MFA Setup and Process Overview

Summary

MFA authentication options and setup instructions

Body

What is Multi-factor Authentication (MFA)?

Multi-factor authentication, also known as two-factor authentication, is a form of authentication which provides an added layer of account protection, beyond just your password. This additional authentication helps verify a person logging into an account is authorized to access that account and greatly increases security protection of your account.


Sections

Authentication Instructions - using the Microsoft Authenticator app

MFA Setup Process

Android - Set up Microsoft Authenticator App

iPhone (iOS) - Set up Microsoft Authenticator App

Call/Text - Set up Authentication Phone Number

Add or Change Alternate Sign-in methods

Choose an Alternate Sign-In Verification Option

Changing Phone or Changing Phone Number


Instructions: Authenticating into Microsoft 365 using the Microsoft Authenticator app with number matching

Those using the Microsoft Authenticator app with Minnesota State Microsoft 365 services and connected applications use number matching for all MFA requests. Number matching helps ensure that the person requesting access into an account is the same person approving the sign in on a device.

  1. Sign into Microsoft 365 with your StarID username and password
    • Students: StarID@go.minnstate.edu
    • Employee: StarID@minnstate.eduUploaded Image (Thumbnail)
  2. The "Approve sign in request" window will appear with a 2-digit number. Uploaded Image (Thumbnail)
  3. Open your Microsoft Authenticator app and enter the 2-digit number and press YesUploaded Image (Thumbnail)

Important notes related to Microsoft Authenticator app with number matching:

  • Number matching requires the latest version of the Microsoft Authenticator app. Check the Google Play Store or Apple App Store for the latest update.
  • Number matching is not supported by Apple Watches.
  • Never approve sign in requests that you did not request or expect.

MFA Setup Process

All new accounts are automatically enrolled in multi-factor authentication. You will be prompted to complete MFA setup when you sign in to your email for the first time.

To prepare for setup, you will need to have a computer to sign in to your account and a mobile device with the Microsoft Authenticator app installed.

To help ensure you are not locked out of your account, it is important to set up one or more alternate options in the event you do not have access to your primary phone, for instance if:

  • You do not have immediate access to your primary authentication phone
  • Your phone battery is dead
  • Your primary phone device is lost, stolen or damaged
  • You get a new phone and no longer have your original primary phone number

You can find instructions for adding alternate MFA options in the section Add or Change Alternate Sign-in methods

If you are a student and staff (at the same or different institutions) your student MFA will be different than staff MFA and need to be setup separately. The Microsoft Authenticator app supports multiple MFA accounts. If you are a student at multiple institutions or staff at multiple institutions, you only need to setup MFA once for the student accounts or once for the staff accounts.

Should you encounter "Allow my organization to manage my device" it is recommended not to select this option.

Uploaded Image (Thumbnail)

None of your personal information is stored in or accessed by the Microsoft Authenticator app. It's design and purpose is solely as an authentication utility.


Android - Set up Microsoft Authenticator app

Steps to set up the Microsoft Authenticator app on your Android mobile device.

  • You will need both your Android mobile device and a computer to complete the setup.
  1. On your Android mobile device, go to the Play Store to download, install, and open the Microsoft Authenticator app.
    • Accept the Privacy Statement, Continue past "Help us improve Microsoft Authenticator"Uploaded Image (Thumbnail)
  2. If asked to "Sign in with Microsoft" select Skip at the top right of the appUploaded Image (Thumbnail)
  3. At the Authenticator home screen, tap "Add Account" at the bottom or the "+" symbol at the top rightUploaded Image (Thumbnail)
  4. Select "Work or school account" then Scan a QR code.
    • Tap Allow if prompted to "Allow Authenticator to take pictures and record video?"Uploaded Image (Thumbnail) Uploaded Image (Thumbnail) Uploaded Image (Thumbnail)
  5. Switch to your computer
    • Browse to the Microsoft Security Info page at https://aka.ms/mfasetup
      • You can also go to your Metro State email
    • Sign in with your username and StarID password
      • Student username: StarID@go.minnstate.edu
      • Employee username: StarID@minnstate.edu
    • Click Next on the prompt "More information required"Uploaded Image (Thumbnail)
  6. On the Keep your account secure page
    • Under Start by getting the app, click NextUploaded Image (Thumbnail)
    • Under Set up your account, click NextUploaded Image (Thumbnail)
    • You will now be at the Scan the QR code page, which shows the QR codeUploaded Image (Thumbnail)
  7. Switch to your Android device
    • Using the Microsoft Authenticator app, scan the QR code shown on the computer
    • After scanning the QR code, you will see an account named MNSCU with your StarIDUploaded Image (Thumbnail)
  8. Switch to your computer
    • On the Scan the QR code page, click Next
    • The next page will say "Microsoft Authenticator. Let's try it out" and show a 2-digit number.
    • A notification will be sent to your Android deviceUploaded Image (Thumbnail)
  9. Switch to your Android device
    • Open the Microsoft Authenticator app (or tap on the notification received)
    • You will be asked "Are you trying to sign in?" and prompted to enter the 2-digit number shown on the computer
    • Enter the number and tap YesUploaded Image (Thumbnail)
  10. Switch to your computer
    • You will see "Notification Approved." Click NextUploaded Image (Thumbnail)
    • You will see "Success" and a list of your MFA sign-in methods. Click DoneUploaded Image (Thumbnail)
  11. You may see a prompt to "Stay signed in?" on the computer. Click YesUploaded Image (Thumbnail)
  12. You have finished setting up MFA on your Android mobile device.

