University of Southampton

iSolutions

How to set up and manage Microsoft Multi-Factor Authentication (MFA)

This article will guide you on configuring your Multi-Factor Authentication, setting it up on your devices, managing it and setting up a second method of authentication. 

Table of Contents

1. What is Microsoft Multi-Factor Authentication (MFA)

Multi-Factor Authentication (MFA) is a new and more secure way to log in to your University accounts. This prevents fraudsters from accessing, altering, or destroying your personal and sensitive information. 

It provides an extra level of protection. When signing in, it asks you to confirm your identity with a password and a phone / tablet. Only successfully presenting two pieces of evidence you can have access to your account.

It is likely that you already use some form of multi-factor authentication if you use online banking.  

Availability

Adding a phone number for use in MFA process does not make it available as part of your contact information. MFA phone numbers are stored as protected attributes and are not visible to others.

Data usage

You will see minimal data usage when downloading the Authenticator app. There will be no to minimal impact on your daily phone data usage. If you’re worried about data usage, you can select the SMS or phone line option to authenticate your account. 

Back to the top

 

2. Why do I need Multi-Factor Authentication (MFA)

You need MFA to add an extra layer of protection to your university account.

MFA helps to defend your account against fraudsters from: 

  • Accessing

  • Altering

  • Destroying your personal data or sensitive information

How often you will be asked to authenticate 

As long as you have a University IT account, MFA is needed to keep your account secure.

You will receive a sign in approval request each time you attempt to log in. You can avoid this approval for 30 days by checking the “Do not ask again for 30 days” box.

""

Please do not remove any of your authentication methods and review them regularly to ensure they are up to date. 

Back to the top

 

3. How Multi-Factor Authentication (MFA) works 

Verification steps

Since MFA is a mandatory part of the account setup process, Microsoft will ask you to verify your credentials. You can do it doing one of the following actions:

  • Tapping 'Approve' when they see the pop-up in the Authenticator app
  • Entering a code:
    • Generated by the Microsoft Authenticator app
    • Generated by a hardware token
    • Sent to your mobile in an SMS message  
  • Pressing the # key on your telephone when using an automated phone call

After that, you will have completed your verification steps. You will have access to your app as usual.  You can check to remember your login on your device for 30 days. We recommend doing this only if you trust the device and you are sure you will be using it again. Sometimes you will need to complete a new verification step when signing in.  

We recommend using the Microsoft Authenticator app as your primary MFA solution. 

When will you have to use MFA

You will be asked to use MFA whenever you: 

  • Access any Office 365 program (such as Outlook or Teams)
  • Switch to a different browser (for example: Chrome, Firefox, Safari) to access your account
  • Use a different computer 
  • Turn on private browsing  
  • Delete cookies after closing your browser (that is because the browser uses cookies to remember who you are)
  • Do not allow cookies to be saved, or cookies are not enabled. If you need guidance on changing your cookies settings, read the article "Disable or enable cookies in your browser"

What to do if you receive an unexpected MFA notification

Please decline any unexpected MFA notification.

If you are using the Microsoft Authenticator app, please press the report button which will notify iSolutions. This action will not lock out your account and will help iSolutions fund more information about the sign in attempt.

How to recover your credentials

To back up or recover your account credentials (using Android or iOS), read the article "Back up and recover account credentials in the Authenticator app". 

Back to the top

 

4. Setting up MFA on your device

It can take up to approximately 10 minutes to set up MFA. You only need to set up MFA once but you may have to verify your identity from time to time.

You can set up MFA by using the free Microsoft Authenticator app on your mobile phone (recommended), or by receiving an SMS text message or phone call through a landline or mobile phone. 

It's not possible to use Softphones to set up MFA.

If you have a mobile device older than iOS 10 or Android 5 you will be unable to use the authenticator app. In these cases, chose the text message or phone call as a method of authentication.  

 

Setting up process

Watch the video Setting up your IT account 2022 (skip to 3’20” into the video).

Step-by-step instructions:

  1. From your desktop or laptop, go to My Sign-Ins  
  2. Log in with your University email account
  3. A dialogue window will prompt you with ‘More information required’ to keep your account secure
  4. Choose an option:
    1. Click ‘Next’ to begin MFA registration
      or
    2. Click Skip for now’ to skip MFA registration. You can skip MFA registration for no more than 14 days. After 14 days, you are required to register your account for MFA.
  5. Now you can confirm your identity using one of the authentication methods listed here below. 

