Difference between revisions of "Multi-factor authentication for Office 365"

Revision as of 19:18, 29 July 2019

About this article

This article includes the steps involved in configuring multi-factor authentication (MFA) for Microsoft Office 365. It is intended for all WSU students, faculty, and staff.

What's Office 365 Multi-Factor Authentication (MFA)?

In order to better protect you, your data, and our campus network from security threats, Winona State University will soon implement Multi Factor Authentication (MFA) for Office 365. Once enabled, you must also use the another verification method along with your user name and password. This adds another layer of security and significantly reduces security threats.

MFA Options

There are a variety of authentication options that can be chosen for Office 365 ranging from a verification phone call to a secret code generated by an app on your phone. Below are all of the supported options.

Option 1: Smartphone Notification App

This is the easiest option if you own a smartphone. After you download and configure the Microsoft Authenticator, your phone will prompt you before every login to approve the login request. After you select approve on your phone your will be logged in.

This method isn't for every one as users without smartphones will not be able to use this method, and if you lose your smartphone, you may temporarily lose access to your Office 365 until you go through the recovery process.

Option 2: Cell Phone Text

The next option is text verification. After you type in your credentials to your account, it will ask permission to send a text message to your phone. After you clock Send me the text, you will receive a 6 digit code via text on your cell phone. Next you must enter this code into the field now located on the login window of your computer and you are now successfully logged into your account.

This is a great method for those without smartphones. This method is always nice because as long as your cell phone number stays the same, this method will work. This means that no extra configuration is required when you upgrade or replace your cell phone.

Option 3: Smartphone Code Generating App

The Microsoft Authenicator, along with being used for option 1, can also be used for another form of authentication. This method will constantly be generating a 6 digit code every 30 seconds right on the app, that you will simply enter in office 365 after you enter your credentials.

This method does not require any data which means even if your are our of country with no cellular data or WiFi you can still access to your account.

Option 4: Call My Phone

This option allows you to verify via a phone call. Whenever you login, you will get an automated phone call asking you to approve the login. This method can be used with either a personal phone or an office phone, and just as in option 2, no extra configuration will be necessarily upon upgrading or replacing a phone so long as your phone number stays the same.

It is important to note that using an Office Phone as your only other verification method will disallow you from accessing your account when you do not have access to this phone.

Option 6: University Laptop or Tablet Code Generating App

It is possible to install a code generator application on a university laptop or tablet. This will function exactly like option 3 and the Microsoft Authenticator. If you would like to setup this option, please contact Technical Support Center (TechSupport@winona.edu, 507-457-5240, Somsen Hall 207) for more info.

Multi-Option

All of the authentication options are better in certain situations and not so good in others. For example if you are traveling abroad and do not have access to WiFi or Cellular, the first option will not work for you. This is why we recommend setting up multiple authentication options so that no matter what situation you find yourself in, you are still able to access your Office 365 account.

Setup Process

Our Recommendations

Provided you have a smart phone, we highly recommend using the Notify Me through app using the Microsoft Authenticator app as your #1 choice; followed by a backup text. This notification process makes it super easy when your account is finally tripped.
A regular cell phone without smart capabilities use text
If no cell phone your options are to use your office phone or use verification code from app on a university laptop.

1.) On any computer, navigate to https://account.activedirectory.windowsazure.com/Proofup.aspx Then, log in. Students: [StarID]@go.minnstate.edu Faculty/Staff: [StarID]@minnstate.edu

2.) Once signed in, you will be prompted to provide more security information to your account. Click ‘Next’.

3.) Now, click on the first dropdown and select which secondary device you would like to use for multi-factor authentication. Authentication phone: This will verify through an Automated phone call or text. Office Phone: This will verify through your office phone. Mobile App: Mobile App: This will use the Microsoft authenticator App to secure your account.

Please compete one or more of the options below to complete setup

Authentication Phone

From the first drop down select “Authentication Phone” and then type in the phone number you would like to use along with the country code of your phone number.

Next Choose whether you would like to verify through call or text. Click “Next” and you will receive a call or text with instructions on how to complete the process.

