Introduction

Multi-factor Authentication (MFA) is an authentication method that requires you to provide two or more verification factors to gain access to a resource. Organizations such as banks, credit card companies, and governments all around the world use MFA to secure digital assets, information and user identities to protect customer/user credentials from unauthorized use.

Royal Roads University has adopted Microsoft 365 MFA for Webmail, Remote Desktop (for staff only) and Office 365 (coming June 17, 2024). You only have to set this up once and it will work for all the applications listed.

MFA requires the Microsoft Authenticator app to be installed on a mobile device. If you do not have a mobile device please contact the RRU Help Desk.

You MUST be in Canada when setting up MFA. If you are not in Canada, please contact the RRU Help Desk before you try to setup MFA.

Who needs to set up MFA?

Everyone who will access a protected RRU resource.

Not all resources are protected yet, but this changes frequently. We highly recommend that you set up MFA so that you don’t experience an interruption in service.

What you need to know/do before you begin

Your Universal Principal Name (UPN) (like b12smith@royalroads.ca)

Note: The UPN is often referred to as the Microsoft username, Office 365 username, RRU longform username, and perhaps others. Regardless of how people refer to it, it’s your Moodle username with ‘@royalroads.ca’ added, like b12smith@royalroads.ca)

Your usual RRU password
If you already have the Microsoft Authenticator app installed on your phone, make sure it’s current.

Note: There are some scenarios where you need to use a Security key instead of using the MS Authenticator app. These are USB keys that you carry around with you. You must have it to 2nd factor authenticate when required. There is no workaround that can be implemented at the Helpdesk if you don’t have your Security Key.

If you chose this, you will have filled out a form asking us to send you a USB key. Wait for it to arrive via internal mail before you continue.

How to set up MFA preferences

Step 1 for everyone: log into your Microsoft profile

Click here to expand this section for instructions for how to log into your Microsoft profile

On a computer, please go to http://myprofile.microsoft.com

You might go straight into your Microsoft Profile without any login requirement. If so, just proceed to the next step.

Otherwise, the prompt will asks for an email address but don’t enter that.
Instead, enter your UPN and click Next

Enter your password and click the Sign in button

Step 2 for everyone: view your Security info

Click here to expand this section for instructions on how to view and update your Security information

Once you have signed in, on your computer, you’ll see a screen similar to this. Click the UPDATE INFO link on the Security info card.

If this is your first time here, your default security method is “Password”, as shown below:

If you’ve set up MFA previously, you may have a different default and you may have additional sign in methods showing here next to ‘Password’.

Step 3 for everyone: set up a method/preferences

This is it! Click here to expand this section for instructions on how to set up your 2nd factor authentication method (includes installing the MS Authenticator app).

We recommend that everyone uses the MS Authenticator app for your 2nd factor.

But employees who come to campus can opt to use a ‘Security key’. If this is you and if you received your security key in internal mail, follow the instructions for how to set up a security key as your 2nd factor, then move on to Step 4 below. Otherwise, go back to the 'What you need to know/do…” section above to request a key.

Only employees who come to campus can choose ‘Security key’. Everyone else must choose the MS Authenticator app and continue with this Step 3.

To set up the MS Authenticator app as your 2nd method, on your computer:

Watch this 3 minute video and/or follow the instructions below it:

set up the MS Auth app as 2nd factor.mp4

click + Add sign-in method
click the down arrow to the right of ‘Choose a method’
click on Authenticator app

Finally, click Add.

Note:

Do not choose a ‘phone’ option. These be phased out by Microsoft. They will be removed from this options list as soon as we are able to do so without breaking existing setups.

On your computer you’ll be prompted to get the Microsoft Authenticator app. If you installed the app already, click Next.

Did not install app yet?

If you do not have the app, please point your mobile phone camera to the appropriate QR code below. Make sure you download the Microsoft Authenticator (the icon looks like the icon in the screen shot above). Your store may “recommend” a different authenticator, however you should download the Microsoft Authenticator for the procedure to work.

Install the app and now you can click Next on your computer

You should now see the “Set up your account” screen. Please do the following on your phone before you hit next:

Open the Authenticator app
Click on the plus sign to add a new account
Choose “work or school” account

If you are using an iPhone, you may get a message asking if you have a backup.
Find out what to do before you continue.

Choose to Scan a QR code

Now hit Next on your computer

Please note that it is very important that you allow notifications from the Authenticator. So if prompted you must click “Allow”

On your computer screen you should now see a QR code similar to the window below:

Hold your phone up to view the QR code.

It will take only a minute for the set up to complete and when it does, you should see your account showing in the MS Authenticator app on your phone.

In some cases, on an iPhone, if the app was previously installed you might now get a warning about notifications. Your options will be “setup later” or “settings.

Click Settings
Select Notifications
Enable Allow notifications
Return to the Authenticator app

Back on your computer Microsoft Profile, click Next.

Your account will test the app. A number will be displayed on your computer. Enter it into your Authenticator app on your phone and click Yes to confirm it is you.

Back on your computer you should see a confirmation it was approved in your Microsoft profile, click Next

On you computer, your updated security information should look like this, with the Microsoft Authenticator app showing as your second sign-in method:

Close the browser window if your only sign-in methods are password and either MS Authenticator or Security Key. If you have “phone call” as another sign-in method, you’ll need to delete that using the optional instructions in step 4.

When you next access a resource from RRU, you may be prompted to authenticate using the app. Follow the instructions when required.

You won’t always be asked to MFA because:

not all RRU resources are MFA protected at this time
the rules behind the scenes dictate how frequently and in what circumstances you are asked to MFA

Step 4 for everyone: ensure your 2nd choice authentication method is not ‘phone’

Microsoft will soon remove all phone-related options from their list of acceptable 2nd factor authentication options. Please ensure you're not using "phone" as a default to avoid interruptions in service. Expand these instructions for the details.

In step 3, if you had only ‘password’ showing as your sign in method, you can skip step 4.

While signed in to https://myprofile.microsoft.com and while looking at the security card (refer to Step1 above if you need help getting back here):

Click the ‘Change’ link
Click the down arrow to view a list of options
Click on ‘App based authentication - notification’ as shown in the picture if you’re using the MS Authenticator app.
- If you’re an employee using a hardware token, choose that option instead.
Click the blue ‘Confirm’ button

Step 5 for everyone: delete unnecessary authentication methods (recommended, but optional)

It's a good idea to clean up your authentication methods. Microsoft will soon remove "phone" as an option. Removing it now will prevent you from selecting it later and potentially experiencing an interruption in service when Microsoft discontinues that option.

In step 3, if you had only ‘password’ showing as your sign in method, you can skip step 5.

While signed in to https://myprofile.microsoft.com and while looking at the security card (refer to Step1 above if you need help getting back here):

Click on the method you wish to delete (we’re deleting the phone method in the picture shown)

Click the ‘Delete’ link to the right of the method to be deleted
Ensure you’re on the correct line, then answer OK:

Done

Will you have to MFA often?

No, you won’t always be asked to MFA because:

not all RRU resources are MFA protected at this time
the rules behind the scenes dictate how frequently and in what circumstances you are asked to MFA

Do you have more questions not answered here?

More information can be found on this FAQ page.

Bonus: Back to where you came from?

Everyone - About Office 365 for RRU Staff, Faculty and Students

Students - Webmail access for Students

Staff/Faculty/Associate Faculty - /wiki/spaces/ITKNOW/pages/5838261

Staff/Faculty only - /wiki/spaces/ITKNOW/pages/5837595 (must login to see this content)

RRU MFA enrollment for everyone