Office 365 Multi-Factor Authentication

Why?

The IT Division will be implementing multi-factor authentication (MFA) with Office 365 (O365).  O365 has services other than Outlook Email and Calendar.  A few examples are Office (Word, Excel, and PowerPoint), OneDrive, and SharePoint.  These services open up the potential for storing sensitive data in the Cloud.  MFA grants access when a computer user successfully presents two or more pieces of evidence (or factors) to authenticate.  An example would be the PIV-C Smartcards (Gemalto USB thumb drive) we currently use to log in to our computers.

DOE is requiring that our Office 365 (O365) instance be configured to require multi-factor authentication (MFA) for login.  With MFA on O365, your data is better protected, and you are better protected against scammers using your O365 account to send spam if they gain access to your CUE account.

What to use?

There are several options for using MFA with O365.  Please review the options below to consider which would work best for you.  If you have questions or concerns regarding an option, contact the IT Division Help Desk.  We are happy to walk you through this process.

Microsoft Authenticator App

The easiest way to use MFA with O365 is to install the Microsoft Authenticator app on your Smartphone (Android and/or iOS).  Once you have the app installed, you can configure MFA on O365 to:

  1. Send a push notification to your Smartphone so you can ‘Approve’ or ‘Deny’ the access request
  2. Prompt you to enter a 6-digit PIN generated by the app

Text Messaging or Phone Call

Other options would be for Microsoft to send you a text message or call you:

  1. Text a 6-digit PIN to your Smartphone or texting device
  2. Call a set phone number to provide a 6-digit PIN

What about Thunderbird and other IMAP clients?

Once you have configured MFA on O365, you must make changes to your O365 account to create what is known as an application password.  You will use the O365 ‘Create and manage app passwords’ utility to create randomly generated passwords for any mail clients that do not support MFA on O365, such as Thunderbird or Apple Mail.

NOTE:  Since application passwords are randomly generated, and they are not your CUE password, we recommend saving them in the mail client.  This will allow you to log in to your mail client without having to generate a new application password each time.

To begin:

  1. Log in to https://portal.office.com/
    1. Click on the Outlook icon if you are not taken there automatically
  2. Click on your profile in the upper right and go to ‘My account’
  3. Click on ‘Security & privacy’ and go to ‘Additional security verification’
  4. Click on the ‘Create and manage app passwords’ link
  5. Hit the ‘create’ button and enter an identifying name like ‘Thunderbird’
  6. Hit the ‘next’ button to generate your application password
  7. To copy, select the ‘copy password to clipboard’ button
  8. Open or restart Thunderbird and use the app password in place of your CUE password (Ctrl+V to paste)
    1. Remember to check the box for saving the application password

Microsoft recommends that a different application password be used for each application that is not able to use MFA on O365.  These passwords are used in place of your regular password to log in to O365 with MFA.  You should not need to make any configuration changes to the application; you’re simply using a different password.

If you are using the Outlook app on your Smartphone, or Outlook on your desktop or laptop, you will not need to configure an application password.  These Microsoft apps are already configured to use MFA.