Information Security:

What should I do when I get a verification request I don’t recognize?

If you receive approval requests for access to your Office 365 and you are not actively signing in to Minnesota State O365 connected applications (in other words you did not just attempt to log in to your O365 account using your Minnesota State O365 login credentials) then deny the access.

Stay Vigilant:

  • You will not be prompted by MFA without your attempt to log in. MFA verification will never prompt you first. Do not approve or take action on any prompts if you are not logging into your account.
  • No one, including IET Services, Metropolitan State University, Minnesota State Colleges or Universities, or other entities which may appear to be related, will ever contact or prompt you to ask you to “approve” an MFA notification or ask for a verification code.  
  • Do not press # key for verification or enter verification code if you receive a voice call on your mobile device, office, or alternate phone. Ensure your spouse or trusted family doesn’t automatically enter the key(s) without checking with you first.

iPhone - Set up Microsoft Authenticator app

Steps to set up the Microsoft Authenticator app on your iPhone.

  • You will need both your iPhone and a computer to complete the setup.
  1. On your iPhone, go to the App Store to download, install, and open the Microsoft Authenticator app.
    • Accept the Privacy Statement, Continue past "Help us improve Microsoft Authenticator"Uploaded Image (Thumbnail)
  2. If asked to "Sign in with Microsoft" select Skip at the top right of the appUploaded Image (Thumbnail)
  3. At the Authenticator home screen, tap "Add Account" at the bottom or the "+" symbol at the top rightUploaded Image (Thumbnail)
  4. Select "Work or school account" the Scan a QR code
    • Tap OK if prompted "'Authenticator' Would Like to Access the Camera"Uploaded Image (Thumbnail) Uploaded Image (Thumbnail) Uploaded Image (Thumbnail)
  5. Switch to your computer
    • Browse to the Microsoft Security Info page at https://aka.ms/mfasetup
      • You can also go to your Metro State email
    • Sign in with your username and StarID password
      • Student username: StarID@go.minnstate.edu
      • Employee username: StarID@minnstate.edu
    • Click Next on the prompt "More information required"Uploaded Image (Thumbnail)
  6. On the Keep your account secure page
    • Under Start by getting the app, click NextUploaded Image (Thumbnail)
    • Under Set up your account, click NextUploaded Image (Thumbnail)
    • You will now be at the Scan the QR code page, which shows the QR codeUploaded Image (Thumbnail)
  7. Switch to your iPhone
    • Using the Microsoft Authenticator app, scan the QR code shown on the computer
    • After scanning the QR code, you will see an account named MNSCU with your StarIDUploaded Image (Thumbnail)
  8. Switch to your computer
    • On the Scan the QR code page, click Next
    • The next page will say "Microsoft Authenticator. Let's try it out" and show a 2-digit number.
    • A notification will be sent to your iPhoneUploaded Image (Thumbnail)
  9. Switch to your iPhone
    • Open the Microsoft Authenticator app (or tap on the notification received)
    • You will be asked "Are you trying to sign in?" and prompted to enter the 2-digit number shown on the computer
    • Enter the number and tap YesUploaded Image (Thumbnail)
  10. Switch to your computer
    • You will see "Notification Approved." Click NextUploaded Image (Thumbnail)
    • You will see "Success" and a list of your MFA sign-in methods. Click DoneUploaded Image (Thumbnail)
  11. You may see a prompt to "Stay signed in?" on the computer. Click YesUploaded Image (Thumbnail)
  12. You have finished setting up MFA on your iPhone.

Information Security:

What should I do when I get a verification request I don’t recognize?

If you receive approval requests for access to your Office 365 and you are not actively signing in to Minnesota State O365 connected applications (in other words you did not just attempt to log in to your O365 account using your Minnesota State O365 login credentials) then deny the access.

Stay Vigilant:

  • You will not be prompted by MFA without your attempt to log in. MFA verification will never prompt you first. Do not approve or take action on any prompts if you are not logging into your account.
  • No one, including IET Services, Metropolitan State University, Minnesota State Colleges or Universities, or other entities which may appear to be related, will ever contact or prompt you to ask you to “approve” an MFA notification or ask for a verification code.  
  • Do not press # key for verification or enter verification code if you receive a voice call on your mobile device, office, or alternate phone. Ensure your spouse or trusted family doesn’t automatically enter the key(s) without checking with you first.

Set up Authentication Phone Number

Steps to set up an authentication phone number (call or text).

