Office 365 Multi-Factor Authentication

The week of October 24, 2019, the Jefferson Lab CST Division began converting authentication for Office 365 (O365) from your JLab password to multi-factor authentication (MFA).

NOTE:  The CST Division offered training sessions prior to the conversion.  You can download the JLab O365 MFA slideshow presentation as a reference tool.


The IT Division will be implementing multi-factor authentication (MFA) with Office 365 (O365).  O365 has services other than Outlook Email and Calendar.  A few examples are Office (Word, Excel, and PowerPoint), OneDrive, and SharePoint.  These services open up the potential for storing sensitive data in the Cloud.  The multi-factor authentication (MFA) method grants access when a computer user successfully presents two or more pieces of evidence (or factors) to authenticate.  An example would be the PIV-C Smartcards (Gemalto USB thumb drive) we currently use to log in to our computers.

DOE is requiring that our Office 365 (O365) instance be configured to require multi-factor authentication (MFA) for login.  By using MFA with O365, your data is better protected, and you are better protected from scammers using your O365 account to send spam if they gain access to your CUE account.

What to use?

There are several options for using MFA with O365.  Please review the options below to consider which would work best for you.  If you have questions or concerns regarding an option, contact the IT Division Help Desk.  We are happy to walk you through this process.

Microsoft Authenticator App

The easiest way to use MFA with O365 is to install the Microsoft Authenticator app on your Smartphone (Android and/or iOS).  Below are general instructions for installing this app on your Smartphone:

  1. Install the app from your app store
    • NOTE:  This app will need permission to access your camera to complete Step #4
  2. Go to the webpage and click on 'Setup Authenticator App'
  3. Click on Add account to the Authenticator App
  4. Point your phone at the QR code from the web portal page
  5. Click Next and continue to follow the directions on the screen

Once you have the app installed, you can configure MFA on O365 to:

  1. Send a push notification to your Smartphone to ‘Approve’ or ‘Deny’ the access request
  2. Enter a 6-digit PIN generated from the app

What if I get a new phone?

To configure the Authenticator App on a new phone, follow the steps below:

  1. Log on to -- from a computer with a screen -- NOT your new phone.
  2. Click on your Initial Icon (or photo) in the upper right
  3. Click on "My Account"
  4. Click on "Update Info" in the Security Info box.
  5. Click on "+ Add method"
  6. Select "Authenticator app" from the drop down and click on "Add"
  7. Open the Authenticator app on your phone.
    1. Click on "Add Account"
    2. Select "Work or School Account"
    3. The camera on your phone should now be active.
  8. Back on the computer screen, click on Next twice.  A QR code will appear.
  9. Point your phone's camera at the QR code on the screen.
  10. Finish the Wizard on the computer screen.

Text Messaging or Phone Call

Other options would be for Microsoft to send you a text message or call you:

  1. Text a 6-digit PIN to your Smartphone or texting device
  2. Configure app to call a set phone number to provide a 6-digit PIN

What about Thunderbird and other IMAP clients?

Once you have configured MFA on O365, you must make changes to your O365 account to create what is known as an application password.  You will use the O365 ‘Create and manage app passwords’ utility to create randomly generated passwords for any mail clients that do not support MFA on O365, such as Thunderbird or Apple Mail.

NOTE:  Since application passwords are randomly generated, and they are not your CUE password, we recommend saving them in the mail client.  This will allow you to log in to your mail client without having to generate a new application password each time.

To begin:

  1. Log in to
    1. Click on the Outlook icon if you are not taken there automatically
  2. Click on your profile in the upper right and go to ‘My account’
  3. Click on ‘Update INFO’ in the "Security Info" box.
  4. Click on the ‘+Add Method’ link
  5. Select "App Password" from the drop down selector.
  6. Click on "Add"
  7. Give this new App Password a name.  There are rules for the name; once you type a long enough and valid name, "Next" will become enabled.  Click "Next".
  8. Your new App Password is now displayed.  Copy it by clicking on the 'copy icon' just to the right of the password, or write it down.
  9. Click "Done".
  10. Open or restart Thunderbird and use the app password in place of your CUE password (Ctrl+V to paste)
    1. Remember to check the box for saving the application password

Microsoft recommends that a different application password be used for each application that is not able to use MFA on O365.  These passwords are used in place of your regular password to log in to O365 with MFA.  You should not need to make any configuration changes to the application; you’re simply using a different password.

If you are using the Outlook app on your Smartphone, or Outlook on your desktop or laptop, you will not need to configure an application password.  These Microsoft apps are already configured to use MFA.

JLab-o365-MFA.pdf (1.37 MB)