Office 365 Multi-Factor Authentication

• What is MFA?

• Why are we doing this?

• Conversion Schedule

• Configuration Options

• Microsoft Authenticator App

• Texting messaging

• Phone call

• Application password

• References

Kelvin Edwards

Paul Letta

What is MFA?

• MFA = Multi-factor Authentication

• Uses two or more pieces of evidence (or factors) to authenticate

－Something you have

• (e.g. Smartcard, CryptoCard or MobilePASS)

－Something you know

• (e.g. PIN)

• Current examples:

－PIV-C Smartcard

－CryptoCard

－MobilePASS

2

Why are we doing this?

• Important security measure－Passwords, even long ones, are becoming easier to

crack

• Spam－JLab occasionally sees compromised email accounts

sending spam－Affects reputation of JLab servers and we are

blacklisted－Even regular (non-spam) email is then bounced due to

the reputation of our servers

• Use of OneDrive and SharePoint opens up potential for storing sensitive data which requires MFA

• DOE is now requiring MFA on O365

• End-of-Life (EOL) for basic authentication (passwords) to O365 will end October 2020

3

Conversion Schedule (available on cc.jlab.org)

4

WEEK OF CONVERSION DIVISION(S) / GROUP(S) TRAINING SESSION SCHEDULE

October 24, 2019 IT Division, ACE, early adopters CC F224-225, 9:00AM - 10:00AM

October 29, 2019 CFO, COO, CPO CC Auditorium, 10:00AM - 11:00AM

November 5, 2019 Accelerator CC Auditorium, 10:00AM - 11:00AM

November 11, 2019 Engineering, LCLS-II CC Auditorium, 10:00AM - 11:00AM

November 19, 2019 Physics CC Auditorium, 2:00PM - 3:00PM

December 3, 2019 Facilities, ESH&Q, Theory CC F113, 10:00AM - 11:00AM

December 10, 2019 12GeV, Director's Office, DOE CC F113, 10:00AM - 11:00AM

• IT Division will email you one week prior, and the day before, with the date your division/group is being converted to MFA

• Day Of: Conversion for your group will happen prior to scheduled training session

• Log out and log back in to O365

－https://portal.office.com

• MFA configuration will begin

5

Configuration (Initial Configuration)

Configuration (Microsoft Authenticator App)

6

• Select ‘Mobile Phone’ to use the Microsoft Authenticator app

• Select ‘Receive notifications for verification’ in order to use ‘Push’ notification

to your smart phone

NOTE: Download the Microsoft Authenticator app before you begin

Configuration Options (Microsoft Authenticator App)

• Microsoft Authenticator app

－Push notification

• Message on your phone to Approve or Deny login

－PIN

• Authenticator app displays 6-digit PIN every 30 seconds

7

Configuration Continued (Text or Phone Call)

• Select ‘Authentication phone’

• Text Messaging:

－Select ‘Send me a code by text message‘ as method

－Microsoft sends a 6-digit PIN to your phone/texting device

• Phone Call:

－Microsoft will call you with the 6-digit PIN at your specified number

8

Configuration (DO NOT USE – Office Phone)

• JLab does not have Office Phones listed with your account so this will not work. Use ‘Authentication Phone’ option instead.

9

10

Configuration (Application Passwords)

• Go to ‘My account’ icon on the upper-right of O365 web

application

• Select the ‘My account’ link

• Select ‘Security & privacy’

• Select ‘Additional security verification’

Configuration (Application Passwords, continued)

• Select ‘Create and manage app passwords’ link

11

12

Configuration (Application Passwords, continued)

• Select ‘create’

• Enter Name of

application (e.g.

Thunderbird)

• Hit ‘next’

• Select ‘copy password

to clipboard’

Configuration (Application Passwords, continued)

• Application passwords are 16, random alpha-numeric characters

• Create one for each non-O365 application and/or device－e.g. Thunderbird

• Application passwords should be saved in the application's password manager

• Once used, app passwords are not available to see again－NOTE: If you forget your application

password, you will need to set up a new one

• Limited number of application passwords

13

References

• https://cc.jlab.org/o365/mfa

• ServiceNow Knowledge Base Article

• IT Division Help Desk (helpdesk@jlab.org, x7155)

14

Questions? helpdesk@jlab.org

IT Division Help Desk

757-269-7155

• What is MFA?

• Why are we doing this?

• Conversion Schedule

• Configuration Options

• Microsoft Authenticator App

• Texting messaging

• Phone call

• Application password

• References