Microsoft Multi-Factor Authenticator (MFA) Quick Reference Guide
What is Microsoft Multi-Factor Authentication? Shared Health has introduced stronger cyber security protection for how we connect to our systems from outside of the network. This stronger protection is called Microsoft Multi-Factor Authentication (MFA). MFA protects you by requesting additional verification of your identity when attempting to access our tools or systems from outside of the office using an application on your smartphone.
With MFA, you will protect your Shared Health account with something you know (your username and password) and something you have (your smartphone). You will download the
Microsoft Authenticator app onto your personal or Shared Health managed device. This app verifies that the login attempt on your computer is legitimate.
• Personal Device: Your personal cell phone, not provided by Shared Health. • Shared Health Managed Device: This is a smartphone provided to you by Shared Health. For this QRG, this only includes Shared Health managed devices that allow use of email (data plans).
You may also enroll an additional method or device if your first choice of MFA device is unavailable. In this event, you will be prompted for MFA on your second enrolled device. Once MFA is implemented, you will be presented with the Additional Security Verification prompt upon logging into any application protected by MFA, including MS Teams, Outlook Mobile, External OWA (Outlook on the Web) or applications currently using Imprivata Two-Factor Authentication (2FA). What do I need to use MFA? What happens if I receive a sign-in notification To use MFA, you must use a mobile-enabled device (i.e. that I did not request? smartphone). The Microsoft Authenticator application is Should you receive a notification request to Approve sign-in not available on your computer. on your device when you have not requested one, press Deny. Report any suspicious activity or verification requests When will I know to use the app? to [email protected] for investigation. When MFA is required, the Microsoft Authenticator app How do I learn more? sends a push notification to your phone OR a One-Time Passcode is available if the user does not approve the push To learn more about Azure MFA, follow this notification. The six (6) digit OTP code will let the user be link https://aka.ms/mfatutor, or watch this input into the user's laptop for the requesting service. When video https://aka.ms/mfavideo. Note that the video shows registering for MFA, the user can choose either OTP or the slightly different options, as Shared Health is only using the push notification as the initial prompt. Refer to How do I Microsoft Authenticator app, and not SMS (text) messages. Receive Notifications for more information.
Microsoft Authenticator Quick Start Summary Review these summary steps to learn how to setup MFA onto your laptop and download the Microsoft Authenticator app onto your smartphone. For additional information, refer to the specified links to see the detailed process for the summary steps. 1. Sign into your computer and have your smartphone ready. 2. On your computer, go to https://aka.ms/setupsecurityinfo and sign in with your Shared Health credentials. 3. Click Add Method and select Authenticator App to generate a QR code. 4. Install the Microsoft Authenticator App on your smartphone from your app store.
September 21, 2021 1 Microsoft Multi-Factor Authenticator (MFA) Quick Reference Guide
5. Open the app on your smartphone and select Add account and then select Work or School. 6. Using the app on your smartphone, scan the QR code displayed on your computer. 7. Follow the prompts to complete the account setup. Microsoft Authenticator Detailed Instructions This section of the QRG provides you with the detailed steps for self-registration. How do I self-register with the Microsoft Authenticator app? Important: You will need both your computer and your smartphone to enroll and download the Microsoft Authenticator app. 1. On your computer, open your web browser and go to https://aka.ms/setupsecurityinfo 2. Log in with your sharedhealthmb.ca credentials (username and password). Note that if Microsoft asks you to stay signed in, click Yes. 3. Click Add a method and select Authenticator app from the list of options:
You are now prompted to download and install the Microsoft Authenticator app on your smartphone. Note – if you do not have a Shared Health managed device, you can still use your personal smartphone. This app will not use a lot of data to operate. 4. On your smartphone, go to your app store and search Microsoft Authenticator. 5. Touch Install. 6. Once downloaded, touch Open. 7. The app asks you to accept their policy statement. Touch I Agree. You are migrated to the next screen. 8. Touch Work or school account.
9. On your computer, click Next. A QR code displays. 10. Using your smartphone, scan the code using the Microsoft Authenticator app.
Note: You may switch to the Code / URL Combination. See example to the right.
