Multi-Factor Authentication (MFA) in Microsoft 365
This guide will introduce you to multi-factor authentication (MFA) and how to use it for Microsoft 365 work and school accounts.
What is multi-factor authentication?
MFA is a crucial layer of security for online accounts which combines something you know (your password) with an additional factor - something you have (such as your phone) to authenticate you when logging in. You may have also seen MFA referred to as 2-factor authentication (2FA) or 2-step verification (2SV).
Requiring this additional factor makes your account more secure as it is harder for an attacker to log in by guessing or stealing your password.
How does MFA work?
MFA works by providing temporary codes on a trusted device, which you enter in addition to your password. These codes could be sent to you by text message or generated by an app.
You should never give these codes to anyone over the phone unless you want them to log into your account. Think carefully if anyone asks for these codes for any work or personal account as this is a common tactic of scammers.
You won’t be prompted for MFA every time you open an app, only when signing into a new device or app for the first time, and periodically after that to renew the authentication token. With Single Sign-On (SSO) you may only need to authenticate a single app for it to apply across all apps on the device. Contact IT if you get prompted frequently.
How do I set this up?
You can register new authentication methods and manage existing ones at the security info page. Save this page to your browser favourites so you have a trusted link to it.
aka.ms/mysecurityinfo
Register an authentication method by going to the security info page and clicking "Add sign-in method". Choose the method to add and proceed with the setup flow. See the sections below for help with the different methods.
![](https://eucattachment.freshservice.com/inline/attachment?token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6MjcwMjU4MTI1NTcsImRvbWFpbiI6ImpvaG5maW5jaGNvbXB1dGVyc2x0ZC5mcmVzaHNlcnZpY2UuY29tIiwidHlwZSI6MX0.1F0o7Ody2nOAmevRjja5VxvooQXMbN9cKDfYnD4YTH4)
MFA must be enabled by your administrator to begin protecting you but you can register authentication methods at any time. You will be contacted in advance of a rollout, with the enforcement date made known to you. If you have not registered an authentication method by the enforcement date, or if MFA is required straight away on a new account, you will be interrupted with a prompt to register like in the screenshot below. Click Next and proceed with the setup flow.
![](https://eucattachment.freshservice.com/inline/attachment?token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6MjcwMjU4MTI3ODIsImRvbWFpbiI6ImpvaG5maW5jaGNvbXB1dGVyc2x0ZC5mcmVzaHNlcnZpY2UuY29tIiwidHlwZSI6MX0.MTCVfsH9IXwa6EdfXD_xgIHYrMKz90zu-LVpwCePojc)
Default MFA method
Push notifications with the Microsoft Authenticator app are the recommended method to use. Ensure the default sign-in method is "Microsoft Authenticator - notification" and click the button to change this if it is not.
![](https://eucattachment.freshservice.com/inline/attachment?token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6MjcwMjU4MTMwMjksImRvbWFpbiI6ImpvaG5maW5jaGNvbXB1dGVyc2x0ZC5mcmVzaHNlcnZpY2UuY29tIiwidHlwZSI6MX0.F7JNeXWBLlbs815GnUpmM39BlH58DiSGx-MbrN4TsPg)
It is recommended to register multiple authentication methods so you have a backup in case something happens to your primary method. Some methods can be registered multiple times for different devices - such as the Microsoft Authenticator app, which can be registered on 5 devices!
Registering authentication methods
Use the Microsoft Authenticator app
The Microsoft Authenticator app is the recommended way to authenticate as the push notifications provide additional context and verification to reduce the risk of you getting phished. It is also the default method Microsoft will prompt you to set up through the interrupt prompt flow.
It can be installed on any supported Android or iOS device by going to the app download page and scanning the appropriate QR code for your device to jump to the store page.
You can also manually search your device's store for "Microsoft Authenticator" but be sure it is the correct app published by Microsoft as the top result is often an ad.
![](https://eucattachment.freshservice.com/inline/attachment?token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6MjcwMjU4MTMzMDUsImRvbWFpbiI6ImpvaG5maW5jaGNvbXB1dGVyc2x0ZC5mcmVzaHNlcnZpY2UuY29tIiwidHlwZSI6MX0.73M5S-aBBx5efuF_Dn0P7Y186XcFQJZ4brNN6cfCF20)
From the security info page, add an authenticator app; Microsoft Authenticator is the default type. Follow the instructions on screen to get to the page with the QR code.
In the authenticator app on your mobile device, add an account and choose the "Work or school account" type then "Scan QR code".
The first time you use the Microsoft Authenticator app, the work or school account may go straight to a sign-in page with no option to scan a QR code. If this happens, cancel off the sign-in page and go back to the app's home screen, then try again and you should get the option to scan a QR code.
The QR codes generated on the setup page only work with the Microsoft Authenticator app. See the next section for instructions on setting up a third-party authenticator app.
Scan the QR code with your mobile device then proceed to the next page and approve the sign-in prompt you will get on the mobile device to complete the registration.
Be aware that Microsoft Authenticator ties the registration to your device. If you get a new phone and transfer your data across to it, you will need to manually go to the security info page and register Microsoft Authenticator on the new device before it will work. Ensure you do this while you still have access to the old device, or have a backup method registered.
Use a third-party authenticator app
A third-party authenticator app will generate simple 6-digit codes without the additional context of the Microsoft Authenticator app. This could be an app on your mobile device or computer.
Start at the security info page and add an authenticator app. Press "I want to use a different authenticator app" and proceed to the page where you can scan the QR code on your device. Then continue to the next page and enter the 6-digit code generated on your app to complete registration.
![](https://eucattachment.freshservice.com/inline/attachment?token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6MjcwMjU4NDgxNjMsImRvbWFpbiI6ImpvaG5maW5jaGNvbXB1dGVyc2x0ZC5mcmVzaHNlcnZpY2UuY29tIiwidHlwZSI6MX0.mSCU2tpncAE27YYZcvZyyDqhE0TxZSc9nvXpPnphsFQ)
If your app is on a device where you cannot use a camera to scan the QR code, such as a password manager on your computer, you can click the "Can't scan image?" button to reveal the seed key to generate the authentication codes. Copy this into your app and then proceed to the next page to enter the generated code and complete registration.
![](https://eucattachment.freshservice.com/inline/attachment?token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6MjcwMjU4NDgyNDEsImRvbWFpbiI6ImpvaG5maW5jaGNvbXB1dGVyc2x0ZC5mcmVzaHNlcnZpY2UuY29tIiwidHlwZSI6MX0.jHyl72LsdtKxb_lWDz9e6yulGfA_F5Y9bfwQAcibr7g)
Use a different authentication method
Authentication via text messages to your phone number is also available, although this is considered a weaker authentication method than authenticator apps.
To add a phone number for text message authentication from the security info page, begin by clicking "Add sign-in method" and choose the "Phone" authentication method. Follow the instructions to register and confirm your phone number.
To add a phone number from a registration interrupt prompt, click "I want to set up a different method" as shown below and then choose the "Phone" method.
![](https://eucattachment.freshservice.com/inline/attachment?token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6MjcwMjU5ODQyNTgsImRvbWFpbiI6ImpvaG5maW5jaGNvbXB1dGVyc2x0ZC5mcmVzaHNlcnZpY2UuY29tIiwidHlwZSI6MX0.CPWpf_rGYNJOvSu6_CBUFPB_Nnjc_n9-aF8V0Mrmlww)
Contact us
Please contact us if you have any questions or require support with the instructions in this guide.