Apply MFA/2-factor authentication setup

Apply will enable Multi-Factor Authentication (MFA) for all users. Both Apply employees and guest users.

The reason why Apply wants MFA enabled is that security and increasing growing demands from the companies we interact with. DNO and AkerBP, amongst many, has already Policy’s in place forcing Apply employees to use MFA to be able to log on to their services.

Apply has migrated all IT to Visolit and as part of that project we wanted to consolidate “tools” and how we interact with our systems and services. Today you can log onto webmail, IFS, support portal, and our new Citrix solution with the same Tool, Microsoft Authenticator.

This guide will help you install Microsoft Authenticator, set it up, and be ready for MFA.

Download Microsoft Authenticator on your phone

The Microsoft Authenticator is free and can be downloaded from Google Play Store or Apple webshop.

Google Play Store: https://play.google.com/store/apps/details?id=com.azure.authenticator

Apple app store: https://apps.apple.com/us/app/microsoft-authenticator/id983156458

Make sure that is if from Microsoft Corporation and that App name is Microsoft Authenticator

A screenshot of a cell phone

Description automatically generated

If Microsoft Authenticator is already installed the green button will show Open (as in the image above), if not it will show Install.

Connect to your Apply account

On your PC, please open this website: http://aka.ms/mfasetup.

If it is the first time you access this website you will be asked to log in.

Choose your username (if displayed). If you have to write in your username, then please use the username assigned by Apply AS.

In August 2019 we changed all usernames to [email protected].

In the following image, I had to type in my assigned username to continue.

The dialog box will validate your username before it continues and will ask for the password. It will be the same password you use to log onto Apply computer or any service Apply offers.

You will be using the following URL: https://login.microsoftonline.com/common/login

If it is not HTTPS or *.microsoftonline.com* then close session and ask IT for assistance.

Next will be the following dialogue box (this can vary depending on your account settings in our Active Directory).

Click Next and you will see the following dialogue.

A screenshot of a cell phone

Description automatically generated

Change the settings so that they match the settings in the image above and then click the button Set up

Open the App Microsoft Authenticator on your cell phone

Click the 3 vertical dots in the upper right corner in the app. This will open a menu where you select + Add account. Choose Work or school account. A QR scan window will open and you use it to scan the dialog that opened when you clicked the Setup button (look at previous step in this document).

A screenshot of a cell phone

Description automatically generated

For security reasons, I have obfuscated some details in the image above. Scan the QR code and your Microsoft Authenticator app is now connected to your Apply account.

Tip

You can use Microsoft Authenticator to protect your private accounts. Facebook, Snapchat, and Linkedin to mention a few.

When this is done you will be ready to MFA authenticate towards all Apply services and systems.

MFA Enabled

Apply has configured this so that if you are login onto a computer located at any Apply office you will not have to MFA authenticate. If connected to an external network you will be required to MFA authenticate.

If you try to log on from the outside you will be required to log on using your username and password. The system will display the following dialogue box:

If you log on from a trusted device like your personal computer, you can check the “Don’t ask again for 14 days”. You should now get a notification from your cell phone asking if you want to approve that you are logging onto an Apply service/device.

I don’t have a Cell phone or not permitted to bring it with me offshore.

If you don’t have a cell phone or for some reason is not allowed to bring it with you offshore, you will be provided with a token. A token is a small device that will generate a new password every 30 seconds.

A red and white sign

Description automatically generated

In the Approve sign-in request dialogue, you will have to click on the link Sign in another way

If that’s the case, you will see the following dialogue box:

Select Use a verification code from my mobile app.

Here you will be asked to type in the 6 digit code from your Token (this is the same code as you will find in Microsoft Authenticator). When done, click verify and you are logged on.

The Token is pre-configured by IT and will be your personal device. It can not be shared as it is tied to your account.

Tip!

If you look in Microsoft Authenticator settings, you will find an option to save the sites you add to it in the Microsoft cloud. This will be done towards your Microsoft account. This means that if you have to reinstall or move to a new cell phone, then all you have to do is to connect to your Microsoft account and all registrations will appear in the Authenticator app.

Changing how security verification is done

You can choose how to verify the account login. Most people like to get a popup on the cell phone asking if it is OK to log in. Users will just need to click Confirm and you are in. In some cases, you might want an SMS or an email instead. If you want to change then go to this page: Additional security verification.

You will be asked to log in and end up at a page similar to this:

I have added my phone and a backup email address. If you look closely, my office phone is listed and I can enable MFA to that. That means I can request to validate login by being phoned up from service at Microsoft.

If you want to change how MFA notification is sent, click the Change link in the upper part of the window.

A screenshot of a cell phone

Description automatically generated

Recommended is the Microsoft Authenticator – notification. If you are a user that has a smartwatch you will be able to confirm login by touching your watch.

Cell phones and MFA

There are a large number of models and various operative systems and we have learned that on many of them, the authorization towards your Apply company email will fail each time you are requested to change password. On most models, we had to remove the account towards Apply and add it again. This is when using the built-in email client that’s part of the operative system.

So we decided to standardize on using the Microsoft app, Microsoft Outlook. That supports modern authentication and handle password change without any problems. Also, it permits Apply to make sure your cell phone has a screen lock.

A screenshot of a cell phone

Description automatically generated

Outlook app has a userfriendly interface that is recognizable compared to the Office solution you have on your workstation/laptop. Besides, it will give you access to your calendar.

This is the only solution IT will support and we recommend that you keep your cell phone updated and protected.

The Microsoft Outlook app can be installed from App store

Google Play Store: https://play.google.com/store/apps/details?id=com.microsoft.office.outlook

Apple app store: https://apps.apple.com/us/app/microsoft-outlook/id951937596

It is your cell phone and you are of course free to install any e-mail client you prefer. Our recommendation is Microsoft Outlook and that is the only one we currently support.

Install Microsoft Outlook App

Click Install when you have found the Microsoft Outlook app in your app store.

The installation might find your username as in my example above (this because I have installed the app previously. If not, you will have to type in your username ([email protected]).

Click Next

A screenshot of a cell phone

Description automatically generated

You must Activate device administration to continue.

The policy that is listed in image above is a general policy that all users has to accept to be allowed to connect to Apply e-mail account from a device that’s not part of Apply domain. Click Activate again to continue.

And your done. In the dialogue you are permitted to add more account if needed.

A screenshot of a cell phone

Description automatically generated

The app has the same features as you might have seen in Outlook on your PC. Mail is placed in two “categories” Focused and Other. Default it will display Focused. You create a new email using the blue button in the lower right corner and you can swap between calendar and email in the bottom menu. In addition, search for email on both cell phone and what's stored on the server.

From the app, you will be able to launch both Skype and Teams meetings, create a new appointment and sort the list as you prefer.

Use the Microsoft Authenticator for your private accounts.

The Authenticator can be used to secure your Facebook profile, Snapchat, Linkedin, and so forth. IM has written a guide for how to do just that at our support portal.

https://applyas.freshservice.com/support/solutions/articles/26000004792-mfa-and-why-use-it-

We urge all to use MFA/2-factor where possible as this will greatly enhance security for both us as a company and for you as our colleague. Awareness and focus on cybersecurity is something that has a lot of focus in Apply and we can all contribute by using tools and keep a keen eye on what's appearing in the mailbox.