
Post on 22-May-2020

Office 365 Multi-Factor Authentication

• Conversion Schedule

• What is MFA?

• Why are we doing this?

• What option will you use?

• Configuration Options:

• Microsoft Authenticator App

• Text messaging

• Phone call

• Application password

• References

Kelvin Edwards

Paul Letta

Conversion Schedule (available on cc.jlab.org)

DAY OF CONVERSION/TRAINING | DIVISION(S) / GROUP(S) | TRAINING SESSION SCHEDULE

October 24, 2019 | IT Division, ACE, early adopters | CC F224-225, 9:00AM - 10:00AM

October 29, 2019 | CFO, COO, CPO | CC Auditorium, 10:00AM - 11:00AM

November 5, 2019 | Accelerator | CC Auditorium, 10:00AM - 11:00AM

November 11, 2019 | Engineering, LCLS-II | CC Auditorium, 10:00AM - 11:00AM

November 19, 2019 | Physics | CC Auditorium, 2:00PM - 3:00PM

December 3, 2019 | Facilities, ESH&Q, Theory | CC F113, 10:00AM - 11:00AM

December 10, 2019 | 12GeV, Director's Office, DOE | CC F113, 10:00AM - 11:00AM

What is MFA?

• MFA = Multi-factor Authentication

• Uses two or more pieces of evidence (or factors) to authenticate

-Something you have (e.g. Smartcard, CryptoCard or MobilePASS)

-Something you know (e.g. PIN)

• Current examples:

-PIV-C Smartcard

-CryptoCard

-MobilePASS

Why are we doing this?

• Important security measure

-Passwords, even long ones, are becoming easier to crack

• Spam

-JLab occasionally sees compromised email accounts sending spam

-Affects reputation of JLab servers and we are blacklisted

-Even regular (non-spam) email is then bounced due to the reputation of our servers

• Use of OneDrive and SharePoint opens up potential for storing sensitive data, which requires MFA

• DOE is now requiring MFA on O365

• Basic authentication (passwords) to O365 reaches End-of-Life (EOL) in October 2020

What option will you use?

Decide which configuration option would work best for you first:

1. Microsoft Authenticator app

2. Text Messaging

3. Phone call

4. Application passwords (e.g. Thunderbird)

IT Division recommends option #1

Configuration (Initial Configuration)

• IT Division will email you one week prior, and the day before, with the date your division/group is being converted to MFA

• Conversion for your group will happen prior to the scheduled training session

Start:

1. Log out and log back in to O365 (https://portal.office.com)

2. You are taken to single sign-on

3. MFA configuration will begin

Configuration (Choosing Your Option)

1. Mobile app:

Microsoft Authenticator app

2. Authentication phone:

Text Messaging

Phone call (e.g. office phone or alternate phone)

Click here to begin

3. NOTE: Automatic data required for ‘Office phone’ option is not currently uploaded to O365

4. Application passwords (e.g. Thunderbird)

Configuration Option 1: Microsoft Authenticator App

• Select ‘Mobile app’ to use the Microsoft Authenticator app

• Select ‘Receive notifications for verification’ in order to use ‘Push’ notification to your smart phone

Choose Mobile app

Configuration Option 1: Download Microsoft Authenticator App

• You are next presented with a unique quick response (QR) code and instructions on how to set up the Microsoft Authenticator App on your smartphone

• Download and install the Microsoft Authenticator App

Configuration Option 1: Microsoft Authenticator App

1. Allow for notifications

2. By default Microsoft collects usage data – click OK

3. Skip ‘Add personal account’

4. Skip add ‘non-Microsoft account’

Configuration Option 1: Microsoft Authenticator App

• Select ‘Add work account’ to add your JLab O365 account

• At this point the camera on your smartphone will become active

• Place the camera over your unique QR code displayed on your computer

-The Microsoft Authenticator App will then configure and create a one-time password (OTP) token for O365

• On the computer, click Next to continue

Configuration Option 1: Microsoft Authenticator App

• Microsoft will now send you a ‘Push’ notification

-Message on your phone to Approve or Deny login

• Click Approve in the Microsoft Authenticator App

Configuration Option 1: Backup Device for Microsoft Authenticator App

• Choose a backup device to call/text to authenticate

-Alternate phone such as your office phone (not the smartphone with the App installed)

Select Country and input phone number

Configuration Option 1: Microsoft Authenticator App – Done!

• Click Done – you are finished!

Configuration Option 1: Microsoft Authenticator App – Next Login

• After you configure the Microsoft Authenticator App, you will see the Approve dialog box each time you log in

-This is telling you to approve using Microsoft Authenticator App on your smartphone

Configuration (Extending Authentication)

• You will be prompted to stay logged in via the browser

-Select ‘No’ if on a public machine or a computer used by others

-Select ‘Yes’ if on your desktop

• Installs a cookie that extends your authentication in that browser to days or weeks

Configuration Options 2 and 3: Text or Phone Call

Select ‘Authentication phone’

1. Text Messaging:

Select ‘Send me a code by text message’ as method

Microsoft sends a 6-digit PIN to your phone/texting device

2. Phone Call:

Microsoft will call you and request that you hit # to approve your authentication

Choose Authentication phone

Notice: DO NOT USE – ‘Office phone’

• We do not have office phone data uploaded for your O365 account so this will not work. Use ‘Authentication phone’ option instead and enter your office phone number there.

DO NOT select ‘Office phone’

Configuration Option 4: Application Passwords

• Application passwords are 16 random alphanumeric characters

• Create one for each non-O365 application and/or device

-e.g. Thunderbird

• Application passwords should be saved in the application's password manager

• Once displayed, app passwords are not available to be displayed again

-NOTE: If you forget your application password, you will need to set up a new one

• Limited number of application passwords

Configuration Option 4: Application Passwords

• You must have set up one of options 1-3 FIRST. Then log in again.

• Go to ‘My account’ icon on the upper-right of O365 web application

• Select the ‘My account’ link

• Select ‘Security & privacy’

• Select ‘Additional security verification’

Configuration Option 4: Application Passwords

• Select ‘Create and manage app passwords’ link

Configuration Option 4: Application Passwords

• Select ‘create’

• Enter Name of application (e.g. Thunderbird)

• Hit ‘next’

• Select ‘copy password to clipboard’

Configuration: Changing Options Later

• Go to ‘My account’ icon on the upper-right of O365 web application

• Select the ‘My account’ link

• Select ‘Security & privacy’

• Select ‘Additional security verification’

• Select ‘Update your phone numbers used for account security’ link

Change your preferred option

References

• https://cc.jlab.org/o365/mfa

• ServiceNow Knowledge Base Article

• IT Division Help Desk ([email protected], x7155)

Questions? [email protected]

IT Division Help Desk

757-269-7155