Using the Microsoft Authenticator app

These instructions work both for Android and iOs devices. 

1. Download the app on your mobile device for iOS or Android

2. Now look at the screen of your computer - you should see a new window asking to start the process getting the app. Select 'Next'

""

3. If prompted, select ‘Allow Notifications’. Make sure to select 'Work or school' from the list of account types.

""

4. When prompted within the app:

  1. scan the QR code on your screen using Microsoft Authenticator App. Once the QR code is within your camera’s frame, your Authenticator app will recognize the code

    ""
    Please do not use the QR code below, use the one generated during the set-up process.

  2. From your mobile, select the "+" button
  3. Select 'Work or school account'
  4. Allow "Authenticator" to access the camera
  5. Using the Authenticator app, scan the QR Code on your computer. If you are using an iOS device and it does not allow you to scan the QR code, please change the privacy settings of you camera following the instructions in the section "I cannot scan the QR code using my iPhone / iPad"
  6. Go back to your computer and click 'Next'

5. You will then receive an approval notification on your mobile device

""

6. Select 'Approve' to confirm the setup

7. Once you approved the notification, click 'Next' in the computer browser

If you want to configure additional MFA methods (recommended) click the link ‘I want to set up a different method’ and follow the instructions in the section "Using SMS or a phone call".

""

8. You will receive a success message once you have finished the setup

""

9. Click 'Done' to complete the process

Microsoft Authenticator uses 'Push Notification' as default verification. After you complete MFA registration, you can change it to following the instructions in the page Office 365: Change the Authenticator Verification method.

 

Using SMS or a phone call

1. Select the option 'I want to set up a different method'

""

2. Select 'Phone' as the different method and click on 'Confirm'

""

3. Choose your country and enter your phone number, then select how you wish the verification to happen. This can be either an SMS message or a Phone Call (you will find the options 'Text me a code' or 'Call me'). For the example here below, we are using the SMS option.

""

4. You will then be asked to verify your method:

Using a text message (SMS) 

You will receive a text message with a (random) 6-digit code on your mobile.

In your browser window, enter the code into the 'Enter code' field and click 'Next'. 

""
  
Your phone is now registered as a method of authentication

Click 'Next' to end the process.
  
For Phone 

You will receive a call, asking you to select a Key on the phone to verify your signing.

1. Answer the phone call on your mobile phone

2. The recorded voice message will instruct you to press the # symbol on your phone's touchpad

3. After pressing the pound sign, your mobile number is successfully registered

4. Click 'Next'

Please remember that SMS or phone notifications are great as fail-back second factors. 

 

Using a token

If you don't wish to use any of the above methods, you can request a free MFA physical token (similar to a key fob) from Stores by completing the "Computer Peripheral Purchasing" form. No authorisation is needed.

Tokens are only available for members of staff and Postgraduate Research Students (PGRs). 

 

Using Evolution email

Evolution users will need to use the Evolution-EWS client to access their Office 365 email. 

iSolutions have registered Evolution-EWS as a Microsoft Azure Active Directory app registration. 

Application ID: 51e20fb2-de82-43a4-932d-cb56b81262ac

  • Tennant ID: 4a5378f9-29f4-4d3e-be89-669d03ada9d8 
  • Configuring Evolution-EWS to connect to Exchange Online 

When adding your university account to Evolution-EWS: 

  1. Enter your name and email address, uncheck Lookup mail server details and click 'Next'
  2. For Server Type, select 'Exchange Web Services'
  3. For Username, specify your email address
  4. Change Host URL to https://outlook.office365.com/EWS/Exchange.asmx
  5. Click the Fetch URL button, providing your EID password when prompted. This will result in the OAB URL field being populated, which is the address from which the client can download a copy of the Offline Address Book.
  6. Change Authentication to OAuth2 (Office365)
  7. Make sure that Override Office365 OAuth2 settings are checked and populate the Tenant ID and Application ID fields as above
  8. Finish the New Mail Account Wizard, and you will then be taken to the Microsoft 365 login screen asking you to enter your password and additional MFA verification.

