How do I sign into my Office 365 MFA - enabled/enforced account?

Applies to: All Nerdio For Azure (NFA) Enterprise and all Nerdio Private Cloud (NPC) customers

Nerdio is tightly integrated with Office365 for secure and collaborative working. Nerdio for Azure (NFA) and Nerdio Private Cloud (NPC) customers must be connected to Office 365 accounts. Due to Microsoft licensing requirements, NFA works with Office 365 Enterprise accounts only; which includes the entire series of Enterprise licenses - E1, E3, E5, etc. You can use an existing Office 365 account or sign up for a new account. Click here to sign up for a free trial of Office 365 E3 account.

Note: An Office 365 account must have one available license.

Nerdio Admin Portal (NAP) provides various features to secure its user accounts – one of them being Office 365 MFA. If you are an IT Admin, you can enable multi-factor authentication (MFA) for each of your user’s Office 365 accounts.

With multi-factor authentication (MFA) feature in place, you can add extra layers of protection to secure your Office 365 account. Office 365 accounts with MFA implemented will be authenticated based on the following factors during sign on:

• Your username and password (the first factor—what you know),
• Your geographical location from where you are signing into Office 365 (the second factor- where you are) and
• An authentication response from a device you own (the third factor—what you have)

Together these multiple factors ensure increase security for your Office 365 account settings and resources.

Office 365 MFA can be in one of two states:

• Office 365 MFA Off or
• Office 365 MFA enable or enforce

Let us explore them one by one.

How does “Office 365 MFA off” feature work?

By default, when you create a new user, Office 365 MFA feature is disabled as shown below:

Let us understand the user workflow when “Office 365 MFA feature is OFF”.

Go to Office 365 login page (www.office.com). Enter your Office 365 login credentials and click "Sign in" button as shown below:

If you are a first time user, Office 365 will prompt you to set your time zone.

On Office 365 Homepage, click Set the time zone for your calendar link as shown below:

Using the dropdowns provided, set your Language and Time zone and click Save as shown below:

You may proceed to enjoy “Office 365” apps and features as usual as per your language and time zone preferences.

Note: In this case, your Office 365 account is protected with your credentials only.

How does “Office 365 MFA enable/enforce” feature work?

As an IT Admin, you can "enable" multi-factor authentication (MFA) for each of your user’s Office 365 accounts. If you select "Office 365 MFA Enable" option on your user account, it indicates that the user has been enrolled in MFA, but has not completed registration.

In this example below, we have edited an existing test user and have selected "Office 365 MFA- Enable" for the user account as shown below:

As an IT admin, you can send an email or text notification to the end-user (Test_user112) that Nerdio has enabled MFA on their Office 365 account. Click the "mailbox" icon next to "OFFICE 365 MFA Enable" option to enter end user's email address and contact number. Once done, click the Confirm button as shown below:

Click Save button to save the changes to the user record.

Once your admin enables your organization with multi-factor authentication (MFA), you have to set up your Office 365 account to use it. Follow steps below to set up your Office 365 account

https://support.office.com/en-us/article/set-up-2-step-verification-for-office-365-ace1d096-61e5-449b-a875-58eb3d74de14?ui=en-US&rs=en-US&ad=US and https://support.office.com/en-us/article/create-an-app-password-for-office-365-3e7c860f-bda4-4441-a618-b53953ee1183?ui=en-US&rs=en-US&ad=US

If you are an NFA or NPC customer logging into an MFA enabled Office 365, you will see the following screen:

Click Learn more link to go to Office 365 documentation page:

https://docs.microsoft.com/en-us/azure/active-directory/user-help/multi-factor-authentication-end-user-troubleshoot

Click Next button.

Since Nerdio has enabled MFA on your Office 365 account, it will prompt you to provide more information to verify your identity. You will be directed to Additional security verification page as shown below:  

Enter the required information to help Office 365 verify your identity. When you finish entering the details, press Next button.

Note: Some fields are mandatory and if you fail to enter certain information, Office 365 will prompt you to enter the correct information by displaying an error message as shown below:

Enter all details correctly and click Next button. You will be directed to Step 2 of additional security verification as shown below:

Depending on the method of contacting selected in step 1, you will either receive a call or a verification code on your registered mobile. Click Verify button when done.

Once you enter the correct verification code from your mobile number, you will be directed to Step 3 of additional security verification as shown below:

Note: Some apps like Outlook, Apple Mail and Microsoft Office do not use a phone number to secure your account. Instead, you will need to use an "app password" to sign into them as shown below: 

Click Done button and you are done setting up MFA on your Office 365 account.

The next time you log in, Office 365 will prompt you to enter a passcode (sent on your mobile number) to verify your identity as shown below:

Note: Once your IT admin "enables" MFA on your account and you set up MFA on your Office 365 account by entering all the required additional information, the status of your NAP user account will change from Office 365 MFA enable -> Office 365 MFA enforced as shown below:

So the difference between MFA enable and enforce is:

Office 365 Enable option on NAP indicates that the user has been enrolled in MFA by the IT admin, but has not completed registration.

Office 365 Enforce option on NAP indicates that the user has started MFA registration and either has completed it or is being prompted to complete at sign in.