Office 365 Multi-Factor Authentication

Starting the week of October 24, 2019, the Jefferson Lab IT Division will begin converting authentication for Office 365 (O365) from your JLab password to multi-factor authentication (MFA).  Prior to enabling MFA on your O365 account, the IT Division will send you an email reminding you of the change.  The following is a tentative schedule of when your email will be affected.

 October 24, 2019  IT Division, ACE, early adopters   CC F224-225, 9:00AM - 10:00AM
 October 29, 2019  CFO, COO, CPO  CC Auditorium, 10:00AM - 11:00AM 
 November 5, 2019  Accelerator  CC Auditorium, 10:00AM - 11:00AM
 November 11, 2019  Engineering, LCLS-II  CC Auditorium, 10:00AM - 11:00AM
 November 19, 2019  Physics  CC Auditorium, 2:00PM - 3:00PM
 November 25, 2019  Facilities (Early Adopters)  CC Auditorium, 2:00PM - 3:00PM
 December 3, 2019  Facilities (Remaining), ESH&Q, Theory  CC F113, 10:00AM - 11:00AM
 December 10, 2019  12GeV, Director's Office, DOE  CC F113, 10:00AM - 11:00AM

NOTE:  The IT Division is offering training sessions each day of conversion.  If you would like to learn more prior to MFA being turned on for your O365 account, you are welcome to attend training session the week prior to your division's conversion.  You may also download the JLab O365 MFA slideshow presentation as a reference tool.


The IT Division will be implementing multi-factor authentication (MFA) with Office 365 (O365).  O365 has services other than Outlook Email and Calendar.  A few examples are Office (Word, Excel, and PowerPoint), OneDrive, and SharePoint.  These services open up the potential for storing sensitive data in the Cloud.  The multi-factor authentication (MFA) method grants access when a computer user successfully presents two or more pieces of evidence (or factors) to authenticate.  An example would be the PIV-C Smartcards (gemalto USB thumb drive) we currently use to log in to our computers.

DOE is requiring that our Office 365 (O365) instance be configured to require multi-factor authentication (MFA) for login.  By using MFA with O365, your data is more protected and you are better protected from scammers using your O365 account to send spam if they gain access to your CUE account.

What to use?

There are several options for using MFA with O365.  Please review the options below to consider which would work best for you.  If you have questions or concerns regarding an option, contact the IT Division Help Desk.  We are happy to walk you through this process.

Microsoft Authenticator App

The easiest way to use MFA with O365 is to install the Microsoft Authenticator app on your Smartphone (Android and/or iOS).  Below are general instructions for installing this app on your Smartphone:

  1. Install the app from your app store
    • NOTE:  This app will need permission to access your camera to complete Step #4
  2. Go to the webpage and click on 'Setup Authenticator App'
  3. Click on Add account to the Authenticator App
  4. Point your phone at the QR code from the web portal page
  5. Click Next and continue to follow the directions on the screen

Once you have the app installed, you can configure MFA on O365 to:

  1. Send a push a notification for access to your Smartphone to ‘Approve’ or ‘Deny’ the request
  2. Enter a 6 digit PIN generated from the app

Text Messaging or Phone Call

Other options would be for Microsoft to send you a text message or call you:

  1. Text a 6 digit PIN to your Smartphone or texting device
  2. Configure app to call a set phone number to provide a 6-digit PIN

What about Thunderbird and other IMAP clients?

Once you have configured MFA on O365, you must make changes to your O365 account to create what is known as an application password.  You will use the O365 ‘Create and manage app passwords' utility to create randomly generated passwords for any mail clients that do not support MFA on O365; like Thunderbird or Apple Mail.

NOTE:  Since application passwords are randomly generated, and they are not your CUE password, we recommend saving them in the mail client.  This will allow you to log in to your mail client without having to generate a new application password each time.

To begin:

  1. Log in to
    1. Click on the Outlook icon if you are not taken there automatically
  2. Click on your profile in the upper right and go to ‘My account’
  3. Click on ‘Security & privacy’ and go to ‘Additional security verification’
  4. Click on the ‘Create and manage app passwords’ link
  5. Hit the ‘create’ button and enter an identifying name like ‘Thunderbird’
  6. Hit the ‘next’ button to generate your application password
  7. To copy, select the ‘copy password to clipboard’ button
  8. Open or restart Thunderbird and use the app password in place of your CUE password (Ctrl+V to paste)
    1. Remember to check the box for saving the application password

Microsoft recommends that a different application password be used for each application that is not able to use MFA on O365.  These passwords are used in place of your regular password to log in to O365 with MFA.  You should not need to make any configuration changes to the application; you’re simply using a different password.

If you are using the Outlook app on your Smartphone, or Outlook on your desktop or laptop, you will not need to configure an application password.  These Microsoft apps are already configured to use MFA.

JLab-o365-MFA.pdf1.37 MB