Export (0) Print
Expand All

Managing your Azure Multi-Factor Authentication User Settings

Published: May 20, 2013

Updated: September 23, 2014

Managing your Azure Multi-Factor Authentication settings such as mobile phone depends on how you use Azure Multi-Factor Authentication. For example, if you are an Office 365 user, you would change your settings a different way than say if you were a Azure subscriber. The sections below describe how to change your settings depending on the subscriptions and services that you are using.

WarningWarning
App Passwords required for non-browser clientsPlease be aware that once multi-factor authentication is enabled on a user’s account, app passwords can be used with most non-browser clients such as Outlook and Lync, but administrative actions cannot be performed using app passwords through non-browser applications such as Windows PowerShell even if that user has an administrative account. Ensure you create a service account with a strong password to run Powershell scripts and do not enable that account for multi-factor authentication..

ImportantImportant
Office 2010 users cannot use the Office 365 portal to enable Multi-Factor Authentication. If you are using Office 2010, you must use the Azure portal to enable Multi-Factor Authentication.

Use the procedure below to change your Additional Security Verification settings if you are an Office 365 user but do not have a Azure subscription.

Change Office 365 settings

  1. Log on to the Office 365 portal.

  2. At the top, click the icon that looks like a little cog. This will display a drop-down that says Office 365 settings.

  3. Click on the Office 365, settings. This will open the settings page.

  4. On the left, click Password.

  5. At the bottom, to the right, click the link that says Update my phone numbers used for account security. This will open the Additional Security Verification section where you can update your phone.

Change Office 365 2

Use the procedure below to change your Additional Security Verification settings if you have a Azure subscription.

  1. Log on to the Azure portal.

  2. At the top of the Azure portal, click on your username. This will bring up a drop-down box.

  3. From the drop-down box, select Additional Security Verification. This will open the Additional Security Verification section.

Change Windows Azure Settings

Use the procedure below to change your Additional Security Verification settings if you have do not have an Office 365 or Azure subscription.

WarningWarning
Please be aware that you will only be able to edit your office phone number using the proofup page if you are a global or user admin and your account is not being synchronized with the DirSync tool.

  1. Log on to https://account.activedirectory.windowsazure.com/proofup.aspx using your org ID. This will take you directly to the Additional Security Verification page.

You can specify one contact method when you initially complete the multi-factor registration process. Follow the steps outlined in Signing in for the first time using Azure Multi-Factor Authentication to add a primary contatct method if you have not already completed the enrollment process.

Changing your contact information or adding additional contact methods is done on the additional security settings page. How to get to the additional security settings depends on your situation. See the Where to go to change your settings section earlier in this document for information on how to get to the additional security settings page.

Additional Settings 2

Once you have located the additional security settings page you can add or update your information using this page. The example below shows how to add the mobile app as a secondary contact method. Use the following procedure to configure a mobile app for your profile on the additional security verification settings page.

ImportantImportant
You should download and install the Multi-Factor Authentication app to your phone or tablet prior to attempting this step.

  1. Sign in to your account using one of the methods described above:

  2. On the additional security verification settings page, under mobile app, select the check box next to Multi-Factor Authentication appand click Configure. This will bring up the configure phone app screen.

    Configure 2

  3. On the phone that has the Multi-Factor Authentication app installed, launch the app.

  4. On the phone that has the Multi-Factor Authentication app, click the + sign to add a new account.

    authenticate

  5. On the phone that has the Multi-Factor Authentication app, click the barcode scanner button on the far right. This will launch the camera.

  6. Scan the barcode picture that came up with the configure mobile app screen.

  7. On the phone with the Multi-Factor Authentication app, a 6 digit code should be displayed. Once you see this click the check mark button on the configure mobile app screen.

    WarningWarning
    Be aware that if you are unable to scan the bar code you can enter the code and url manually. Simply enter the code and url from the configure app screen into the code and url boxes on the Multi-Factor Authentication app.

  8. Click Save.

Suspending Multi-Factor Authentication for remembered devices and browsers is a feature that allows you to suspend Multi-Factor Authentication for a set number of days after performing a successful Multi-Factor Authentication. If your administrator has enabled this feature then you can choose the option to have your device or browser remembered.

However since the you have suspended Multi-Factor Authentication on your device or browser, you should always restore Multi-Factor Authentication for your devices in case of either of the following scenarios:

  1. If your corporate account has become compromised

  2. If a remembered device is lost or stolen

ImportantImportant
This feature is implemented as a browser cookie cache. It will not work if your browser cookies are not enabled.

