Use Microsoft Authenticator with Office 365

If your organization is using 2-step verification for Office 365, the easiest verification method to use is Microsoft Authenticator. It’s just one click instead of typing in a 6-digit code. And if you travel, you won’t incur roaming fees when you use it.

Download and install Microsoft Authenticator app

https://i2.wp.com/is5.mzstatic.com/image/thumb/Purple128/v4/c1/2f/06/c12f06f4-b2b5-6ed7-3acd-3bf8759a92d5/source/175x175bb.jpg https://i2.wp.com/www.androidpolice.com/wp-content/uploads/2016/08/nexus2cee_MS-auth-hero.pnghttps://www.windowscentral.com/sites/wpcentral.com/files/styles/xlarge/public/field/image/2016/06/microsoft-authenticator-1.png?itok=4dPmJ7iL https://www.thurrott.com/wp-content/uploads/2016/07/auth-apps-1024x576.jpg

Set up the Microsoft Authenticator app

Step 1: Choose the mobile app

Open a browser on your computer and go to portal.office.com. Sign in to your Office 365 for business account.

Use these steps if you see this screen:

Click Set it up now.

  1. Click Set it up now.
  2. Choose Mobile app from the dropdown.
  3. Make sure “Receive notifications for verifications” is selected. Click Set up.

Use these steps if you see this screen:

Choose Settings

  1. Choose Settings Office 365 Settings button > Office 365.
  2. Choose Security & Privacy > Additional security verification > Update my phone numbers used for account security.
  3. In the drop down box under What’s your preferred option, choose Notify me through app.
  4. Check the box for Microsoft Authenticator app, click Configure.

Step 2: Wait for configuration pop-up box.

You should see a window on your computer that looks like this.

Follow the steps on your screen.

Step 3: Add account to Microsoft Authenticator

  1. Open the Microsoft Authenticator app on your phone.

  2. Tap the + > Work or school account.
  3. Use your phone to scan the QR square that is on your computer screen.

    Note: If you can’t use your phone camera, you’ll have to manually enter the 9 digit code and the URL.

  4. Your account will be added automatically to the app and will display a six-digit code.
Tap the + sign int the Azure Authenticator app.

Step 4: Confirm activation status on your computer

  1. Switch back to your computer and click Done.
  2. Now wait for the Checking activation status text to finish configuring your phone.
  3. When it’s complete, you’ll be able to click the Contact me button on the right.

    Note: If configuration fails, just delete retry the previous steps again.

Click Contact Me

Step 5: Approve sign in on your phone

  1. Switch back to your phone and you’ll see a notification for a new sign in.

  2. Go to the Microsoft Authenticator app.
  3. Tap Approve to allow it.
Tap Approve to allow sign in.

Step 6: Finish set up

  1. Back on the computer, follow any prompts that you might see such as adding a mobile number.

  2. You’re good to go!

From now on, whenever you have a new sign in or add your Office 365 work or school account to an app, you’ll open the Authenticator app on your phone and tap Approve.

Checkmark

Configuring Multi-Factor Authentication on Client/ User side

After you have enabled MFA on your tenant, your users can follow these instructions to set up their second sign-in method for Office 365:

Step 1: Set up 2-step verification for Office 365

Once your admin enables your organization with 2-step verification (also called multi-factor authentication), you have to set up your account to use it.

By setting up 2-step verification, you add an extra layer of security to your Office 365 account. You sign in with your password (step 1) and a code sent to your phone (step 2).

  1. Sign in to Office 365 with your work or school account with your password like you normally do. After you choose Sign in, you’ll see this page:

    First Sign in screen

  2. Choose Set it up now.
  3. Select your authentication method and then follow the prompts on the page. Or, watch the video to learn more.

    Choose your authentication method and then follow the prompts on the screen.

  4. Once you complete the instructions to specify how you want to receive your verification code, the next time you sign in to Office 365, you’ll be prompted to enter the code that is sent to you by text message, phone call, etc.

    To have a new code sent to you, press F5.

    When you sign in with 2-step verification, you'll be prompted for a code.

We strongly recommend setting up more than one verification method. For example, if you travel a lot, consider setting up Microsoft Authenticator for your verification method. It’s the easiest verification method to use, and a way to avoid text or call charges.

Step 2: Create an app password for Office 365

An app password is a code that gives an app or device permission to access your Office 365 account.

If your admin has turned on set up 2-step verification for your organization, and you’re using apps that connect to your Office 365 account, you’ll need to generate an app password so the app can connect to Office 365. For example, if you’re using Outlook 2016 or earlier with Office 365, you’ll need to create an app password.

  1. Check whether your Office 365 admin has turned on 2-step verification for your account. If they haven’t, when you try to do these steps you won’t see the options in Office 365.
  2. If you haven’t already done so, set up your account to use 2-step verification.
  3. Sign in to Office 365 using your password and verification code.
  4. Choose Settings Office 365 Settings button > Office 365.
  5. Choose Security & Privacy > Additional security verification.

    Choose Additional security verification.

