Multi-Factor Authentication (MFA)

Modified on Wed, 4 Jun at 9:56 AM

Introduction


Multi-Factor Authentication (MFA) is a way of confirming your identity with something you have, typically a phone. After entering your username and password as usual, you can tap on a notification in a mobile app, receive a verification phone call, or receive a 6-digit code via SMS text message.


Why is this being introduced?


As part of a programme of ongoing security improvements, strengthening authentication has been identified as critical to securing our sensitive data. All Academic staff have been using MFA since 2021; this is now being extended to all staff. Staff computers connected to the school network will not usually require MFA.


Will I have to use a second verification method every time I sign in?


No, when you get a pop up asking for your second factor there is a tick box you can select to have it remember the sign-in for 30 days. It is only recommended that you do this if you trust the device and will be using it again. This applies only to the application you are in so you may find that you have to do this for a couple of sign-ins on your device (MS Office, your browser and Firefly for example) but after that, you should not have to verify your sign-in on that device until the next month.


What is the best way to set up MFA initially when I am asked?


Do it on a computer rather than on your phone: log on to https://aka.ms/MFASetup


In Step 1, for ‘How should we contact you?’ we recommend that you choose ‘Mobile app’, and for ‘How do you want to use the mobile app?’ we recommend that you choose to Receive Notifications for Verification.


Follow the instructions on the screen to install the Microsoft Authenticator App on your phone and add your school account to the App.

Microsoft Authenticator App

How to get the Mobile App


Search for “Microsoft Authenticator App” on your relevant App store (Windows Phone, Android or iOS) and download it to your device.


Once downloaded, configure the app so that it can be linked to your School Account.


  1. Swipe through the introduction screens.

  2. Select the “Add Account” button.

  3. Choose “Work or school account”.

  4. Scan the QR Code which appears on your computer screen after selecting the Mobile App option (or enter the code manually).

  5. Follow the instructions which appear to finish configuring the App for MFA.


    In Step 2 you verify that you receive the notification successfully and in Step 3 you are asked to add a phone number. Adding some additional options such as your mobile number and home phone is helpful in case you are ever unable to receive a verification notification through the app. Put in your mobile number in Step 3. Once this is complete, go to https://aka.ms/MFASetup and sign in. On this screen, you can add or remove MFA methods and select which one you will use by default.


    How do I change/add to my MFA settings?


    Go to https://aka.ms/MFASetup and sign in. On this screen, you can add or remove MFA methods and select which one you will use by default.


    Can I opt-out of setting up MFA?


    No, all staff are required to have their accounts protected with MFA.

    Will I need to verify my identity with MFA every time I sign in?

    No, you have the option to tick a box that says, “don’t ask me again for 30 days” when you sign in so that the next time you sign in on this device, MFA won’t be required.


    What if I do not have my mobile at hand and this is the only method of authentication I have set up? What do I do if I get a new mobile?


    Go to https://aka.ms/MFASetup. On this screen, you can change your MFA options, including changing a phone number and setting up the Authenticator App to receive notifications (the option for second-factor verification).

    What do I do if I cannot get into my account?

    Raise a ticket at https://mhsf.freshdesk.com/support/home

    How many options should I set up for MFA?

    The recommendation is that you set up at least two options, so if you forget your mobile phone you can log on using another method.


    What should I do if I receive a verification request such as an SMS or phone call but I was not trying to sign in?


    If a call ever comes into a landline phone number asking for verification, unless you are expecting the call, do not verify it! If this happens more than once, please report it to IT Services.


    Known Problems and Workarounds


    Email on mobile phones may require Microsoft Outlook to be installed; MFA may not work with other email apps.

    Certain versions of Outlook on computers can have problems with MFA. In this case either upgrade Outlook, use Outlook Web Access, or follow the instructions below to create a special app password:

    To create app passwords in the Office 365 portal:


    1. Log on to the Office 365 portal http://portal.office365.com

    2. In the top right corner select the settings cog wheel widget and choose your app settings, Office 365.

    3. Click on Security & privacy, select Additional security verification

    4. Click Create and manage app passwords

    5. Create an app password for “Outlook on computer”. Before closing the box, make sure you copy the app password, then use this password for Outlook (tick remember me). You do not need to record this password.





Adam Banks


Appendix A - Microsoft Authenticator App Permissions


From https://docs.microsoft.com/en-us/azure/active-directory/user-help/user-help-auth-app-faq


Why does the Microsoft Authenticator app request so many permissions?

Here's the full list of permissions that might be asked for, and how they're used by the app. The specific permissions you see will depend on the type of phone you have.

  • Camera. Used to scan QR codes when you add a work, school, or non-Microsoft account.

  • Contacts and phone. The app requires this permission so it can search for existing work or school Microsoft accounts on your phone and add them to the app, helping to ensure your account works properly. This permission also helps save you time while adding your personal Microsoft accounts, by automatically filling in some of the info for you, like your first and last name.

  • SMS. Used to make sure your phone number matches the number on record. When you sign in with your personal Microsoft account for the first time, we send a text message to the phone where you downloaded the app that includes a 6-8 digit verification code. Instead of asking you to find this code and enter it in the app, it's found in the text message for you.

  • Draw over other apps. The notification you get that verifies your identity is also displayed on any other app that might be running.

  • Receive data from the internet. This permission is required for sending notifications.

  • Prevent phone from sleeping. If you register your device with your organization, your organization can change this policy on your phone.

  • Control vibration. You can choose whether you would like a vibration whenever you receive a notification to verify your identity.

  • Use fingerprint hardware. Some work and school accounts require an additional PIN whenever you verify your identity. To make the process easier, we allow you to use your fingerprint instead of entering the PIN.

  • View network connections. When you add a Microsoft account, the app requires network/internet connection.

  • Read the contents of your storage. This permission is only used when you report a technical problem through the app settings. Some information from your storage is collected to diagnose the issue.

  • Full network access. This permission is required for sending notifications to verify your identity.

  • Run at startup. If you restart your phone, this permission ensures that you continue to receive notifications to verify your identity.