  • Using the Microsoft Authenticator app is the preferred MFA method. It is more secure than using a phone call or text message.
  • You will need both access to the phone and a computer to complete the setup
  1. On your computer
    • Browse to the Microsoft Security Info page at https://aka.ms/mfasetup
      • You can also go to your Metro State email
    • Sign in with your username and StarID password
      • Student username: StarID@go.minnstate.edu
      • Employee username: StarID@minnstate.edu
    • Click Next on the prompt "More information required"Uploaded Image (Thumbnail)
  2. On the "Keep your account secure" page
    • Use the link at the bottom of the window "I want to set up a different method"Uploaded Image (Thumbnail)
  3. Under Choose a different method, select Phone and click ConfirmUploaded Image (Thumbnail)
  4. Enter your phone number and select either "Text me a code" or "Call me" and click Next
    • If you select Call me, you will receive a phone call. 
      • After a brief message, you will press "#" to approve the sign in
    • If you select Text me a code, a 6-digit code will be sent to your phoneUploaded Image (Thumbnail)
  5. Enter the code sent in a text message to your phone. Click NextUploaded Image (Thumbnail)
  6. The phone is now verified. Click Next.Uploaded Image (Thumbnail)
  7. On the Success! page, click DoneUploaded Image (Thumbnail)
  8. You may see a Stay signed in? prompt. Click YesUploaded Image (Thumbnail)

Information Security

What should I do when I get a verification request I don’t recognize?

If you receive approval requests for access to your Office 365 and you are not actively signing in to Minnesota State O365 connected applications (in other words you did not just attempt to log in to your O365 account using your Minnesota State O365 login credentials) then deny the access.

Stay Vigilant:

  • You will not be prompted by MFA without your attempt to log in. MFA verification will never prompt you first. Do not approve or take action on any prompts if you are not logging into your account.
  • No one, including IET Services, Metropolitan State University, Minnesota State Colleges or Universities, or other entities which may appear to be related, will ever contact or prompt you to ask you to “approve” an MFA notification or ask for a verification code.  
  • Do not press # key for verification or enter verification code if you receive a voice call on your mobile device, office, or alternate phone. Ensure your spouse or trusted family doesn’t automatically enter the key(s) without checking with you first.

Add or Change Alternate Sign-In Methods

Steps to add new sign in methods or change existing methods

  • It is recommended to have more than one MFA method in the event one is unavailable.
  • You will need to set up alternate MFA methods if changing phones or phone number
  • These instructions assume you are making changes to your MFA account (that you have previously set up MFA)
  1. On your computer
    • Browse to the Microsoft Security Info page at https://aka.ms/mfasetup
    • Sign in with your username and StarID password
      • Student username: StarID@go.minnstate.edu
      • Employee username: StarID@minnstate.eduUploaded Image (Thumbnail)
  2. Click "Add sign-in method"
    • Select the new method and click AddUploaded Image (Thumbnail) Uploaded Image (Thumbnail)
  3. Follow the steps for setting up the Microsoft Authenticator app or authentication phone number
  4. To change your default (primary) MFA method click Change to the right of the Default sign-in method
    • Select the new default and click ConfirmUploaded Image (Thumbnail)
  5. To delete an MFA method, click Delete next to the method you want removed.Uploaded Image (Thumbnail)

Choose an Alternate Sign-In Verification Option

How to use an alternate verification during sign-in

  • In the event you do not have the primary MFA method during sign in, you can select one of your alternates (if one has been setup)
  1. Sign into your Microsoft 365 account. 
    • For example, Metro State email
      • Student username: StarID@go.minnstate.edu
      • Employee username: StarID@minnstate.eduUploaded Image (Thumbnail)
  2. At the MFA verification screen, click "I can't use my Microsoft Authenticator app right now" or "Sign in another way"Uploaded Image (Thumbnail) 
  3. Select one of the alternate MFA methods, such as text message or phone call.Uploaded Image (Thumbnail)

New Phone or Phone Number Change

Steps to take when changing to a new phone number or a new mobile device

  • When you know ahead of time that you will be getting a new phone number or a new mobile device, there are steps to take to avoid needing to reset MFA, which is time consuming and will prevent access to your account.
  • In general, having an alternate MFA method unrelated to the phone number or device being changed will prevent losing access to your account
    • For example, add an alternate sign-in method using the phone number of a trusted family member or friend.
    • After setting up your new device, remove their phone number from your list of MFA methods

Changing phone number but not device

Changing device but not phone number

Changing device and phone number

  • Add the Microsoft Authenticator app to a different mobile device, such as a tablet, or add the phone number of a trusted family member or friend to your alternate sign-in methods
  • When you have the new device and the new phone number is active, add the Microsoft Authenticator app and the new phone number to your alternate sign-in methods
    • Delete your old phone number, old mobile device, and the phone number of a trusted family member or friend from your list of MFA methods.

If these actions are not taken prior to a changing phone numbers or changing mobile devices and you are locked out of your account please contact IET Service Desk for assistance.

Details

Details

Article ID: 143432
Created
Mon 1/23/23 1:17 PM
Modified
Wed 3/20/24 12:32 PM

Related Articles

Related Articles (1)

View MFA supported applications.