AZURE MFA CONFIGURATION AND OPERATION GUIDE

This guide serves as your source for all information regarding Azure MFA. In this guide, you will find
information on enrolling in Azure MFA, adding, removing, or modifying authentication methods,
frequently asked questions, and a troubleshooting guide to assist with issues you may have in using Azure
MFA.

Before beginning these steps, please take a moment to do the following:

1. Look at the Azure MFA Frequently Asked Questions (FAQ) guide in Section 6 of this guide.
2. Look at the Azure MFA Troubleshooting Guide in Section 7 of this guide.
3. Read the sections of this guide that are applicable to your situation before continuing.

The screenshots in this guide are provided for guidance purposes and are subject to change at any time
as the system is developed and owned by Microsoft. It is important to use best judgment was your
screen(s) and experience may vary from the screenshots provided in this guide. For any questions,
comments or concerns regarding but not limited to the content of this guide, how to improve it, and/or
Azure MFA in general, please open a ticket using Ask Red.

Welcome to Azure MFA!

 Table of Contents
1. Enroll in Microsoft Authenticator using Your Computer ............................................................................................ 3
1.1 Start the Enrollment Process ....................................................................................................................................... 3
1.2 Log in .................................................................................................................................................................................... 3
1.3 Download the Microsoft Authenticator App (iPhone) ...................................................................................... 5
1.4 Download the Microsoft Authenticator App (Android) .................................................................................... 8
1.5 Scan QR Code ................................................................................................................................................................. 10
1.6 Approve Notification Prompt ................................................................................................................................... 14
2. Enroll in Microsoft Authenticator using only a Mobile Device ............................................................................. 17
2.1 Start the Enrollment Process / Prerequisites ...................................................................................................... 17
2.2 Log in ................................................................................................................................................................................. 17
2.3 Enrollment/Activation ................................................................................................................................................. 19
3. Enroll in Azure MFA for Text or Phone-Based Passcodes Only ............................................................................ 26
4. Authenticating through Azure MFA using Alternative Methods.......................................................................... 30
5. Add, Remove, Modify and Change Default Authentication Methods ............................................................... 33
5.1 Adding an Authentication Method ........................................................................................................................ 34
5.2 Removing an Authentication Method .................................................................................................................. 37
5.3 Modifying an Authentication Method – Phone Number .............................................................................. 38
5.4 Changing the Default Authentication Method ................................................................................................. 39
6. Azure MFA Frequently Asked Questions ....................................................................................................................... 41
7. Azure MFA Troubleshooting Guide ................................................................................................................................. 44
1. Enroll in Microsoft Authenticator using Your Computer
1.1 Start the Enrollment Process
To begin the enrollment process to set up your mobile device to use Microsoft Authenticator,
please click CLICK HERE (https://aka.ms/mfasetup)

This will be done on your computer. Please note the screens in the following sections may vary
depending on your experience and if you already have a registered authentication method.

1.2 Log in
Once you have clicked the link in Section 1.1, you may or may not be prompted to log in. If you
are prompted to log in, you should see a screen like the one below. Enter your Honeywell email
address or the email address associated with your Honeywell EID account and click Next.

Now enter your password associated with that account.

Once you have entered your password, you should see the below screen. Simply click Next.

On your computer, if you are not registered, you will see the below screen. If you don’t see the
below screen, please click here for alternate steps. Depending on the type of phone you have,
please follow section 1.3 (Microsoft Authenticator app for iPhone) or section 1.4 (Microsoft
Authenticator app for Android) to enroll.
1.3 Download the Microsoft Authenticator App (iPhone)
To install Microsoft Authenticator on your iPhone, go to the App Store.

Once in the App Store, search for Microsoft Authenticator.

Tap the cloud icon (or GET button, whichever one is available) to download Microsoft
Authenticator.
Once Microsoft Authenticator has been downloaded, tap Open button.
1.4 Download the Microsoft Authenticator App (Android)
To install Microsoft Authenticator on your Android device, go to the Google Play Store.

Once in the Play Store, search for Microsoft Authenticator. You will see it show in the search
results. Tap Install when you see the screen below.
Once installed, tap Open to open the Microsoft Authenticator app.
1.5 Scan QR Code
Once the app is open, you should be greeted with the ‘Add Account’ button. Tap the ‘Add
Account’ button.
Tap ‘Work or School Account.’
Tap ‘Scan QR Code’ as shown below. Note if you are prompted to allow access to authorize
access to the camera, allow access.
Once you have authorized access to the camera, you will see this screen below. Keep this screen
on your phone as you will need your phone later to scan the QR code.
1.6 Approve Notification Prompt
On your computer, Click Next from the last screen in Section 1.2. You will see the below screen.
Since this step has already been done, click Next.

