MFA and Microsoft Office 365

Will I be prompted for MFA each and every time I access Office 365 (email)?

No. Largely, the implementation will be a “set it and forget it” process.  You will be prompted occasionally and usually when using a browser or a new device to access email.

Why do I receive a "Protect Your Western University Account" message?

Full message: "Two-factor authentication enhances the security of your account by using a secondary device to verify your identity. This prevents anyone but you from accessing your account, even if they know your password. This process will help you set up your account with this added layer of protection."

This messages indicates that you are trying to sign into Office 365, but have not enrolled any devices for MFA usage.

To enroll a device and resolve this message, click the Start setup button displayed, or follow Steps 1 & 2 on our Setup MFA page.

If you require any assistance with enrolling a device, please contact the WTS Helpdesk.

Can I configure Gmail to send from my Western email account?

Gmail does not support modern authentication and therefore is not compliant with MFA. While you can still forward your office 365 inbox to Gmail and configure so that messages ‘reply to’ a western email account, it cannot send from the western email account as that requires MFA.

Can I set Office 365 to "remember me"?

Depending on the way you access your email, you may not need to use MFA every time. You generally need to complete an MFA prompt every time you are prompted to enter your password. So, for example, if you use a mobile device that doesn't normally ask you to enter your password every time you access it, you will not need to use MFA every time either.

If you are using web mail to access your email (https://MyOffice.uwo.ca), then you are entering your password every time and so you will need to use MFA every time as well. However, when you log in and are shown the MFA prompt, you can check the "Remember me for 7 days" box at the bottom of the window. This will work if you access your mail in the same browser, on the same computer / device.

MFA prompt - highlighting the "remember me for 7 days" box

If your "Remember me" option is greyed out, you will need to access your device settings in https://MyMFA.uwo.ca and change your default login action to "Ask me to choose an authentication method".

Are there any plans to incorporate "App Passwords" to allow specific apps to bypass MFA?

Western's Cyber Security team has carefully considered use of app passwords and have deemed they will not be used for Office 365 because they essentially bypass MFA.

Using Multi Factor Authentication ensures that you are logging in with something you know (credentials) and something you have (like a mobile phone or hardware token).  An unauthorized individual cannot access your account from their device even if they have your userid and passwords because they do not have access to the 2nd factor - the ‘something you have’.     Application passwords, while different than a user password, are still passwords and can be written down and used for multiple devices (in fact, Microsoft actually recommends you do this).   Use of app passwords is not in line with the objective to secure western email accounts with MFA, using the 2nd ‘something you have’ criteria.

What if my version of Outlook is not compatible with Duo MFA (such as Outlook 2013)?

If your personal device (laptop, tablet, home PC) is not at the sufficient Office level, please use the licenses available to you through myoffice.uwo.ca to upgrade your version.  Typically, Office 2016 and above are the recommended platforms for use with Duo MFA.  

 

If it is your work PC that is not compatible, please work with your local IT resource or call the Helpdesk for more information on how to upgrade your PC to the current version of Office.

Can I still use Thunderbird with MFA for Office 365?

Thunderbird Clients

Thunderbird clients are supported on a best effort basis.  If you are currently using a Thunderbird client, the following information will assist you in your setup:

For Windows users
Incoming server: outlook.office365.com – SSL/TLS – Port 993
Outgoing Server: smtp.office365.com – STARTTLS – Port 587

For Linux users
Before proceeding make sure you have a copy of your profile or any local folders.  You can find the location of them in account settings.

  • Remove the old Thunderbird app
    1. From Terminal – sudo apt remove thunderbird – when prompted hit y.
    2. From Terminal – sudo apt purge thunderbird.
  • Install Thunderbird using Snap to obtain latest version
    1. sudo snap install thunderbird
  • Open Thunderbird using applications menu
    1. Fill in email and password and choose manual config.  Set up the details as you would in Windows choosing OAuth2 as the authentication method for both incoming and outgoing.

Are there any 'open source' email clients that are compatible with Duo MFA?

Yes, there are open source email clients that are compatible with the requirements of Duo MFA. We will refrain from listing those products here as the Microsoft Office platform (including Outlook) is the recommended and preferred client software.  What you will be looking for in these open source products is the support for 'modern authentication' and the ability to connect to Exchange.

Published on  and maintained in Cascade.