 

Using Thunderbird

Setting up a new account 

When you add your university account in Thunderbird, you will need to click on the Advanced config link after it auto-detects the server settings. 

You will then need to set Thunderbird to use OAuth2 for both the IMAP and SMTP server configurations. 

"" ""
    
Once you hit 'Done', you should see the Microsoft 365 login screen pop-up asking you to enter your password and additional MFA verification. After that, it will appear a screen asking for some permissions on your Office 365 account. 

How to reconfigure an existing account 

For IMAP, click on: 

  • Incoming protocol: IMAP
  • Server hostname: outlook.office365.com
  • Port: 993
  • SSL: SSL/TLS
  • Authentication: OAuth2

For SMTP, please follow: 

  • Outgoing protocol: SMTP
  • Server hostname: smtp.office.com
  • Port: 587
  • SSL: STARTTLS
  • Authentication: OAuth2

If OAuth2 does not appear, you may need to restart Thunderbird and go back into the account settings.

 

Using an app password  

This approach is no longer fully supported by iSolutions. We recommend you choose an application that natively supports Multi-Function Authentication (for example the Evolution Linux-based mail client rather than Thunderbird). 

If you use an app password, you will be required to provide MFA on campus and will not be able to take full advantage of the current University’s security policies. 

 

What to do if you have no signal or Wi-Fi connection

For the best experience use the Microsoft Authenticator App - this offers advanced functionality including one-touch authentication approval via notifications. An additional benefit of using the App is, if you do not have a signal or wi-fi connection on your phone, the App will generate a one-time passcode which you can use instead of receiving an app notification or SMS.

Instructions:

1. When approving your sign-in request, click on the sentence "I can’t use my Microsoft Authenticator app right now

""

2. Select the option “Use a verification code

 ""

3. Now open your Authenticator app

4. Tap on the 'University of Southampton' button

""

5. You will see a one-time password. Password will change every 20 seconds

""

6. Enter the code (displayed into the Authenticator app) into the sign in window

 

Check your set-up

To check that MFA has been set up on your account or if you need to change settings go to the page My sign-ins / Security info.

You should see the authentication options you chose during set-up. If you don’t, repeat the set-up process.  

Back to the top

 

5. Setting up a second method of authentication

We strongly recommend that you set up a second method of authentication on your University IT account.

This means that if one method fails, you have another way to authenticate and you will not be locked out of your account. For example, if you lose or upgrade your device, you can still authenticate your log-in and access University IT services.

To set up a second authentication method, you need to:

  1. Login into 'MySign-Ins'  using your password
  2. Choose 'Security info'
  3. Select 'Add Method'

""

We recommend that the Microsoft Authenticator app is your primary method. As a second method, choose from either:

  • Receiving an SMS text message on your smartphone
  • Receiving a phone call through a landline or mobile phone. If you are a staff or a Postgraduate Research Student (PGR), it’s not possible to authenticate using your University-provided telephone number. 

 

How to change your default sign-in method

1. Click on 'Change' 

""
 
2. Select your favourite method

""
 
3. Click on ‘Confirm’

 

Change the phone number previously added as a second method of authentication

1. Click on 'Change

""
 
2. Enter the phone number you want to use

""
 
3. Click on 'Next': you will receive a code via SMS or a phone call to verify your identity

4. Enter your code or follow the instructions

5. Once verify your identity, a confirmation banner will appear on your page. Click on 'Done' to close the banner. 

""

 

Delete one of the existing sign-in methods

1. Click on the 'Delete' button

2. A confirmation banner will appear. Click on 'OK' to delete this method

Back to the top

 

6. Managing MFA on your device

What to do if you change your phone

If you have a new phone or device, there are 2 ways to make MFA work on your new phone:

  1. Switching your authenticator from your old device to your new one
  2. Removing your authenticator app from your old phone

Please note: you should carry out this process before you wipe your old phone.

Instructions

1. Log in to My Sign-ins / Security info

2. Enter your University email (for example: abc1ef22@soton.ac.uk) and password

3. Approve MFA prompt using your current mobile device. If your current phone is broken and you did not set up an alternative backup method, please contact ServiceLine.

