Office 365 Multi-Factor Authentication
• Conversion Schedule
• What is MFA?
• Why are we doing this?
• What option will you use?
• Configuration Options:
• Microsoft Authenticator App
• Text messaging
• Phone call
• Application password
• References
Kelvin Edwards
Paul Letta
Conversion Schedule (available on cc.jlab.org)
DAY OF CONVERSION/TRAINING | DIVISION(S) / GROUP(S) | TRAINING SESSION SCHEDULE
October 24, 2019 | IT Division, ACE, early adopters | CC F224-225, 9:00AM - 10:00AM
October 29, 2019 | CFO, COO, CPO | CC Auditorium, 10:00AM - 11:00AM
November 5, 2019 | Accelerator | CC Auditorium, 10:00AM - 11:00AM
November 11, 2019 | Engineering, LCLS-II | CC Auditorium, 10:00AM - 11:00AM
November 19, 2019 | Physics | CC Auditorium, 2:00PM - 3:00PM
December 3, 2019 | Facilities, ESH&Q, Theory | CC F113, 10:00AM - 11:00AM
December 10, 2019 | 12GeV, Director's Office, DOE | CC F113, 10:00AM - 11:00AM
What is MFA?
• MFA = Multi-factor Authentication
• Uses two or more pieces of evidence (or factors) to authenticate
-Something you have
• (e.g. Smartcard, CryptoCard or MobilePASS)
-Something you know
• (e.g. PIN)
• Current examples:
-PIV-C Smartcard
-CryptoCard
-MobilePASS
Why are we doing this?
• Important security measure
-Passwords, even long ones, are becoming easier to crack
• Spam
-JLab occasionally sees compromised email accounts sending spam
-Affects reputation of JLab servers and we are blacklisted
-Even regular (non-spam) email is then bounced due to the reputation of our servers
• Use of OneDrive and SharePoint opens up potential for storing sensitive data which requires MFA
• DOE is now requiring MFA on O365
• Basic authentication (passwords) to O365 reaches End-of-Life (EOL) in October 2020
What option will you use?
Decide which configuration option would work best for you first:
1. Microsoft Authenticator app
2. Text Messaging
3. Phone call
4. Application passwords (e.g. Thunderbird)
IT Division recommends option #1
Configuration (Initial Configuration)
• IT Division will email you one week prior, and the day before, with the date your division/group is being converted to MFA
• Conversion for your group will happen prior to the scheduled training session
Start:
1. Log out and log back in to O365 (https://portal.office.com)
2. You are taken to single sign-on
3. MFA configuration will begin
Configuration (Choosing Your Option)
1. Mobile app:
Microsoft Authenticator app
2. Authentication phone:
Text Messaging
Phone call (e.g. office phone or alternate phone)
Click here to begin
3. NOTE: Automatic data required for ‘Office phone’ option is not currently uploaded to O365
4. Application passwords (e.g. Thunderbird)
Configuration Option 1: Microsoft Authenticator App
• Select ‘Mobile app’ to use the Microsoft Authenticator app
• Select ‘Receive notifications for verification’ in order to use ‘Push’ notification to your smartphone
Choose Mobile app
Configuration Option 1: Download Microsoft Authenticator App
• You are next presented with a unique quick response (QR) code and instructions on how to set up the Microsoft Authenticator App on your smartphone
• Download and install the Microsoft Authenticator App
Configuration Option 1: Microsoft Authenticator App
1. Allow for notifications
2. By default Microsoft collects usage data – click OK
3. Skip ‘Add personal account’
4. Skip ‘Add non-Microsoft account’
Configuration Option 1: Microsoft Authenticator App
• Select ‘Add work account’ to add your JLab O365 account
• At this point the camera on your smartphone will become active
• Place the camera over your unique QR code displayed on your computer
-The Microsoft Authenticator App will then configure and create a one-time password (OTP) token for O365
• On the computer, click Next to continue
Configuration Option 1: Microsoft Authenticator App
• Microsoft will now send you a ‘Push’ notification
-Message on your phone to Approve or Deny login
• Click Approve in the Microsoft Authenticator App
Configuration Option 1: Backup Device for Microsoft Authenticator App
• Choose a backup device to call/text to authenticate
-Alternate phone such as your office phone (not the smartphone with the App installed)
Select Country and input phone number
Configuration Option 1: Microsoft Authenticator App – Done!
• Click Done – you are finished!
Configuration Option 1: Microsoft Authenticator App – Next Login
• After you configure the Microsoft Authenticator App, you will see the Approve dialog box each time you log in
-This is telling you to approve using the Microsoft Authenticator App on your smartphone
Configuration (Extending Authentication)
• You will be prompted to stay logged in via the browser
-Select ‘No’ if on a public machine or a computer used by others
-Select ‘Yes’ if on your desktop
• Installs a cookie that extends your authentication in that browser to days or weeks
Configuration Options 2 and 3: Text or Phone Call
Select ‘Authentication phone’
1. Text Messaging:
Select ‘Send me a code by text message’ as method
Microsoft sends a 6-digit PIN to your phone/texting device
2. Phone Call:
Microsoft will call you and request that you hit # to approve your authentication
Choose Authentication phone
Notice: DO NOT USE – ‘Office phone’
• We do not have office phone data uploaded for your O365 account so this will not work. Use ‘Authentication phone’ option instead and enter your office phone number there.
DO NOT select ‘Office phone’
Configuration Option 4: Application Passwords
• Application passwords are 16 random alphanumeric characters
• Create one for each non-O365 application and/or device
-e.g. Thunderbird
• Application passwords should be saved in the application's password manager
• Once displayed, app passwords are not available to be displayed again
-NOTE: If you forget your application password, you will need to set up a new one
• Limited number of application passwords
Configuration Option 4: Application Passwords
• You must have set up one of options 1-3 FIRST. Then log in again.
• Go to ‘My account’ icon on the upper-right of O365 web application
• Select the ‘My account’ link
• Select ‘Security & privacy’
• Select ‘Additional security verification’
Configuration Option 4: Application Passwords
• Select ‘Create and manage app passwords’ link
Configuration Option 4: Application Passwords
• Select ‘create’
• Enter Name of application (e.g. Thunderbird)
• Hit ‘next’
• Select ‘copy password to clipboard’
Configuration: Changing Options Later
• Go to ‘My account’ icon on the upper-right of O365 web application
• Select the ‘My account’ link
• Select ‘Security & privacy’
• Select ‘Additional security verification’
• Select ‘Update your phone numbers used for account security’ link
Change your preferred option
References
• https://cc.jlab.org/o365/mfa
• ServiceNow Knowledge Base Article
• IT Division Help Desk ([email protected], x7155)
Questions? [email protected]
IT Division Help Desk
757-269-7155