  6. Choose Update my phone numbers used for account security. This will display the following page:

    Choose app passwords

  7. At the top of the page, choose App Passwords.
  8. Choose create to get an app password.
  9. If prompted, type a name for your app password, and click Next.
  10. Choose copy password to clipboard. You won’t need to memorize this password.

    Choose copy to your clipboard.

    Tip: If you create another app password, you’ll be prompted to name it. For example, you might name it “Outlook.”

  11. Go to the app that you want to connect to your Office 365 account. When prompted to enter a password, paste the app password in the box.

To use the app password in Outlook

You’ll need to do these steps once.

  1. Open Outlook, such as Outlook 2010, 2013, or 2016.
  2. Wherever you’re prompted for your password, paste the app password in the box. For example, if you’ve already added your account to Outlook, when prompted paste the app password here:

    Paste your app password in the Password box.

  3. Or, if you’re adding your Office 365 account to Outlook, enter your app password here:

    Enter your app password in both Password boxes.

  4. Restart Outlook.

Step 3: Change how you get 2 step verification

Depending on how your Office 365 admin set up 2-step verification for your organization, you might be able to change how you get your codes.

Tip: Before you can do these steps, your admin needs to set up multi-factor authentication for your account.

  1. Sign in to Office 365 using your password and verification code.
  2. Choose Settings Office 365 Settings button > Office 365.
  3. Choose Security & Privacy > Additional security verification.
  4. Choose Update my phone numbers used for account security. This will display the following page:

    additional security verification page

  5. Choose how you want to get your verification code. Although all options are listed, your admin may not make them all available; you’ll get a message if you choose one your admin didn’t enable.
  6. Follow the prompts on the page.

Configure Multi-Factor Authentication (MFA) for Office 365 users

Set up multi-factor authentication in the Office 365 admin center

  1. Go to the Office 365 admin center.
  2. Navigate to Users > Active users.

    Active users in Office 365 admin center

  3. In the Office 365 admin center, click More > Setup Azure multi-factor auth.

    Set up multifactor authentication

  4. Find the user or users who you want to enable for MFA. In order to see all the users, you might need to change the Multi-Factor Auth status view at the top.

    The views have the following values based on the MFA state of the users:

    • Any    Displays all users. This is the default state
    • Enabled    The user has been enrolled in multi-factor authentication, but has not completed the registration process. They will be prompted to complete the process the next time they sign in.
    • Enforced    The user may or may not have completed registration. If they have completed the registration process then they are using multi-factor authentication. Otherwise, the user will be prompted to complete the process at next sign-in.
  5. Check the check box next to the users you want to enable.

    Users selected for MFA.

  6. On the right user info pane, under quick steps you’ll see Enable and Manage user settings. Choose Enable.
  7. In the dialog box that opens, click enable multi-factor auth.

Allow MFA users to create App Passwords for Office client applications

Important: App passwords are not supported for Office 365 operated by 21Vianet.

Multi-factor authentication is enabled per user. This means that if a user is enabled for multi-factor authentication and they are attempting to use non-browser clients, such as Outlook 2013 with Office 365, they will be unable to do so. An app password allows this to occur. An app password, is a password that is created within the Azure portal that allows the user to bypass the multi-factor authentication and continue to use their application.

All the Office 2016 client applications support multi-factor authentication through the use of the Active Directory Authentication Library (ADAL). This means that app passwords are not required for Office 2016 clients. However, if you find that this is not the case, make sure your Office 365 subscription is enabled for ADAL. Connect to Exchange Online PowerShell and run the Get-OrganizationConfig | Format-Table name, *OAuth* command.

If you need to enable it, run Set-OrganizationConfig -OAuth2ClientProfileEnabled:$true .

  1. Go to the Office 365 admin center.
  2. Navigate to Users > Active users. Your screen should look like one of the following:

    Active users in Office 365 admin center

  3. In the Office 365 admin center, click More > Setup Azure multi-factor auth.

    Set up multifactor authentication

  4. In the multi-factor authentication page, choose service settings.

    MFA service settings.

  5. Under app passwords, choose Allow users to create app passwords to sign into non-browser applications.

    This allows users to use client Office applications, but they will have to enter a password of their choosing first.

  6. Click Save, and then Close.
Manage MFA user settings
  1. In the multi-factor authentication page, check the box next to the user or users you want to manage.
  2. In the user info pane on the right, you’ll see two options: Enable and Manage user settings. Choose Manage User settings.
  3. In the Manage user settings dialog, check one or more of the options: Require selected users to provide contact methods again, Delete all existing app passwords generated by the selected users, or Restore Multi-Factor Authentication on all remembered devices.
  4. Click Save.
Bulk-update users in MFA

You can bulk update the status for existing users using a CSV file. The CSV file will be used only for enabling or disabling multi-factor authentication based on the user names present in the file. It is not used to create new users.

  1. In the multi-factor authentication page, click bulk update.
  2. Browse for the file that contains the updates. The column headings in your file must match the column headings in the following example:

    bulk update CSV sample file