Setting up Multi-Factor Authentication on Office 365

There are two methods we suggest for securing your account under MFA:

Authentication Phone – Where you have to answer a phone call or pick up a text message to authenticate
Mobile app – Where an app on your smartphone allows you to easily approve authentications

We have enabled an option so that, once you have authenticated via one of the above options, you can select a “Don’t ask again for 60 days” checkbox and can just log in with the password for the next two months as you do now.  However, please be aware that you will be asked to authenticate using the secondary device again when that time expires.  Also note that this is a setting that applies to the particular browser and device you are logging in to.  If you tick this box for Chrome and then try and log in via Internet Explorer, you will be asked to MFA again.

Please find full guidance on implementing this below.

 


 

Sections in this page:

 

 


 

The MFA Wizard

The first indication you will receive that we have turned MFA on for your account is when you see this window after logging in to Office 365.

You will now be asked how you would like to be contacted when you authenticate.  See the 'How should we contact you?' section below for more information. 

If you choose to use the mobile app you will get a 'Set up' button with further instructions to follow.  After completing this click Next.

Also for those choosing mobile app, it will ask you to setup a telephone number as a backup option.

Now that the option is set it will ask you to authenticate using this method.  This is also where you can select 'Don't ask again for 60 days'.

You will now see a 'Keep using your existing applications' step.  If you use the Outlook client please copy the password and store it safely for the moment, in a word document for instance, and click 'Done'.  If you only ever log into www.office.com to access your emails you can ignore this and click 'Done' straight away.

Important note: Keep any notes of app passwords safe and delete them after they have been used to setup Outlook.  You can recreate an app password easily and keeping an unsecure record of app password can create a security risk in itself.

After confirming the above, you may now see this screen.  This is simply asking if you want your workstation to try and log in with this account every time you access www.office.com.  Make your selection.

You should now be signed into Office 365 and have setup MFA.  Your account is significantly more secure for doing so.

If you use the Outloook client you will now need to authenticate to this for the first time, as per the Outlook Client section below.

 

 


 

How should we contact you?

Further details about the contact methods used.

 

Contact method

Description

Our Comments & Actions

Authentication Phone

- Phone call places an automated voice call to the phone number you provide. Answer the call and press # in the phone keypad to authenticate.

- Text message sends a text message containing a verification code. Following the prompt in the text, either reply to the text message or enter the verification code provided into the sign-in interface.

Authentication Phone does not require the installation of the Microsoft Authenticator app on a smart phone, however it does require a mobile signal to receive the communications.

Office Phone Call

Places an automated voice call to the phone number you provide. Answer the call and press # in the phone keypad to authenticate.

This option utilises an ‘Office phone’ number entered centrally and is not editable on this screen.  The previous ‘Authentication phone’ does this job adequately already so we do not see this option as viable at the moment.

Mobile App 

*Recommended*

*Best for account sharing*

*Best for no mobile signal*

 

 

- Receive notifications for verification. This option pushes a notification to the authenticator app on your smartphone or tablet. View the notification and, if it is legitimate, select Authenticate in the app. Your work or school may require that you enter a PIN before you authenticate.

- Use verification code. In this mode, the authenticator app generates a verification code that updates every 30 seconds. Enter the most current verification code in the sign-in interface.

The Microsoft Authenticator app is available for Android, iOS, and Windows Phone.

Using the mobile app is a less intrusive option than receiving a telephone call or text message from an automated system.

'Receive notifications for verification' is the easiest option to use, but requires that your phone be connected to the internet.

Use verification code requires no connection.

Also, you can configure the mobile app on two phones for the same account.   Click here for further guidance

Desktop app

 

There is no official option for this, you simply choose 'Mobile app' and use a desktop app such as WinAuth to provide the verification codes.  As this is not a Microsoft solution there is only limited support we can give for it, but there are more details in FAQ2.

 


 

Email clients (Outlook)

 


Outlook 2016

 

Outlook 2016 is capable of connecting to the Office 365 natively using 'Modern Authentication'.  It will ask you for your secondary authentication details in the same way that Outlook Web Access does.

Previous versions of Outlook will require the app password you kept a copy of from the 'Keep using your existing applications' part of the MFA wizard.