11. On your laptop, click Next. The Account added successfully message appears at the bottom of the screen.
September 21, 2021 2 Microsoft Multi-Factor Authenticator (MFA) Quick Reference Guide
Important: • Depending on your smartphone settings, you may receive the message “App Lock enabled. To better protect you, we have enabled App lock by default.
• To respond to an MFA notification without having to enter your device PIN, go to the Settings inside the Microsoft Authenticator app on your smartphone (Menu| Settings), scroll down to the Security section and turn off the ‘App Lock’ setting.
12. On your computer, you are prompted to try out the MFA app.
13. On your smartphone, touch Approve within 30 seconds to complete the setup.
14. You are then prompted that the sign-in was approved.
Using the Microsoft Authenticator App This section of the QRG shows you how you will use the Microsoft Authenticator App. How do I sign into my MFA account? Signing into your account will be experienced differently when outside of the Shared Health network (e.g. at home, coffee shop, working from a hotel or airplane):
• Step 1 – Enter your Shared Health login credentials Sign into your Shared Health account like you usually would (using your username and password)
• Step 2 – Respond to prompt for a second verification Approve the notification from the Microsoft Authenticator app on your smartphone. This will complete the sign-in process
September 21, 2021 3 Microsoft Multi-Factor Authenticator (MFA) Quick Reference Guide
How do I Receive Notifications? Microsoft Authenticator app has two types of validation methods. A push notification and One-Time Passcode (OTP). The push notification requires the user to have either a data plan on their smartphone or a Wi-Fi connection in order to receive the push notification. The user simply Approves or Denies the notification without having to open the app. OTP does not require a data plan or Wi-Fi connection. The user will need to open the app and then enter the six (6) digit passcode into the requesting service on their laptop. You will receive notifications from the Microsoft Authenticator app on your smartphone OR be given a one-time user verification code from your smartphone that you must enter your web browser.
Authenticator App One-Time Password
How do I access an application using MFA? 1. You will be directed to a Microsoft page.
2. Enter your Shared Health credentials and click Next. You are directed to the Shared Health sign-in page.
3. Enter your Shared Health credentials and click Sign In. 4. MFA will prompt you either on your smartphone or as a one-time password code (when your smartphone is not available). Authenticator app request Authenticator app one-time password code
5. Once you verify your identity via the selected option, you will be granted access to the application you are need to use. Important: To add, remove or modify your available MFA methods, please refer to the “Manage MFA methods and settings” section of this document.
September 21, 2021 4 Microsoft Multi-Factor Authenticator (MFA) Quick Reference Guide
How do I change the default verification method? Once you have set up Microsoft Authenticator, you may change your preferred authentication method for your account. Upon signing into an application with your username and password, you will be presented with a security verification alert on your smartphone. This appears as a notification or verification code through the authenticator app. 1. From your web browser, go to Two options for authentication using the Microsoft https://aka.ms/setupsecurityinfo.Your default sign-in Authentication Application: method displays. • Receive notifications for verification – This option sends a notification to the authenticator app on your smartphone or tablet. You must then review the 2. Click Change. notification and, if it is legitimate, select Approve in the 3. Choose the new default from the drop-down menu. app. You may be required to enter your PIN to authenticate • Use verification code (OTP) – In this mode, the app generates a verification code that updates every 30 seconds. You must enter the most current verification code in the sign-in screen.
4. Your new default MFA method immediately applies. How do I delete my security settings? You may delete any of your configured MFA methods from the Security info page. If the Microsoft Authenticator method is deleted, you will be required to complete the entire registration process on both your smartphone and computer once again. 1. In your web browser, go to https://aka.ms/setupsecurityinfo. 2. Click the Delete link next to the MFA method you wish to delete.
3. The confirmation prompt appears. Click OK.
4. Once confirmed, a notification appears in the upper right corner of the page.
How do I sign out everywhere? You must sign out your devices via the Security Info page when your MFA enabled smartphone is lost or stolen. This will sign you out of all endpoints (but will not delete any set up MFA methods). You will have to complete the self-registration for the Microsoft Authenticator app again. 1. From your browser, go to https://aka.ms/setupsecurityinfo
2. Click Sign out everywhere.
September 21, 2021 5