Office Phone

From the first drop down select “Office Phone” and then type in the phone number and extension along with the country code of your phone number.

Click “Next” and you will receive a call with instructions on how to complete the process.

Authentication App

Select your smartphone platform for Instructions on installing Microsoft Authenticator.

Android [Show/hide]

I. On your smartphone, navigate to the Google Play Store

II. In the search bar, type “Microsoft Authenticator”, Then click the first option shown above.

III. Click “Install”. Note: You may need to enter your Google password if prompted.

IV. Please continue the next step to configure Microsoft Authenticator.

iPhone [Show/hide]

I. On your iPhone, navigate to the App Store.

II. Tap the search tab in the bottom right.

III. Tap "Get" on the Microsoft Authentication tile as shown below.

IV. Now you must sign into the App Store with your fingerprint or Apple ID password. After the install is complete you can move on to the next steps.

Configuring the Authenticatior App

From the first drop down select “Authenticator App” and then click whether you want to verify through secret code, or app notification. Then click “Set Up”.

On the Microsoft Authenticator app, click “Add Accounts” , then “Work or School account”. The app will ask for permission to use your camera, click “Allow”. Then you simply need to scan the QR code on your computer screen and you are done!

Activation

Activation consists of scheduling your account to have Multifactor
You will get a popup - Within an hour you will need to validate your account
Type in your StarID password once and click approve (or enter text option)

More Info

Printable MFA Setup Instructions

Google data shows 2-factor authentication blocks 100% of automated bot hacks - The Next Web

