How to enable Multi-Factor Authentication (MFA) using Microsoft Authenticator


Frequently Asked Questions

1. What is Multi-Factor Authentication (MFA)?

Authentication is the process of verifying a person’s identity. It answers the question, “Who are you?” Multi-factor authentication uses both a password and a one-time code provided through an application on a mobile device.

2. Why is it important?

Security breaches due to compromised credentials have unfortunately become a regular occurrence. With an increasing number of passwords to remember, people are prone to re-use the same passwords for many accounts or to build passwords from easy-to-remember, easily accessible information (date of birth, names of family members or pets, etc.). When other services (social networks, websites, etc.) have breaches, these in turn can lead to your credentials being compromised and used to access confidential or restricted business information.

Multi-Factor Authentication (MFA) is an additional service in the authentication process. It validates the identity of the user accessing online systems and applications. MFA works on two principles: what the user knows (their password) and what the user has (their mobile phone or a physical device that generates one-time passwords).

3. Do I need to have my work email on my phone?

No, you do not need to have your work email on your phone. MFA only uses the device to send you a code via the mobile app. No cell numbers are stored anywhere, and we do not collect, store, or track any personal information through your mobile phone or device.

4. If I already have the Microsoft Authenticator app, do I need to reinstall it?

If you already use the Microsoft Authenticator app, you don’t need to reinstall it. You can proceed to registration. Employees who completed the registration during onboarding do not need to take any action.

5. How often should I have to authenticate?

The answer depends on how many apps and devices you use to access your Office 365 email and calendar. Generally, from your primary device (Outlook on a work desktop or laptop) you can approve sign-in for up to 90 days. If you sign in on another computer, or on the web, then you will be prompted for authorization again. All of these can be changed; however, here are the defaults.

MFA prompts should be expected when you first log into a service or app that requires your login. However, how often you are asked to verify with MFA will vary depending on what service you are using and whether you are using a browser or an app.

Browsers

Browser-based sessions will time out, depending on which service you are accessing:

  • Azure login-based services, which include Outlook, Outlook Web Access (OWA), Teams, OneDrive, Office, SharePoint Online, Dynamics 365, and Teams Web Client, should persist for 7 days, which means you should only be asked to verify with MFA every 7 days

Notes:

  • If you close your browser, you will be asked to verify again with MFA

  • If you log in to one service in a browser, you shouldn't need to verify with MFA for other services in the same browser (including on other tabs) until the session expires or the browser is closed

  • If you use several different browsers, such as Chrome, Firefox or Edge, you will be prompted to authenticate after timeout for each browser session

  • In addition to the above, some services may require you to refresh your login more frequently; these rules are imposed by the individual services. For example, Outlook Web Access (OWA) logs you out after 8 hours of inactivity.

Apps

Applications, unlike browsers, have a rolling window of up to 90 days of inactivity; this is renewed at each authentication until revoked. Any change that causes you to log in again, such as a software update, will trigger MFA verification.

Examples of such applications are:

  • Microsoft Outlook (Windows, Android, Mac/iOS)

  • Mac Mail

  • Microsoft Office applications

  • Microsoft Teams on Windows (NB: not web version)

  • Microsoft OneDrive client for Windows

  • Microsoft Flow app for Mobile Devices

Note: Microsoft Teams on Linux behaves like a browser application and, as such, session times act in line with the browser session of seven days.

This means that, by default, users on a non-Azure AD joined device won’t be prompted daily (or even monthly) to use their Office apps. This is by design. There is little value in prompting users every day to answer MFA on the same devices. This can lead to MFA fatigue, where users automatically approve MFA prompts without thinking about where the prompt came from. The real benefit of MFA is protecting against leaked credentials and/or brute force attacks. These connections will not be coming from the user's own device, so prompting devices at first connection, rather than constantly, makes a lot more sense.

6. What should I do when I get a verification request I don't recognize? (IMPORTANT!)

If you receive approval requests for access to your Office 365 and you are not actively signing in (entering your password), then deny the access! Your account password may be compromised, and someone else may be attempting to gain access to your data. In this case, contact us at 613-817-1212.

7. How do I recover MFA if I change or lose my phone?

Recovering MFA on a new phone depends on what options you set up:

  • Microsoft Authenticator app

The Microsoft Authenticator app has a backup and restore option. If you enabled backup on your previous phone, download the Authenticator again on your new phone and restore it. For instructions, see this Microsoft article.

If you have not set up backup yet and still have your old phone, you can enable the backup option on it and then restore the Authenticator app on your new phone.

If you did not back up your previous phone's Authenticator app and no longer have access to it, then visit https://aka.ms/mfasetup. You may be prompted for the Authenticator app; if so, select 'I can't use my Microsoft Authenticator app right now' from the sign-in request screen. Select one of your backup phone numbers and complete authentication. Remove your old one from the list of options.

Without any backup phone numbers, you may need to contact us by phone for assistance.

  • Phone number (voice call or text message)

If you no longer have access to the phone number you used for MFA authentication, you may update your phone number at https://aka.ms/mfasetup. You may be prompted for authentication; if so, select 'Having trouble? Sign in another way' from the sign-in request screen. Select one of your backup options (such as another phone number or the Authenticator app) and complete authentication.

Important: We recommend backing up your Authenticator app (see here) and adding additional phone numbers to make recovery easier when changing phones.

Getting Started

1. Download & Install
2. Sign In
3. Add Method
4. Get QR Code
5. Add Account
6. Scan QR Code
7. Finish