org/wiki/One-time_password What's a one time password?]
 +
*[https://enterprise.verizon.com/resources/reports/dbir/ Verizon 2019 Data Breach Investigations Report]
 +
*[https://www.forbes.com/sites/enriquedans/2018/12/04/no-doubt-about-it-your-password-has-been-stolen No doubt about it: Your password has been stolen]
 +
*[https://thenextweb.com/google/2019/05/23/google-data-shows-2-factor-authentication-blocks-100-of-automated-bot-hacks/ Google data shows 2-factor authentication blocks 100% of automated bot hacks - The Next Web]
 +
*[https://heimdalsecurity.com/blog/start-using-two-factor-authentication/ Why You Should Start Using Two-Factor Authentication Now - Heimdal Security]
 +
*[https://www.wired.com/story/two-factor-authentication-apps-authy-google-authenticator/ How to Secure Your Accounts with Better Two-Factor Authentication - Wired.com]
  
*On the next screen read through the instructions, install the app and click on Next
+
[[Category:Security]][[Category:Microsoft 365]][[Category:MFA]][[Category:Keep Working]]
[[File:ConfigureMobileApp1.png|600px]]
 
 
 
 
 
*A message will be sent to you phone
 
 
 
[[file:AdditionalSecurity5.png|600px]]
 
 
 
 
 
* When you get the verification message click on Approve
 
 
 
[[file:AndroidApproved1.jpg|200px]]
 
 
 
==Activation==
 
*Activation consists of scheduling your account to have Multifactor
 
*You will get a popup - Within an hour you will need to validate your account
 
*Type in your StarID password once and click approve (or enter text option)
 
 
 
==More Info==
 
 
 
[https://thenextweb.com/google/2019/05/23/google-data-shows-2-factor-authentication-blocks-100-of-automated-bot-hacks/ Google data shows 2-factor authentication blocks 100% of automated bot hacks - The Next Web]
 
 
 
[https://heimdalsecurity.com/blog/start-using-two-factor-authentication/ Why You Should Start Using Two-Factor Authentication Now - Heimdal Security]
 
 
 
[https://www.wired.com/story/two-factor-authentication-apps-authy-google-authenticator/ How to Secure Your Accounts with Better Two-Factor Authentication - Wired.com]
 
 
 
[[Category:Security]][[Category:Microsoft Office 365]][[Category:MFA]][[Category:2FA]][[Category:Multi-Factor Authentication]]
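Review bot: In the added "How it works" paragraph, the sentence "This is setup with an Authenticator app." directly follows "a notification sent to your cell phone or office phone", which reads as if the app is required for every method, while the added "Authentication phone" and "Office phone" sections describe robocall and text options that involve no app. Suggest "set up" as two words and wording that limits the app to the "Mobile app" option. The same revision also drops the old "Setup Process" and "Activation" steps, including "Within an hour you will need to validate your account", in favor of links to separate articles; confirm the linked pages still state that time limit and the approval prompt, since nothing in the added text does.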
 

Latest revision as of 12:21, 2 June 2023

Multi-factor authentication for Microsoft 365 is available to all Winona State University students and employees for securing your access to our primary campus messaging, file storage, collaboration, and productivity system. MFA is the best way to prevent someone who steals your StarID password from accessing your Microsoft 365 account.

How it works: Once multi-factor authentication (MFA) is enabled, when you sign in to your Microsoft 365 account you will be prompted to verify your StarID credentials with a notification sent to your cell phone or office phone. This is set up with an Authenticator app.

Enable MFA

Enabling MFA on your Microsoft 365 account is a two-step process:

  1. Turn on MFA in your Microsoft 365 settings and specify your preferred verification method
  2. Browse to the Multi-factor Authentication Request page and select the Enable MFA button.

Your initial verification options

MFA for Microsoft 365 uses your phone as a second step to verify your Microsoft 365 credentials. When you first enable MFA, your three verification options are:

Authentication phone

Choose this option to receive a one-time password (e.g., a random sequence of digits) via a robocall or text message sent to a phone number you provide. Although this does not need to be a smartphone, the text messaging option does require a compatible phone. Text messages will arrive via your phone's default messaging app (e.g., Apple iMessage).

Office phone

Choose this option to receive a confirmation request via a robocall to the Winona State University office phone assigned to you in the campus directory.

Mobile app

Choose this option to use the Microsoft Authenticator app to approve access. You can decide whether to receive a notification from the app that you can tap to approve access or use one of the rolling, one-time passwords generated by the app. Use any device on which the Microsoft Authenticator app is installed, including your mobile phone, tablet, or smartwatch.

Personalize your MFA settings

Once you have completed the initial setup, you can edit your MFA settings at any time to:

Add an alternate phone

Add a third phone as a verification backup, in case you cannot access your primary authentication phone, office phone, or any device with the Microsoft Authenticator app configured. If you enable this option, you choose to receive a confirmation request via a robocall to an alternate phone number (e.g., your home phone).

Enable multiple backup verification methods

Enable any of the other verification methods as fail-safes. If your default method fails or is unavailable (e.g., your mobile phone's battery is dead), you can use a different method instead.

Change settings

Change phone numbers, choose a different verification default, or enable/disable the other verification methods.

Pair or remove Microsoft Authenticator devices

Pair other devices running the Microsoft Authenticator app with your Winona State University Microsoft 365 account or unpair existing devices.

Our recommendation

Winona State University Information Technology Services strongly recommends using the Microsoft Authenticator app as your default verification method, while enabling the other three methods as fail-safes. Install the app on any Apple or Android mobile phone or tablet to which you have continuous access and that is connected to the Internet via your cellular data plan or WiFi service.
