Multi-factor authentication (MFA) in Microsoft 365
1. General Information
2. Multi-Factor Authentication (MFA) Setup
2.1 SMS
2.2 Microsoft Authenticator
2.3 Other Authentication Applications (Google Authenticator, etc.)
2.4 Security Key
2.5 Windows Hello
3. I don’t have MFA set up and now it’s already required – what about that?
4. FAQs
5. Information Sources
- We strongly recommend setting up more than one MFA verification method for Microsoft 365 (ideally via SMS and Microsoft Authenticator app).
- Do not delete the configured account in the authentication app on your mobile phone and do not uninstall the app; you will need them repeatedly.
- MFA configured within M365 can also be used to log into InSIS (by clicking the “Microsoft 365 Account (VŠE)” button on the InSIS login page), but not vice versa.
1. General Information
Multi-factor authentication is a way to effectively increase security on your account and prevent data leakage and loss if your access data is compromised (it is not sufficient for the attacker to know only your password and username). In addition, as part of the information infrastructure, VŠE is expanding the possibilities of the so-called Single sign-on (SSO), which in practice means that you log in to one of the systems on a particular device and then it is no longer necessary to enter your access data to log in to another system (not applicable to all of them, though).
Multi-factor authentication belongs to your account (not the device), it can be set on any computer (even outside the VŠE network), and this setting will then be taken into account when you next log in to your school account, wherever you log in. If you set up multiple MFA methods, you’ll be able to choose any method you’ve set up when signing in (and you’ll have a backup in case you forget your mobile phone, for example).
Supported methods:
method | description | when to use it |
Microsoft Authenticator | confirm login (data connection necessary) or copy the code from the application (authentication application) | the most common way; you need to install the application on your mobile (Android or iPhone); it is also possible to set up a passwordless login |
Phone (SMS) | you receive an SMS with a code | if you do not have a smart phone or emergency when replacing a mobile |
Authentication applications | copy the code from the mobile application (e.g., Google Authenticator or Authy) | you use a different authentication application or as a backup on another mobile phone |
Security key (FIDO2) | insert the security key into the computer, enter the PIN for the key; you do not have to enter the name and password | you need to purchase the security key and pair it with your M365 account |
Windows Hello | you log in to Windows using your face, fingerprint; then you do not need to enter your name and password to log in to M365/InSIS | you need a certified camera or fingerprint reader, and a TPM chip is also required; first pair Windows with your account in M365 |
At https://mysignins.microsoft.com/security-info, you can view and set up most multi-factor authentication methods. The exception is Windows Hello, which you set first on your computer and then log in to the given website. If you have an MFA method set up, the website is only accessible via MFA authentication.
2. Multi-Factor Authentication (MFA) Setup[menu]
2.1 SMS Authentication[menu]
- Prerequisites: Mobile phone capable of receiving SMS, only one phone number can be entered for the account
- login procedure: enter your username and password and then copy the 6-character code from the SMS message
>> setting up MFA authentication via SMS (click to expand instructions) <<
1. Go to https://mysignins.microsoft.com/security-info and if you are not already logged in with your school account in your browser, do so (you will be redirected to the VŠE login window and after logging, back into the administration of your Microsoft school account):
2. In the menu list on the left side of the screen, choose the Security info:
3. Click on Add login method, select the method Phone from the drop-down menu and confirm with Add:
4. Enter the phone number to which you would like to receive verification codes (note: it is not possible to use a phone number that is already used by another user for verification within the organization):
5. To verify your phone number, copy the 6-character code that was sent to you in the text message:
6. Your phone number has been added successfully:
7. The overview of the Security info will now show you the login via SMS (Phone), here you can also change the phone number or remove the multi-factor login via SMS:
2.2 Microsoft Authenticator [menu]
- prerequisites: Android or iOS smartphone; installation of Microsoft Authenticator.
- login procedure: enter your username and password and then confirm your login in Microsoft Authenticator, occasionally, you may also be prompted to enter a two-digit code generated by the login page. The mobile must have access to the Internet (data connection). If it is not so, select the Authenticator app, and then enter the code from the application.
- Note: You can set up verification via Microsoft Authenticator on multiple devices with the Android or iOS operating system and thus have a backup verification solution available in case of loss, forgetting, or breaking of your smartphone/tablet.