4. Click on 'Security Info

""
  
5. Click on 'Add Method'  

""
  
6. Select 'Authentication App'  

""
  
7. Click 'Add'

8. On your new phone download the Microsoft Authenticator App for iOS or Android 

""
  
9. On the Microsoft Authenticator app on your phone follow the instructions to 'Add Work Account'. If prompted, allow the app to take pictures and record videos.  

This will give you the ability to scan the QR code on the next screen. 

""
  
10. Return to this screen on your computer and press 'Next

""
  
If you allow notifications, you will be able to get the pop-up 'Approve' or 'Decline' notifications. Otherwise, you will have to enter the 6-digit code each time.

11. Click 'Next'

12. Using the camera on your mobile device, scan the QR code which is displayed on the screen. 

""
  
13. On the Microsoft Authenticator app on your phone press 'Approve'. You will then see the account added to your new mobile device. 

""
  
14. Back on this screen, you will see your new device added. You can now safely delete your old device from this list.

""

 

What to do whether you lose your phone or your phone is broken

Please contact ServiceLine if:

  • you lose your phone 
  • your current phone is broken and you did not setup an alternative backup method (for example a landline number to login with MFA). 

 

Video tutorials

Back to the top

 

7. Frequently Asked Questions (FAQs) on MFA

I am travelling overseas and I have chosen to get my code by call or text. Is there anything I should know?

We recommend you change your MFA set-up and receive your code via the Microsoft Authenticator app, at least for the period you're away.

 

How to use MFA if you are going abroad

If you are leaving the country or are planning to do it, you may need to change your Multi-Factor Authentication (MFA) set up for it to work properly with no phone signal or internet connection.  

What you need to do:  

  1. Go to My Sign-Ins and check which MFA methods are associated with your account.
  2. Download “Microsoft Authenticator” app.
  3. Add “Microsoft Authenticator” app as default or second sign-in method (guidance in the section “Using the Microsoft Authenticator app”).
  4. Follow the instructions listed within the section “What to do if you have no signal or Wi-Fi connection”.

Microsoft Authenticator will generate a one-time passcode which you can use instead of receiving an app notification or SMS. This action will not use the phone network or your internet connection.  

 

Can I authenticate through my smartwatch?

Yes, however setup for smartwatches is not supported by ServiceLine. If you would like to set this up yourself please see supplier documentation for Apple, Android and Garmin watches.   

 

I am having trouble scanning the QR code at setup, what should I do?

Underneath the QR code, you will see a code that you can enter into the Microsoft Authenticator app to complete the setup.

On the QR code scanning screen in the app, pick the option 'or enter code manually', enter the code, then hit finish.

 

I cannot seem to download the MFA app

If your iPhone or iPad is using iOS 10 or below you will not be able to use the app. If it is an Android device using Android 5 or below that will also not be supported by the app.  

If you can’t download the Microsoft Authenticator App, you can use the alternative text message or phone call for authentication. 

 

I am not able to access my email account from Apple Mail after enabling MFA

MFA using Apple Mail only works on macOS Mojave or higher. Earlier versions such as 'High Sierra' do not support MFA. If this is a University provide Mac and is running High Sierra or lower, please contact ServiceLine to arrange a time for us to upgrade your system.

What you need to do to access your email account using Mac Mail:

  1. Ensure you have enabled MFA on Subscribe
  2. Removed and re-added your account within Apple Mail. If you need guidance, read the article “How to add or delete your university email account using Outlook

If you are using an iOS device, please remember that Microsoft Outlook App is the only email client supported by iSolutions.

 

I’ve enabled MFA and now I am not receiving calendar entries or emails using my Android or Apple iOS mail client

The only iSolutions supported email client on both iOS and Android devices is the Microsoft Outlook App. This will also provide the most consistent experience for accessing your University email, calendar and contacts.

Not all native email clients support MFA. If you wish to continue using the native email client on your device (Mail/Email/Gmail):

  1. Make sure your device is fully updated
  2. Then remove and re-add your University email account. If you need guidance, read the article “How to add or delete your university email account using Outlook

If you are still unable to access the account within the app, then you will need to utilise the supported Outlook App – download it from Google Play or App Store.