Use the following procedure to suspend multi-factor authentication on your device or browser.

  1. Sign-in to either the Azure portal or the Office 365 portal.

  2. When prompted to complete the Multi-Factor Authentication, place a check in Don’t ask again for x days. The number of days will have been set by your administrator.

    Remember 5
  3. That’s it, you have now suspended Multi-Factor Authentication.

There may be times where you will need to restore Multi-Factor Authentication on your devices and browsers. For example, if you corporate account has been compromised or you have lost a device or your device was stolen. When doing this, this will remove the suspension from all of your devices and browsers. You can use the following procedure to restore Multi-Factor Authentication on your devices and browsers.

  1. Restoring Multi-Factor Authentication is done on the additional security settings page. How to get to the additional security settings depends on your situation. See the Where to go to change your settings section earlier in this document for information on how to get to the additional security settings page.

  2. Under the manage multi-factor authentication for your devices, click on the restore button.

    Remember 6

  3. Once the updates have been applied, click close.

The following sections will describe App Passwords and how to use them with Azure Multi-Factor Authentication.

Non-browser apps, such as Microsoft Outlook and Microsoft Lync, currently do not support multi-factor authentication. Multi-factor authentication is enabled per user. This means that if a user has been enabled for multi-factor authentication and they are attempting to use non-browser clients, such as Outlook 2013 with Office 365, they will be unable to do so. An app password allows this to occur. An app password, is a password that is created within the Azure portal that allows the user to by-pass the multi-factor authentication and continue to use their application.

The following is a list of applications that support App Passwords.

  • Office Subscription

  • Outlook

  • Excel

  • EAS clients

  • Lync

  • Office 15

  • Word

This section will describe how a user can setup and change App Passwords. These steps must be done after the Administrator has completed the above steps. The following is a list of things to consider:

WarningWarning
App Passwords required for non-browser clients that do not support multi-factor authentication -When your account is enabled for multi-factor authentication, you will not be able to use non-browser applications such as Microsoft Outlook, Lync, and Windows PowerShell because these clients do not support multi-factor authentication. In order to continue to use your applications, you must set up App Passwords for your clients. To create or change app passwords go to http://aka.ms/mfasetup. For additional information about app passwords, see App Passwords with Azure Multi-Factor Authentication.

  • The actual password is automatically generated and is not supplied by the user. This is because the automatically generated password, is harder for an attacker to guess and is more secure.

  • Currently there is a limit of 40 passwords per user. If you attempt to create one after you have reached the limit, you will be prompted to delete one of your existing app passwords in order to create a new one.

  • It is recommended that app passwords be created per device and not per application. For example, you can create one app password for your laptop and use that app password for all of your applications on that laptop.

WarningWarning
Microsoft strongly suggests that you don’t save the app password on your machine by writing them down or pasting them into a text file, Word document, or something similar. This will make it easier for an attacker to obtain your password. It is recommended that you select Remember my credentials. This will allow your application to remember the app password and you will not have to enter it every time you sign-in.

App passwords can initially be created when you complete the enrollment process. Follow the steps outlined in Signing in for the first time using Azure Multi-Factor Authentication to add app passwords this way if you have not already completed the enrollment process. If you have already completed the enrollment process but have not setup app passwords, use the procedure below.

  1. Signing in using Azure Multi-Factor Authentication – Now that the additional security verification has been setup, login to either Office 365 or Azure using the steps outlined in Signing in using Azure Multi-Factor Authentication.

  2. Creating App Passwords – Once you have successfully signed in, navigate to the additional security verification settings page. This process will be slightly different, depending on the portal you logged into. Use either the steps outlined in Changing your Azure Multi-Factor Authentication Settings for Office 365 Users or Changing your Azure Multi-Factor Authentication Settings for Azure Users. Once you are on this page, use the procedure below to create an app password.



    Additional Settings 2

    1. At the top, click on app passwords. This will switch to the app password page.

      app password 1

    2. On the app password page, click Create.

    3. Enter a name for the app password and then click Next..

      app password 2

    4. This will generate the app password for you. Click copy password to clipboard and click Close.

      app password 3

    5. You should see your app password on the app password screen.

      app password 4

    6. Now, paste password that was copied to the clipboard into the your client, such as Outlook 2013 to login. For steps on individual applications such as Outlook and Lync see How to change the password in your email to the app password and How to change the password in your application to the app password.

      app password 6

      WarningWarning
      It is highly recommended that you check the Remember my credentials box so that you do not have to enter the app password every time you sign-in.