>> setting up MFA authentication via Microsoft Authenticator (click to expand the tutorial) <<
1. Install the Microsoft application Mobile authenticator from either Google Play (Android) or the App Store (Apple). Go to https://mysignins.microsoft.com/security-info and if you are not already logged in with your school account in your browser, do so (you will be redirected to the VŠE login window and after logging, back into the administration of your Microsoft school account):
2. In the menu list on the left side of the screen, choose the Security info:
3. Click on Add login method, select the method Authenticator app and confirm with Add :
4. If you want to set up authentication via Microsoft Authenticator, please proceed by installing the application on your smartphone via the link Download now, install the application, and click Next to continue.
5. Follow the instructions to go to Microsoft Authenticator on your smartphone, select Add Account, then select Work or School Account and finally Scan QR Code:
6. Scan the QR code displayed in the Multi-Factor Authentication Setup Wizard with your phone:
7. After successfully scanning the QR code, a test notification will be sent to your phone, please confirm it via Approve, after successfully approving the test notification, continue via Next to complete the Microsoft Authenticator setup process:
8. In the overview of the Security info, you will now see the login set via the authentication application (Microsoft Authenticator) together with the name of your phone, here it is also possible to remove this type of MFA authentication from your account:
9. If you do not have an active internet connection on your mobile phone (you do not have a data connection or a WiFi connection), select Use verification code from my mobile application when logging in, click on the account details in the Microsoft Authenticator, you will see a 6-character one-time password and write it down.
Passwordless login can also be set up using Microsoft Authenticator.
2.3 Other Authentication Applications (Google Authenticator, etc.) [menu]
- prerequisites: smartphone with Android or iOS operating system; Google Authenticator application installation or others selected by you, authentication applications; multiple authentication applications can be assigned (multiple mobile phones)
- login procedure: enter your username and password and then copy the 6-character code from the authentication application
>> MFA authentication settings via other authentication applications (click to expand the manual) <<
1. Go to https://mysignins.microsoft.com/security-info and if you are not already logged in with your school account in your browser, do so (you will be redirected to the VŠE login window and after logging, back into the administration of your Microsoft school account):
2. In the menu list on the left side of the screen, choose the Security info:
3. Click on Add login method, from the from the drop-down menu, select the method Authenticator app and confirm Add :
4. Click on I want to use a different authentication application and follow the instructions displayed. The rest of this tutorial describes the settings using Google Authenticator:
5. Follow the instructions to go to the Google Authenticator on your smartphone, click “+” “+” and select Scan QR Code:
6. Scan the QR code that will appear in the Multi-Factor Authentication setup wizard with your phone, you should now see a new entry in Google Authenticator (Prague University of Economics and B… :
7. In the setup wizard, type the 6-character code that displayed in you the Google Authenticator and click on Next to complete the Google Authenticator setup process:
8. In the overview of the Security info, you will now see the login you have set up via the authentication application, here it is also possible to remove this type of MFA authentication from your account:
2.4 Security key [menu]
- prerequisites: Windows 10 version 1903 or higher; security key with certification FIDO2 that is compatible with Microsoft
- login procedure: you can login without entering a password or as a second factor after entering a password
- Warning: the security key cannot currently be used to access Office365 on classroom workstations or school virtual desktops. We are working on the problem.
>> setting up MFA authentication via security key (click to expand instructions) <<
1. Go to https://mysignins.microsoft.com/security-info and if you are not already logged in with your school account in your browser, do so (you will be redirected to the VŠE login window and after logging, back into the administration of your Microsoft school account):
2. In the menu list on the left side of the screen, choose the Security info:
3. Click on Add login method, select the method Security Key from the drop-down menu and confirm with Add, then select USB device:
4. Follow the instructions on the screen:
5. You will then be prompted to set a PIN code :
6. Place your finger on the biometric field of your security key:
7. Enter the name of your security key, under this name you will also see it in the security methods:
8. In the overview of the Security info, you will now see the login you have set up via the Security key, here it is also possible to remove this type of MFA authentication from your account:
9. Use when logging in as the second factor – you log in with your name and password. When selecting the second factor, you select Use Windows Hello or security key.
And then the browser prompts you to insert the key (unless already inserted) and to enter the PIN to the key.
10. Login without password. This option is available when the following login screen is displayed and you select Sign-in options there.
The next step depends partly on the browser and on the specific type of the key (some have, for example, a fingerprint reader included). Usually, you will be asked to enter a PIN for your key:
And then you have to touch the key (physical presence at the key):
2.5 Windows Hello Authentication [menu]
- prerequisites: OS Windows 10 or higher; Webcam certified for Windows Hello or fingerprint reader.
Logging in with Windows Hello should be functional on most private computers running Windows 10/11. In the case of Windows integrated into the Active Directory (computers at school, computers with the Windows school image), it is only partially functional: the login to Windows using the fingerprint is functional, the MFA login to InSIS is functional, the MFA login to Moodle is not.