Why You Should Start Using Two-Factor Authentication Now - Heimdal Security

How to Secure Your Accounts with Better Two-Factor Authentication - Wired.com

@@ Line 1: / Line 1: @@
-__notoc__
+[[File:O365_mfa.png ‎|right]]
-[[File:PadlockSecure.jpg|right|200px]]
+{{TOC_Float_Right}}
 ==About this article==
 This article includes the steps involved in configuring multi-factor authentication (MFA) for Microsoft Office 365. It is intended for all WSU students, faculty, and staff.
 ==What's Office 365 Multi-Factor Authentication (MFA)?==
-In order to better protect you, your data, and our campus network from increasingly sophisticated phishing and other social engineering attacks, Winona State University will be implementing an Office 365 (O365) security feature this fall called Multi Factor Authentication (MFA). Once enabled, your password alone (which someone could have stolen from you) will not be enough to prove your true identity when you log into O365. In addition to your username and password, O365 will ask for more proof before it lets you in the door. Think of it as a special knock or a secret handshake. O365 will not request your special handshake every time you log in from your office or other "trusted" computers, only when it detects something has changed or your account is being used someplace new.
+In order to better protect you, your data, and our campus network from security threats, Winona State University will soon implement  Multi Factor Authentication (MFA) for Office 365. Once enabled, you must also use the another verification method along with your user name and password. This adds another layer of security and significantly reduces security threats.
 ===MFA Options===
-You can choose from several MFA options and can use different options in different situations, depending on what's most convenient for you. The type of handshake or knock you choose can have an impact on how and where your account can be used, so we want you to be well-informed before you decide what is best for you.
+There are a variety of authentication options that can be chosen for Office 365 ranging from a verification phone call to a secret code generated by an app on your phone. Below are all of the supported options.
 ====Option 1: Smartphone Notification App====
-This is generally the easiest option for people who have a smartphone and is presented as '''"Notify me through app"'''. When the system needs additional assurance to verify your password was really entered by you, a popup is seen on your phone that asks you "Do you approve this login Y/N" All you need to do is press Y or N to confirm you expected that login and the rest is automatic. This application is easy to configure, easy to monitor and consumes very little data and battery. The upside of this option is that it makes your O365 account accessible to you wherever you bring your smartphone. If you need to access your account on your home computer, press Y on your phone. If you need to access your account from a hotel lobby kiosk, press Y on your phone. The only downside to this option is that not everyone has a smartphone or is willing to use their smartphone for anything work-related. This is why there are other options.
+This is the easiest option if you own a smartphone. After you download and configure the '''Microsoft Authenticator''', your phone will prompt you before every login to approve the login request. After you select '''approve''' on your phone your will be logged in.
+This method isn't for every one as users without smartphones will not be able to use this method, and if you lose your smartphone, you may temporarily lose access to your Office 365 until you go through the recovery process.
 ====Option 2: Cell Phone Text====
-This is the next easiest way for people who either don't have a smartphone or don't want the overhead of the application to verify their identify when the need arises. The '''"text a code to my phone"''' option will simply text you a seemingly random 6-digit number that you will be prompted to enter after your password. When you enter the correct numbers it sent, the system is relatively certain it is you and not a hacker with a stolen password and will let you in. This option is again very easy to set up, requires very little configuration, and relies on only basic texting service. While it isn't quite as easy as the notification app, it does provide people with the ability to access their account while not at work or on a work laptop, which can be important to some people. While not required, leveraging a personal cellular device does provide you the most flexibility in accessing your work account when not at work.
-==Setup Trust Account==
+The next option is text verification. After you type in your credentials to your account, it will ask permission to send a text message to your phone. After you clock '''Send me the text''', you will receive a 6 digit code via text on your cell phone. Next you must enter this code into the field now located on the login window of your computer and you are now successfully logged into your account.
-If you see other choices you may have set something up previously.  Office 365 personal or security and privacy settings contain some of this info so it may have been added previously.
+This is a great method for those without smartphones. This method is always nice because as long as your cell phone number stays the same, this method will work. This means that no extra configuration is required when you upgrade or replace your cell phone.
+====Option 3: Smartphone Code Generating App====
+The '''Microsoft Authenicator''', along with being used for option 1, can also be used for another form of authentication. This method will constantly be generating a 6 digit code every 30 seconds right on the app, that you will simply enter in office 365 after you enter your credentials.
+This method '''does not require any data''' which means even if your are our of country with no cellular data or WiFi you can still access to your account.
+====Option 4: Call My Phone====
+This option allows you to verify via a phone call. Whenever you login, you will get an automated phone call asking you to approve the login. This method can be used with either a personal phone or an office phone, and just as in option 2, no extra configuration will be necessarily upon upgrading or replacing a phone so long as your phone number stays the same.