Once you have created app passwords, you will need to add these to your email applications such as Outlook. You may or may not get prompted by the application when using it due to something that is known as token caching. To ensure that the applications will function, use the chart below to find your application and the steps to how you change the password.

 

Application Steps

Outlook on Desktop

  1. Restart Outlook. When Outlook attempts to connect to your Office 365 account a popup will come up asking for your password.

  2. Enter the app password in the Password box.

  3. If you don't want to reenter an app password each time you use the Outlook desktop app, select the Remember password check box, and then click OK.

Mail client on Windows Phone

  1. On your phone, open Settings.

  2. Tap email+accounts.

  3. Tap your Microsoft account.

  4. Replace the password on your phone with the app password.

  5. Tap the Done icon.

Mail client on Android Phone

  1. Open the mail app on your phone.

  2. Tap Menu, and then tap Settings.

  3. Tap your Microsoft account.

  4. Tap Incoming settings (under Server settings).

  5. Replace the password on your phone with the app password.

  6. Tap Done.

Mail client on IPhone

  1. On your phone, tap Settings, and then tap Mail, Contacts, Calendars.

  2. Tap your Microsoft account.

  3. Replace the password on your phone with the app password.

  4. Tap Done.

Mail client on Blackberry

  1. On your phone, go to Setup, and then choose Email accounts.

  2. Replace the password on your phone with the app password.

  3. Tap Done.

Once you have created app passwords, you will need to add these to your applications such as Word or Excel. You may or may not get prompted by the application when using it due to something that is known as token caching. To ensure that the applications will function, use the chart below to find your application and the steps to how you change the password.

 

Application Steps

Lync 2013 on Desktop

  1. Sign out of Lync.

  2. Click Delete my sign-in info.

  3. Restart Lync

  4. Press Sign-in.

  5. Enter the app password in the Password box.

Lync on Mobile

  1. Sign out of Lync.

  2. Restart Lync

  3. Enter the app password in the Password box.

  4. Press the checkmark.

OneNote 2013 on Desktop

  1. Restart OneNote

  2. In OneNote, click File.

  3. Under Info, click Settings, and then click Sync.

  4. A sign-in dialog box appears, prompting you to enter your Windows Live ID and password.

  5. In the Email address box, enter the email address for your Microsoft account.

  6. Enter the app password in the Password box.

  7. If you don't want to reenter an app password each time you sign in, select the Sign me in automatically check box, and then click OK.

Word/Excel/PowerPoint 2013 on Desktop

  1. Restart Word/Excel/PowerPoint

  2. Open Word/Excel/PowerPoint.

  3. In the top right corner, select Switch Account.

  4. On the Sign-in page, enter your email address and click Next. This will bring up another sign-in page.

  5. On the sign-in page, enter the app password in the Password box and click Sign-in.

  6. If you don't want to reenter an app password each time you sign in, select the Keep me signed in check box, and then click OK.

Outlook 2011 on MAC

  1. Restart Outlook

  2. If Outlook prompts you to reenter your password.

  3. Click Yes.

  4. Enter the app password instead of the password for your Microsoft account.

Word/Excel/PowerPoint 2011 on MAC

  1. Restart Word/Excel/PowerPoint

  2. Enter your Microsoft account email address in the Windows Live ID box.

  3. Enter the app password instead of the password for your Microsoft account.

  4. If you don't want to reenter an app password each time you sign in to an Office app, select the Save password in my Mac OS keychain check box.

  5. Click Sign In.

OneNote 2010 on Desktop

  1. Restart OneNote

  2. In OneNote, click File.

  3. Under Info, click Settings, and then click Sync.

  4. A sign-in dialog box appears, prompting you to enter your Windows Live ID and password.

  5. In the Email address box, enter the email address for your Microsoft account.

  6. Enter the app password in the Password box.

  7. If you don't want to reenter an app password each time you sign in, select the Sign me in automatically check box, and then click OK.

Word/Excel/PowerPoint 2010 on Desktop

  1. Restart Word/Excel/PowerPoint

  2. Click File, click Save & Send, and then click Save to Web.

  3. Click Sign In.

  4. In the Email address box, enter the email address for your Microsoft account.

  5. Enter the app password in the Password box.

  6. If you don't want to reenter an app password each time you sign in, select the Sign me in automatically check box, and then click OK.

Lync 2010 on Desktop

  1. Restart Lync

  2. If Lync prompts you to reenter your password.

  3. Enter the app password instead of the password for your Microsoft account.

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft