Multifactor Authentication User Guide

MFA (multi-factor authentication) is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan.

Admin: Registration options

After MFA has been set up in your organization users are required to register their account and contact information before they can unlock their account or reset a password. This contact information is used for the different authentication methods configured in the previous steps.

An administrator can manually provide this contact information, or users can go to a registration portal to provide the information themselves.

In this tutorial, configure the users to be prompted for registration when they next sign in. Once completed, to apply the registration settings, select Save.

  • On the Registration page from the menu in the left-hand side, select Yes for Require users to register when signing in. -- It's important that contact information is kept up to date. If the contact information is outdated when an SSPR event is started, the user may not be able to unlock their account or reset their password.
  • Set Number of days before users are asked to reconfirm their authentication information to 180.



Admin: How Azure MFA works

Azure Multi-Factor Authentication works by requiring two or more of the following authentication methods:

  • Something you know, typically a password.
  • Something you have, such as a trusted device that is not easily duplicated, like a phone or hardware key.
  • Something you are - biometrics like a fingerprint or face scan.

Users can register themselves for both self-service password reset and Azure Multi-Factor Authentication in one step to simplify the on-boarding experience. Administrators can define what forms of secondary authentication can be used. Azure Multi-Factor Authentication can also be required when users perform a self-service password reset to further secure that process.

Available verification methods

When a user signs into an application or service and receives a MFA prompt, they can choose from one of their registered forms of additional verification. An administrator could require registration of these.

Admin: Select Authentication Methods

​​When users need to unlock their account or reset their password, they're prompted for an additional confirmation method. This additional authentication factor makes sure that only approved SSPR (self-service password reset) events are completed. You can choose which authentication methods to allow, based on the registration information the user provides.

On the Authentication methods page from the menu in the left-hand side, set the Number of methods required to reset to 1.

To improve security, you can increase the number of authentication methods required for SSPR. Choose the Methods available to users that your organization wants to allow.

The following are accepted methods:

  • Mobile App Notification
  • Mobile App Code
  • Email
  • Mobile Phone
  • Office Phone

To Apply the authentication methods, select Save

User: Setup instructions for Microsoft Authenticator app

If your organization is using the Microsoft Authenticator app for MFA follow the instructions below to get your app setup.
  1. Go to the app store on your personal phone.
  2. Search for the Microsoft Authenticator app and install.
  3. Sign into your account and open Microsoft 365.
  4. Click on your account in the top right-hand corner and view account.
  5. Select Security info and Add sign in method or verify and choose Use an app.
  6. If you’ve already installed the app, select Next to display a QR code that appears on the screen.
  7. In the authenticator app, select [three dots] then + Add account.
  8. Choose the account type and select Scan a QR code.
  9. Scan the code shown on the screen in step 4.
  10. Select Finish on the PC to complete the setup.