Within an hour of completing the MFA wizard, you should see that Outlook will appear disconnected or you are being prompted for the password again.

 


You will be asked first for your password again and then for your MFA authentication.  When you have entered this Outlook will reconnect to your account.

 

        


 

Outlook 2013

Outlook 2013 can also connect using 'Modern Authentication' to Office 365 as Outlook 2016 does above, but you would need a specific patch applied.  Modern Authentication is ideal as it is more secure, but if the patch is not applied we advise carrying on and connecting to Outlook as it is with an App Password.  It is more important to implement MFA as soon as possible and consider looking at the patch later when your ICT technician is next onsite.
 

After completing the MFA wizard close Outlook and reopen it.  You should find Outlook will not be able to connect until you provide credentials again.  If you do not get a prompt to re-enter credentials, click the Send/Receive tab and see if there is a "Type Exchange Password & Connect" button.
 

 

You will see one of the login prompts below. 

If you have the patch applied you are likely to be see first prompt below, and can just follow the onscreen prompts. 

If you do not have the patch applied you are likely to be see second prompt below.  You will need to login with your full email address and the App Password you saved during the MFA setup wizard.
 

Patch applied: Patch not applied:


If the App Password appears to be rejected we recommend two actions.

a) Try a new one by following the Changing your MFA choices and Setting up new app passwords section.

b) If the above doesn't work, try following FAQ20. I am using Outlook 2010 or my app password is not being accepted by Outlook 2013

 


 

 

 

Outlook 2010

Note: Please ensure you have applied any service packs and updates to Office 2010 before continuing.  Outlook 2010 will definitely not work unless SP2 is applied.


As this version of the outlook client is unable to use Modern Authentication you will have to setup a way for this application to securely side step the MFA login process.  This is done through app passwords.

You will have saved an app password when you ran through the MFA wizard above.  If you require another app password see the Changing your MFA choices and Setting up new app passwords section.

After running through the MFA Setup Wizard, close Outlook and reopen it.  You should find it prompts for your password again in which case you will need to login with your full email address and the App Password you saved during the MFA setup wizard.

If you do not see a login prompt and Outlook just shows as "Disconnected" try following FAQ20. I am using Outlook 2010 or my app password is not being accepted by Outlook 2013


If you do see a login prompt but you app password is not being accepted, please try creating a new one by following the Changing your MFA choices and Setting up new app passwords section.

 


 

Any other application that cannot use 'Modern Authentication'

 

Email accounts have been logged into for years with simply a username and password, so it is going to take a while for all email clients to be updated to use modern authentication methods.  Any application that uses just a username and password will require its own app password.  When this has been created simply use your email address and this password to authenticate.

 

 

 


 

Changing your MFA choices and Setting up new app passwords

Now that you have gone through the MFA Wizard if you want to change any of the settings you can do so by logging into www.office.com and following the instructions below.

You will need a separate app password for each email client you use.

 

  1. Sign in to Office 365 using your password and verification code.
  2. Choose Settings  > Office 365
  3. Choose Security & Privacy > Additional security verification
  4. Here you will see options for...

    a) Update my phone numbers used for account security.
    b) Create and manage app passwords

Please bear in mind that you can only change these settings yourself if you can access the account, otherwise you will need to contact the Service Desk. 


 

Don’t ask again for 60 days


Next time you log into the Office 365 portal make sure you click the “Don’t ask again for 60 days” checkbox, as per screenshot on the right.  This will give you the maximum time before you will have to use the MFA options again.

 


 

 

Further help

Thank you for reading this guide and the FAQ's here.  We have tried to be as thorough as possible so you can find answers to your issues without having to try to get through to us.  If however you have still been unable to solve your issue please get in touch with the Service desk.

Please note however that should you require hands on assistance with setting up the Outlook client or other device we may have to refer you to your local ICT technician.

 

 


 

Further references

The full Microsoft page titled Set up my account for two-step verification can be found here, if required:

https://docs.microsoft.com/en-us/azure/active-directory/authentication/end-user/current/multi-factor-authentication-end-user-first-time

 

Admin help

https://ict.norfolk.gov.uk/page.aspx?ID=1395

 

Close