1-Step Setup: Multi-factor authentication (MFA) for O365

General Information

---

• Multi-Factor Authentication (MFA), also called 2-Factor Verification, is a way of verifying people logging into our systems are authorized to access those systems.
• Malicious and phishing email attacks are a constant threat for all organizations. Each individual who uses MFA helps to reduce the risk and vulnerability while also contributing to the overall security of our network environment. Through our Minnesota State Colleges and Universities O365 single tenant licensing, we have access to the Microsoft MFA solution.
• This solution helps to protect not only your account, but all of our data and applications connected to Office 365 within the shared Minnesota State tenant.

---

Question:

• What is Multi-Factor Authentication for O365?

---

Answer:

• Multi-Factor Authentication (MFA) is a form of authentication which employs a 2-step process, beyond just your password, to help verify you are actually the person who is logging in to your account. This second form of authentication verification provides another layer of added security protection.
• Once you have enrolled in O365 MFA, after entry of your MinnState credentials to log in to O365 applications, you will receive a notification via the MFA notification option you selected during set up (a text, a phone call, or mobile Microsoft Authenticator App verification) to verify it is you logging in to your account.

---

Question:

• Already setup but need to change your settings? Click HERE to update your settings

Question:

• How do I attain O365 MFA added protection?

Multi-Factor Authentication (MFA)

Setting up MFA

BEFORE YOU BEGIN

To successfully set up MFA, you should:

1. Review, understand the set up, and pick which MFA method(s) you will be using.

2. Know what methods each device can support you want to use for MFA.

• It is recommend to set up at least two different methods and, if at all possible, two different devices.  Remember you can Mix ‘N Match and have MFA configured on multiple devices!

(If two different devices is not possible, use at least two different methods on your primary device.)

3. Prepare to have all the devices available and connected to your cellular, WiFi, or other connection to successfully confirm enabling MFA for that device.

• IF using a an authenticator app on your mobile device, such as the MS Authenticator app, download and install the app from Apple’s App Store or Google’s Play Store before starting the MFA process.

• IF using a spouse or trusted relative’s mobile phone as a secondary device, you do NOT have to have it in your possession.  You can voice or video call with them and walk them through what needs to be configured on their device. 

• IF you selected receiving a voice call on a phone, you will need to have it in your possession to answer the call.  MFA does not work leaving a message on voicemail or any other kind of automated responses to the call.

4. Once you are logged in, start MFA activation by going to the MFA website. 

 

https://www.minnstate.edu/mfa  

 

First-Time Setup Wizard

New Accounts

If you have not logged into your account before, the MFA Setup Wizard will guide you in setting up MFA for your account. 

 

Existing Accounts

If already had an account and did not set up and enable MFA yourself before it was enabled for you, the MFA Setup Wizard will appear to complete MFA setup the next time you login to Office 365. Even if you are already logged in, the MFA Setup Wizard will appear at some point to have you complete MFA.

Notice

You need to complete the MFA Wizard before you can access your emails and other information in Office 365.  If you do not complete the Wizard successfully or cancel the Wizard, you will not be able to access your emails, files, or applications in Office 365 until MFA is successfully configured and verified.

Instructions for the MFA First-Time Setup Wizard can be found HERE or copy and paste the following link into your browser

https://mnscu.sharepoint.com/:w:/s/SO-SecurityTeam/EZauFXGg0EZPuCZmKUzY7K4BQcOa8tm01z1UxZbYjohb0g?e=kXHjAq

Changes to MFA

Need to add additional verification methods or make changes?

You can add additional way to use MFA, and you can use more than one way at the same time to ensure you are able to use MFA in case any issues are encountered on the primary method you picked.

Also, there may be times when you need to change information in MFA.Good examples are if you changed or mobile or office phone number, or need to set up the Authenticator app on a new mobile device you have.

To add or make changes to MFA, click HERE or open an internet browser and go to https://aka.ms/mfasetup. If you are not already signed in with your account, the page will prompt you to login.  Once you are logged in, it will open two (2) tabs or windows.  Click on the “Additional security verification” tab to make additions or changes.

 

 

 

Select your “Preferred method”

Selecting your preferred method lets MFA know which method to use first before using the other methods you have configured.Simply click on the drop-down list and click on your preferred method.

 

*As stated earlier, it is recommend to use the MS Authenticator app as your primary authentication method.

 

Note below are all of the MFA methods available and you can “Set up one or more of these options.”

To set up all of the methods you want to use, simple click on the check box and enter the necessary information. For an authenticator app or in rare instances where a physical security token is necessary (discuss with IT first), an additional dialogue will appear (below).