At the screen below, take your phone and scan the QR code. You should still have the scanner
up on your phone from Section 1.5. DO NOT SCAN THE QR CODE IN THIS DOCUMENT AS
THIS CODE IS NOT FOR YOUR ACCOUNT. Once you have scanned the QR code, click Next.
Once you scanned the QR code and see your phone has updated and shows “Honeywell” on
your device (you may see a six-digit code on the mobile device), click Next on the computer.

You will now get a notification prompt on your mobile device. When you see the mobile device
prompt, tap Approve. You will then see the screen below.
You will see a confirmation of your registration like the screen below. You can now close the
window.
2. Enroll in Microsoft Authenticator using only a Mobile Device
2.1 Start the Enrollment Process / Prerequisites

Since the enrollment process is being done exclusively on the mobile device, follow the steps to
download Microsoft Authenticator for your iPhone (Section 1.3) or for your Android device (1.4)
before continuing to the next section. If you are not going to use Microsoft Authenticator for the
purposes of MFA and prefer to only use SMS or phone based authentication, please proceed to
Section 3.

2.2 Log in

Once the app has been installed, open your web browser on your device and click here
(https://aka.ms/mfasetup)

Once the website is loaded, type in your Honeywell email address or the email address that is
associated with your EID.

Once you entered in your email, enter in your password as shown below.
You should see the following screen below. Simply tap Next to continue.
2.3 Enrollment/Activation

Since Microsoft Authenticator is already installed (Refer to 2.1 for mention of the prerequisites), tap
Next to continue.

One the next screen, tap the link that says “Pair your account to the app by clicking this link.”
Microsoft Authenticator will be activated. Please wait patiently for the activation process can
complete. Once it is completed, tap Next.
You will now get a notification on your mobile device. When you receive the notification, tap
Approve. When you see the Notification Approved with a green check mark, tap Next.
The next few steps you may see. However, if you don’t see the next three screenshots, you can skip
to the end of this section.

If you see the below screen, you have an option of registering a phone number. Select your country
and enter your phone number. Then select the option of how you want to receive the code (text or
call) and then tap Next.
If you selected a text message, look for the code on your device for the text. Otherwise, answer the
phone when it is called and make a note of the code to enter the phone. Once you have entered the
code in the phone, tap Next.
Tap Next to confirm the registration of your phone number.
You will get a confirmation that your device is now registered like the one below. Tap Done to
complete the process.
 3. Enroll in Azure MFA for Text or Phone-Based Passcodes Only
If you are not able to use the Microsoft Authenticator app on a mobile device, you can just register a
phone number to receive a call or a text message.

To begin, follow the steps in Section 1.1 and 1.2 up until the below screen.

Now at the bottom of the screen, you will see “I want to set up a different method” as shown below.
Then select the “Phone” and then click Confirm.
On the screen below, select your country and enter your phone number. Then select the option of
how you want to receive the code (text or call) and then tap Next.
Once you have received the passcode either by text or by phone, enter it into the screen similar to
the one below. Then click Next.
When you see the below screen, you have confirmed your phone number registration. At this point,
there’s no need to continue. By clicking Next, you’ll start the app registration process. Just simply
close the browser window to end the process.
 4. Authenticating through Azure MFA using Alternative Methods
If at any point you are unable to use the Microsoft Authenticator app on your mobile device, you can use
an alternative method to complete the MFA process. To do this, you must already have another
authentication method registered with Azure MFA. Section 5 of this guide will walk you through the
steps to enroll in additional authentication methods.

IMPORTANT NOTE: It is strongly recommended to take this step while your primary authentication
method is functional to ensure continuous access to systems and able to use MFA when required. Failure
to register another authentication method as a backup will require you to open a ticket with Ask Red if
your primary authentication method is not functional for any reason. As noted above, Section 5 of this
guide will outline the steps to register a backup authentication method.

To use an alternative method, follow the below steps.

1. Log on to the resource that is protected by Azure MFA (such as portal.office.com)

2. Type in your email address (if prompted) and click Next. If not prompted, skip to Step 3.

3. If not prompted, you will see the screen below. Type in your LDAP password and click Sign In.

4. When you see the following screen, click on “I can’t use my Microsoft Authenticator app right now”
5. If you registered another authentication method, it will show as it does in the below screenshot. In the
case below, a phone number was registered along with the Microsoft Authenticator app. Select an
alternative option to continue.

6. In this case, the text option was selected. You will see the below screen to enter in a code that was
text to your phone. Please enter in the code provided and click Verify. If it was properly typed in
within 30 seconds, you will be successfully authenticated.
IMPORTANT NOTE – If you did not enroll in a backup authentication method or if the number you see
on the screen does not match a number that is in your possession, you must open a ticket with Ask Red
for assistance.
 5. Add, Remove, Modify and Change Default Authentication Methods
In this section, you can modify your authentication methods. To do this, you should have at least one
working authentication method available in case you are prompted for MFA. You are more likely to be
prompted for MFA if you are not on VPN.

1. Open your web browser and type in https://myaccount.microsoft.com

2. If you are not currently logged in, you should see the below screen to enter in your password.
Otherwise, you can skip to Step 5.