In the case of school Windows image it will probably be necessary to reinstall the computer – even this partial support has been installed since February 2022. If you have an older version of the school Windows on your device and you want to use Windows Hello login, you need to reinstall the device – contact the helpdesk. - login procedure: the following is a brief procedure, we will complete the detailed instructions later
- registering a computer in Azure AD – run, for example, Word, then at the top right, sign in with your Microsoft 365 account. You see computers registered to your account in the device management of your Microsoft 365 account.
- pairing Windows Hello with your account – in Windows, select Start > Settings > Accounts > Login options. And set up your login with a fingerprint or a face. You will also need to set a PIN. If you have the login set from before, set the PIN again (the same PIN may be entered). When setting up, you will be aked to log in to Microsoft 365 – and if you have set up also another MFA method, then including MFA verification.
- actual login – similar to the security key, select Login options and then Login using Windows Hello or Security Key.
Note: Windows Hello is set to a specific device, if you want to use it on multiple devices, it is necessary to make this setting on each of them separately.
3. I don’t have MFA set up and now it’s already required – what about that?[menu]
If you do not have multi-factor authentication set up within your Microsoft 365 account, you will be prompted to set it up. Only some methods are offered, primarily sending SMS or authentication applications. If you want to use another method, first set up multi-factor authentication according to the procedures above. Information on this topic can also be found in a separate article.
4. FAQs
Can I use multiple multi-factor authentication methods?
Yes, and it is the recommended solution. Although you can configure only one phone number for the account, you can have more (max. 5) Microsoft Authenticator applications (on different devices) or applications with an authentication code. You can also have multiple security keys or multiple computers with Windows Hello. Think about how you will log in if you forget your mobile phone or if it breaks.
What should I do if I lose or forget my phone/security key?
If you have set up a backup version of MFA and you have it available, then your problem is easily solved. For example, in addition to Microsoft Authenticator, you have configured the SMS sending, and so you transfer your SIM card to another mobile phone. Or your password management application supports the generation of a verification code and you have set a verification code in it.
You usually will not even need the backup variant – verification using the second factor is recorded on a trusted computer for 90 days, so it would be really unfortunate if the second factor is required of you if you forget your mobile.
If you do not have a backup login method set up and you do not have another login option, please contact the helpdesk
What are the rules for signing in on public computers, i.e. computers in computer labs, workstations and virtual desktops?
To log in to these types of public computers, for security reasons, MFA is required every time you log in to Office 365.
How do I change the default multifactor authentication method?
After logging in on the website https://mysignins.microsoft.com/security-info/, click on “ Security info ” -> “ Set the default login method ” (or “ Default login method -> Change ” ).
Assuming that you have more than one authentication method set up, you can also change the login method once in your own login dialog via the menu “Login options.”
What security key should I buy?
We tested the password-free login with security keys GoTrust Idem Key and Yubikey 5 series. You can also use the GoTrust Idem Key for logging in to the state administration websites with a high guarantee level.
Can I buy a fingerprint reader for Windows Hello?
Yes, the Windows Hello setting in the VŠE information infrastructure environment has been tested with various models of Kensington VeriMark USB readers or with Dell Wired Mouse MS819, which has a fingerprint reader.
How to choose a webcam for Windows Hello? The webcam must be certified for use with Windows Hello, of course you can also purchase an external webcam. Windows Hello settings in the VŠE information infrastructure environment have been tested with Logitech Brio and Lenovo 500 FHD webcams (note that Lenovo camera does not have integrated microphones included).
How do I use the temporary access code generated by the Helpdesk?
You can find a simple guide here.
For what services do I need to have MFA set up in M365?
The mandatory MFA in M365 so far applies to a smaller number of services. It must be used by Microsoft 365 administrators. It must be used by application administrators with M365 authentication – e.g., moodle.vse.cz or Apple School Manager. And also all users who want to log in to InSIS using authentication in relation to Microsoft 365.
We are planning to implement mandatory MFA for risky sig-ins – unusual route, unknown login properties, use of anonymous IP addresses, etc. from June 2022.
Can I set up a mandatory MFA to log in to M365?
Yes. In MS Teams, join the team mandatory-MFA using the code 8zi2hcg. In approximately 5 minutes, MFA will be required each time you sign in to Microsoft 365.
Only this MFA enforcement will secure your Microsoft 365 account from a large number of threats. If you do not do so, if your password leaks, the attacker may be able to read, for example, your school 365 Office mail.