Setting up Multi-Factor Authentication on Office 365
Sections on this page:
Multi-factor Authentication and the Microsoft Authenticator app
Multi-factor authentication is the process whereby you are asked to complete an additional authentication step when logging on to your Office 365 account. In most cases it is now necessary to use the Microsoft Authenticator mobile application to complete this secondary authentication step. This application can be easily installed on your mobile device by following the links below:
https://play.google.com/store/apps/details?id=com.azure.authenticator for Android devices
https://apps.apple.com/us/app/microsoft-authenticator/id983156458 for IOS devices (iPhones)
You can also scan one of the following QR codes using your mobile phone’s camera and this will take you directly to the relevant app store for your device. Alternatively, just search for “Microsoft Authenticator” from within your device’s application store.
Apple IOS Store for iPhones
Google Play Store for Android phones
A Microsoft guide to the Authenticator app can be found at:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/end-user/current/multi-factor-authentication-end-user-first-time
The MFA Wizard
When MFA is required for your Office 365 account you will see the following prompt when you go to log on to your account. You may be given the option of skipping the MFA setup and postponing it for up to 14 days but you will eventually have to configure MFA to continue accessing your account. To set up MFA you will need to use the Microsoft Authenticator app. Select Next to proceed with setting up MFA.
You will now be prompted to install the Microsoft Authenticator app. Once you have installed this, select Next.
Now that you have the Authenticator app installed you can proceed with adding your Office 365 account to the app. Select Next.
The screen will prompt you to open the Authenticator app on your mobile device and add your O365 account by scanning the QR code which is displayed on the screen:
Authenticator application setup:
The steps within Microsoft Authenticator may vary slightly based on your phone. Open the Authenticator app and either click on the + symbol or, if you don't see this, click on the 3 dots menu option and then select 'Add account'.
You will be asked 'What kind of account are you adding?'. Select 'Work or school account':
Now select 'Scan a QR code'. This should open the camera on your mobile device. Point the camera at the QR code on the O365 MFA setup screen and the Authenticator app should now add your O365 account.
You can now select Next on the MFA setup screen and you should be sent a notification to the Authenticator app. You will see a number displayed on the screen. You will need to enter this into the Authenticator app in order to approve the request.
Once you have approved the request with the Authenticator app you will see the following confirmation screen. Select Next.
You will now receive confirmation that you have configured MFA on your account using the Authenticator app. Select Done:
Email clients
Outlook 2016/2019/2021
Outlook 2016 onwards is capable of connecting to Office 365 accounts using 'Modern Authentication'. It will ask you for your secondary authentication (MFA) details in the same way that Outlook on the web does.
Outlook 2013 supported Modern Authentication with updates and registry changes, however these are no longer supported and an upgrade to a current version of Outlook is strongly recommended.
Others
Other email applications supporting ‘Modern Authentication’ or OAUTH2 such as Windows Mail, Thunderbird, and Apple Mail should work in a similar way to Outlook and Outlook on the web.
Any other application that cannot use 'Modern Authentication'
Older email applications that do not support ‘Modern authentication’ typically require the security of the Office 365 to be decreased. As a consequence it is recommended that these are replaced with ‘Modern Authentication’ capable applications, like Outlook On The Web.
Changing your MFA choices
You may wish to alter your MFA settings. For example, you might want to register the Authenticator App on a new phone or secondary phone. You can have up to 5 Authenticator apps registered per account.
Starting from Microsoft My Account (https://myaccount.microsoft.com/), under 'Security Info' select 'Update Info':
Make a note of the current methods listed. If you have already set up MFA on your account using the Authenticator App then you should see this listed. The phone will be listed by an internal model number which may or may not be the same as the main model name of your phone.
Select '+ Add sign-in method' and from the drop-down select 'Authenticator App':
You will then be asked which Authenticator app you’re using. The recommended choice is the Microsoft Authenticator.
Now follow the steps detailed above in the The MFA Wizard steps to set up your O365 account on the Authenticator App on your new phone.
Once you have completed the setup you will see an additional Microsoft Authenticator listed on your account's 'Security Info' page. You may wish to delete the old one for security (unless you are still using it).
Don’t ask again for 60 days
When signing into your account via a browser using Outlook on the web, you may be offered the option to “Don’t ask again for ## days”, typically 60 days. If you tick the box then you are confirming that you trust the device and application you are using to sign on to your account. Once this has been selected then you will be able to log onto your account on that device/browser for the number of days stated, without requiring secondary authentication using the Microsoft Authenticator app. It is not recommended to use this option when logging on to your O365 account on machines shared with other users as it could increase the risk of other users accessing your account. Enabling this option will not affect whether you get prompted to complete secondary authentication when signing into your account on another device, or even a different application/browser on the same device.
Stay signed in?
When you sign in to your O365 account you might also see the following pop-up asking whether you want to 'Stay signed in?'. If you select Yes then you will remain signed into your account until you explicitly sign out of your account on that device/browser. If you are signing on to your account via Outlook on the web then this means that closing the browser will not end your session and log you out of your account. It is not recommended to select this option when logging on to your O365 account on machines shared with other users as it could increase the risk of other users accessing your account.
Further help
In addition to this page we also have the following help page which includes FAQs which may help with any issues and questions you have: Multi-Factor Authentication on Office 365 Help
If you still have any issues with MFA setup which you are unable to resolve then please get in touch with our Service Desk. Please note however that should you require assistance with setting up your Office 365 account on the Outlook client or other devices, we may have to refer you to your local ICT technician.