+It is important to note that using an Office Phone as your only other verification method will disallow you from accessing your account when you do not have access to this phone.
+====Option 6: University Laptop or Tablet Code Generating App====
+It is possible to install a code generator application on a university laptop or tablet. This will function exactly like option 3 and the '''Microsoft Authenticator'''. If you would like to setup this option, please contact {{TSC}} for more info.
+====Multi-Option====
+All of the authentication options are better in certain situations and not so good in others. For example if you are traveling abroad and do not have access to WiFi or Cellular, the first option will not work for you. This is why we recommend setting up multiple authentication options so that no matter what situation you find yourself in, you are still able to access your Office 365 account.
-. Go to [https://account.activedirectory.windowsazure.com/Proofup.aspx https://account.activedirectory.windowsazure.com/Proofup.aspx]
-. Sign into your account and setup MFA
+==Setup Process==
-===Our Recommendations===
+'''Our Recommendations'''
 *'''Provided you have a smart phone''', we highly recommend using the Notify Me through app using the Microsoft Authenticator app as your #1 choice; followed by a backup text.  This notification process makes it super easy when your account is finally tripped.
 *A regular cell phone without smart capabilities use text
 *If no cell phone your options are to use your office phone or use verification code from app on a university laptop.
-===Setup Process===
-[[File:VerificationScreenPreferred1.png|600px]]
+.) On any '''computer''', navigate to https://account.activedirectory.windowsazure.com/Proofup.aspx
+Then, log in.
+Students: [StarID]@go.minnstate.edu
+Faculty/Staff: [StarID]@minnstate.edu
+[[file:MFA1.png|300px|float:left]]
+.) Once signed in, you will be prompted to provide more security information to your account. Click ‘Next’.
+[[file:MFA2.png|300px|float:left]]
+.) Now, click on the first dropdown and select which secondary device you would like to use for multi-factor authentication.
+Authentication phone: This will verify through an Automated phone call or text.
+Office Phone: This will verify through your office phone. Mobile App:
+Mobile App: This will use the Microsoft authenticator App to secure your account.
+[[file:MFA3.png|600px|float:left]]
+'''Please compete one or more of the options below to complete setup'''
+====Authentication Phone====
+From the first drop down select “Authentication Phone” and then type in the phone number you would like to use along with the country code of your phone number.
-*Click on Setup
+Next Choose whether you would like to verify through call or text. Click “Next” and you will receive a call or text with instructions on how to complete the process.
-*On the next screen read through the instructions, install the app and click on Next
+[[file:aPhone.png|500px|float:left]]
-[[File:ConfigureMobileApp1.png|600px]]
+====Office Phone====
-*A message will be sent to you phone
+From the first drop down select “Office Phone” and then type in the phone number and extension along with the country code of your phone number.
-[[file:AdditionalSecurity5.png|600px]]
+Click “Next” and you will receive a call with instructions on how to complete the process.
+[[file:oPhone.png|500px|float:left]]
-* When you get the verification message click on Approve
+====Authentication App====
-[[file:AndroidApproved1.jpg|200px]]
+Select your smartphone platform for Instructions on installing ''Microsoft Authenticator''.
+====== Android <span class="mw-customtoggle-0" style="font-size:small; display:inline-block; float:none;"><span class="mw-customtoggletext">[Show/hide]</span></span> ======
+<div  id="mw-customcollapsible-0" class="mw-collapsible mw-collapsed">
+I. On your smartphone, navigate to the Google Play Store
+[[file:a1.png|300px|float:left]]
+II. In the search bar, type “Microsoft Authenticator”, Then click the first option shown above.
+[[file:a2.png|300px|float:left]]
+III. Click “Install”. '''Note: You may need to enter your Google password if prompted.'''
+[[file:a3.png|300px|float:left]]
+IV. Please continue the next step to configure Microsoft Authenticator.
+</div>
+===== iPhone <span class="mw-customtoggle-1" style="font-size:small; display:inline-block; float:none;"><span class="mw-customtoggletext">[Show/hide]</span></span>  =====
+<div  id="mw-customcollapsible-1" class="mw-collapsible mw-collapsed">
+I. On your iPhone, navigate to the App Store.
+[[file:IP1.png|float:left|400px]]
+II. Tap the search tab in the bottom right.
+[[file:IP2.png|float:left|400px]]
+III. Tap "Get" on the Microsoft Authentication tile as shown below.
+[[file:IP3.png|float:left|400px]]
+IV. Now you must sign into the App Store with your fingerprint or Apple ID password. After the install is complete you can move on to the next steps.
+[[file:IP4.jpg|float:left|400px]]
+</div>
+=====Configuring the Authenticatior App=====
+From the first drop down select “Authenticator App” and then click whether you want to verify through secret code, or app notification. Then click “Set Up”.
+On the Microsoft Authenticator app, click “Add Accounts” , then “Work or School account”. The app will ask for permission to use your camera, click “Allow”. Then you simply need to scan the QR code on your computer screen and you are done!
+[[file:appPhone.png|float:left|500px]]
 ==Activation==
@@ Line 53: / Line 142: @@
 *Type in your StarID password once and click approve (or enter text option)
-[[Category:Microsoft Office 365]]
+==More Info==
+[https://learn.winona.edu/images/b/be/Office365MFA.pdf Printable MFA Setup Instructions]
+[https://thenextweb.com/google/2019/05/23/google-data-shows-2-factor-authentication-blocks-100-of-automated-bot-hacks/ Google data shows 2-factor authentication blocks 100% of automated bot hacks - The Next Web]
+[https://heimdalsecurity.com/blog/start-using-two-factor-authentication/ Why You Should Start Using Two-Factor Authentication Now - Heimdal Security]
+[https://www.wired.com/story/two-factor-authentication-apps-authy-google-authenticator/ How to Secure Your Accounts with Better Two-Factor Authentication - Wired.com]
+[[Category:Security]][[Category:Microsoft Office 365]][[Category:MFA]][[Category:2FA]][[Category:Multi-Factor Authentication]]