 

Method #1 – Microsoft Authenticator app

1. Have MS Authenticator downloaded and installed on the mobile device(s) you will be setting up Authenticator on.

2. On the “Additional Security Verification” page, select “Notify me through app” as your Preferred method.

3. Click the check box for “Authenticator app or Token,” then click on “Set up Authenticator app.”

You will now see the Authenticator App screen displayed:​​​​​​​

​​​​​

4. Open MS Authenticator on your device, and use the camera to take a picture of QC code displayed on your device!

            If the QC code does not work, you can manually enter the information below the QC code

5. MFA will now send a verification message with an “Approve or Deny” to your device.  Click on “Approve” to verify.

If you prefer to use the code generated by MS Authenticator as your primary method, select “Use verification code from app or token.”

You can register MS Authenticator on more than one device, repeating the steps above.

 

Method #2 – Text Message Authorization Code

1. On the “Additional Security Verification” page, select “Text code to my authentication phone” as your Preferred method.

2. Click the check box for “Authentication Phone,” then enter your device phone number.

3. MFA will now send a code to your device you will need to enter on the MFA.  Enter the code on the “Verifying phone” dialogue and click on “Verify.”

Method #3 – Enter generated code from app

1. Have the Microsoft Authenticator or third-party authenticator app downloaded and installed on the mobile device(s) you will be setting up MFA on.

2. On the “Additional Security Verification” page, select “Use verification code from app or token” as your preferred method.

3. Check the box on “Authenticator app or Token, then click on “Set up Authenticator app”

4. Next to the QC code, click on “Configure app without notifications,” which will update the QC code and other information. 

5. Once the QC information has changed, use the camera to take a picture of the QC code.

     

If the QC code does not work, you can manually enter the information below the QC code.

6. A dialogue will prompt you to “Enter the verification code displayed on your app.”  Enter the code generated from your device, then click on “Verify.”

Method #4 – Calling your Authentication phone

1. Have your primary device you will be receiving MFA voice call available.

2. On the MFA setup page, select “Call my Authentication phone” as your preferred option.

3. Check the “Authentication phone” check box and enter your device’s phone number.

4. An MFA dialogue will appear, prompting “Verifying phone:  Answer it to continue…”

5. The incoming MFA call will display “RESTRICTED” on your device.

6. Answer the call and listen to instructions, press the requested key or key combination to validate your phone.

 

Method #5 – Calling your Office Phone

1. Have your office phone you will be receiving MFA voice call available.

2. On the MFA setup page, select “Call my Office phone” as your preferred option.

3. Check the “Office phone” check box and enter your device’s phone number.  If you have a personal (not shared) extension, please enter it in the “Extension” field.

4. An MFA dialogue will appear, prompting “Verifying phone:  Answer it to continue…”

5. The incoming MFA call will display “RESTRICTED” on your device.

6. Answer the call and listen to instructions, press the requested key or key combination to validate your phone.

NOTE: The “Office phone” information will NOT be validated if you do not use it as your preferred option.  However, you can use it as an alternate method. 

To ensure everything is working properly, it is recommended you validate using your Office phone setup using the “Sign in a different way” instructions, which is part of the “Using MFA” documentation, found HERE.

 

Additional Methods

There are additional ways to have MFA work for you if none of the methods are available.Please contact the college IT HelpDesk 763-433-1510 to discuss your situation.

 

Alternate Authentication Phone

It is strongly recommended to set up a second device as an alternate authentication phone to ensure you will still be able to use MFA in the event

• Your primary devices app or the device itself stops working.
• Your device gets damaged, lost, or stolen.   
• You simply forgot your device at home.

1. On the MFA setup page, check the “Alternative authentication phone” check box, select the “Country Code” then enter the phone number.

           

2. Check the “Office phone” check box and enter your device’s phone number.  If you have a personal (not shared) extension, please enter it in the “Extension” field.

 

NOTE: The Alternate authentication phone information will NOT be validated when you save your MFA settings. 

 

1. Verify you have selected the correct “Country Code” and phone number you wish to use.

2. To ensure everything is working properly, it is recommended you work with the owner (spouse or trusted family member) of the Alternate authentication phone to verify it is set up correctly, using the “Sign in a different way” instructions, which is part of the “Using MFA” documentation, found HERE.

 

Save!

1. Once you have everything set up, click on “Save”

2. You will be brought to your Microsoft Office 365 account page

3. Close both the Microsoft Account and MFA pages.

Always be on your guard!

Even with MFA, criminals and bad actors will try ways to scam you!

1. NO ONE, including the college will ever call you to ask to press “Approve” on a notification or to give them your Authenticator app or texted code.  NEVER GIVE OUT THIS INFORMATION. 

2. THINK BEFORE YOU AUTOMATICALLY APPROVE. If you were not logging into your account yourself, and were not expecting it…

1. DO NOT ANSWER an “Approval” request coming from your Authenticator app.

2. DO NOT ENTER THE REQUEST KEY(S) if you receive a voice call on your mobile device, office, or alternate phone.  Ensure your spouse or trusted family doesn’t automatically enter the key(s) without checking with you first.

 

---

 

Summary:

This article is used to inform users of Multi-Factor Authentication (MFA) for Office 365.