 

I received an email “Your email access has been blocked” using iPhones / iPads

Some iOS users may receive an automated email with the following subject and text:

  • Subject: Your email access has been blocked.
  • Body: You are receiving this message because your IT department has blocked your email access.

This could be due to temporary conditions, like your network location.

Contact ServiceLine with any questions or concerns about this email.

Additionally, the following message may appear in your Calendar app: “Calendar Invitation - Your response to the invitation cannot be sent.”

You can fix the issue removing and re-adding the account will resolve these errors.

 

I cannot scan the QR code using my iPhone / iPad

When you choose to scan the QR code, your device can come up asking for a URL. In this case, you need to allow the Authenticator app access to the camera.

You can do it following these steps:

  1. Go to settings
  2. Select ‘Privacy’
  3. Select ‘Camera’
  4. You will now see which apps have access to the camera: unlock Authenticator

Now you can go back to Microsoft Authenticator App and scan the QR code again.

 

My desk phone number is automatically there when I look at my MFA devices, why?

This information is automatically populated as part of data synchronisation between university systems. You can safely ignore this.

 

How to use the Microsoft Authentication App in China

If you have the app installed on your mobile device you will be able to use Microsoft Authenticator to receive a verification code, but the push notification (Approve/Reject) is not supported.  

Android

If you are using an Android phone you will need to visit the Lenovo, Huawei or Samsung Galaxy Store.  You can find up-to-date information about the Microsoft Authenticator App at the page "Microsoft Authenticator availability and limitations for Android in China".

iPhone

If you are using an iPhone you need to visit the app store and download the app. 

 

What do I do when I receive my MFA authentication token?

When you have received your MFA Token you will need to complete the following steps:

Step 1 - Inform iSolutions that your token has arrived

iSolutions need to know that you have received your token. To do that, please:

  1.  Login to the ServicePortal
  2. Select the button "My Enquiries"
  3. Select the Computer Peripheral Purchasing ticket (this is your order for the token)
  4. Please type in your message to say you have received your token and send

iSolutions will set up your token within 5 days. You will then receive an email notification to say that your ticket has been closed and your token is ready to use.

Step 2 - Reboot your computer on receipt of your email

  1. Reboot (switch off and start again immediately) your computer when you receive notification that your ticket has been closed. Rebooting is important at this point as failure to do so may cause a delay in incoming email in your inbox
  2. You will be prompted to use your token when accessing applications which use MFA (for example: Global Protect (VPN), Office 365, Outlook etc)
  3. When you are logging in you will be prompted for a code:
    1. Press the on button
    2. Enter the 6 digit code from the token
    3. Each code lasts for 30 seconds and the bar on the left of the screen count down.

Step 3 - Set up a secondary method of authentication

To set up a second method of authentication, please follow the instructions in the chapter "Setting up a second method of authentication".

 

I have lost my MFA token, what do I do?

We can only allocate 1 token per person. This token is linked to your IT account.

If it is lost, stolen or needs to be replaced, please raise a ticket with ServiceLine through the Request Form. Service Line will decommission the existing token and re-issue a new one.

Back to the top

 

8. How to get help

If you need any other help with MFA or setting up a second method, please contact ServiceLine.  

The phone lines are open from 08:30 – 18:00 Monday – Friday, each day the University is open. 

Contacts

  • Calling from a University phone: dial 25656  
  • Calling from the Southampton General Hospital (SGH) site: dial 73-25656
  • If you are calling from a non-university phone: 
  • From the UK: dial 023 8059 5656  
  • From abroad: dial +44 (0)23 8059 5656  
  • Email ServiceLine through the Request Form

Back to the top

 

Related content

Subscribe

Setting up your IT account 2022 (Video)

How to add or remove your university email account using Outlook

Disable or enable cookies in your browser

Attached files:

Was this article helpful?

If you have any further comments, please put them below.

Please note that feedback is anonymous - if you require a reply or assistance, please raise a ticket via ServiceLine.


Thank you for your feedback, it is much appreciated.

Tweet This Article

Back to List

We use cookies to ensure that we give you the best experience on our website. If you continue without changing your settings, we will assume that you are happy to receive cookies on the University of Southampton website.

×