3. If you are prompted for MFA, you should see a screen like the one below. The screen below
assumes you are using Microsoft Authenticator. If you are using Microsoft Authenticator tap
Approve on your phone to continue. If you are using SMS or another authentication method
where you must type in a code, you would type it in at this step.

4. Click on “Update Info” in the Security Info section.

You will now see the below screen. You can now add, modify, or remove an authentication method.

5.1 Adding an Authentication Method

To add an authentication method, follow the below steps:

1. In the Security Info section, click “Add Method.”

2. You will see the screen depicted below. Select the method you would like to add. For the purposes of
this guide, click “Authenticator app”.
3. Click Next. Make sure you have the Microsoft Authenticator app installed on your mobile device
before continuing. You can obtain the app from the App Store (iPhone) or the Google Play Store
(Android.)

4. Follow the instructions on the screen below on your Microsoft Authenticator app and then click Next.
5. Use your mobile device and scan the QR code on your screen. DO NOT SCAN THE QR CODE IN
THIS GUIDE AS THIS QR CODE IS NOT FOR YOUR ACCOUNT. Then click Next to continue.

6. You will see the below screen and will be prompted on your mobile device to accept the notification.
Tap “Accept” on your mobile device.
7. When you have approved the notification on your mobile device, you will see the below screen and
click Next.

8. You will be returned to the Security Info screen showing your new authentication method listed.

5.2 Removing an Authentication Method

If you are changing devices soon or just have an authentication method that is no longer valid, you
can remove its registration. To remove an authentication method currently registered on your
account, follow the below steps:

1. On the screen below, locate the method you wish to delete and click the “Delete.”
2. Click “Ok” to confirm the deletion.

5.3 Modifying an Authentication Method – Phone Number

If you have a phone number registered as an authentication method and you wish to modify it to
another number (but not adding a separate number), you can follow the below steps:

1. From the Security Info screen, find the entry for the phone number you want to modify.
2. Click the “Change” link.
3. You can modify the phone number on the following screen. Once you have modified the phone
number, you can have the system either call or send a text message to verify the number. Choose the
option and click Next.
4. You are prompted to provide the one-time passcode either by voice or by SMS. When you receive the
code, type it in the box and click Next.

5. Once the code has been verified, you will get a confirmation on the screen. Click Done to complete
the process.

5.4 Changing the Default Authentication Method

If you want to change the default way you want to authenticate (for instance, if you are currently
using a phone number for a text message or a phone call but you want to use Microsoft
Authenticator notifications as the default), follow the below steps:

1. At the main Security info screen shown below, on the line that says “Default sign-in method”, click
“Change.”
2. From the dropdown, select the authentication method you want to make the default. Once you have
selected the default method of your choice, click “Confirm.”

3. You will see a confirmation on your screen that the default method has been changed.
6. Azure MFA Frequently Asked Questions
This section is to address commonly asked questions regarding Azure MFA, Microsoft Authenticator, and
other topics It is important to review this section, along with the Troubleshooting section, to answer
questions or address issues you may have before opening a ticket with Ask Red.

Q: What is Azure MFA?

Azure MFA is a multi-factor authentication solution from Microsoft that provides an additional layer
of security during the authentication process when accessing resources such as Office 365.

Q: How does Azure MFA provide additional security during a login process?

Azure MFA provides additional security through requiring the user to complete an additional step in
the authentication process to reduce the likelihood of your account being compromised.

Q: What is the Microsoft Authenticator app?

Microsoft Authenticator is application for iPhone and Android devices that allows Azure MFA to push
an “One Time Password” notification to your device, providing the second factor in the
authentication process. When the notification arrives on your phone, you can approve or reject the
login attempt.

Q: Is Microsoft Authenticator necessary to use Azure MFA?

Yes, Microsoft Authenticator is required on your mobile device for the highest level of security while
providing the easiest user experience when using Azure MFA.

Q: Can Microsoft Authenticator be installed on a computer?

No, it cannot be installed on a computer. The app must be installed on an iPhone or an Android
device.

Q: Do I need to have a mobile device to install the Microsoft Authenticator app?

Yes, you will need a mobile device (i.e., iPhone or Android) to install Microsoft Authenticator.

Q: Can I have multiple devices with Microsoft Authenticator installed?

Yes, you can install Microsoft Authenticator on multiple devices (e.g., a company and a personal
mobile device). You will need to complete the enrollment instructions by clicking here and/or here,
depending on your user experience.

Q: If I have two devices with Microsoft Authenticator installed, will notifications come to both
devices?

Yes, when you have multiple devices with Microsoft Authenticator installed, each of those devices
will receive a notification prompt when you need to complete an authentication process. You will
only need to use one of the devices to approve the notification and complete the authentication
process.

Q: Can I use a phone number instead of using the Microsoft Authenticator app on the mobile
device?

You can use a phone number instead of the Microsoft Authenticator app. However, using the
Microsoft Authenticator app is the easiest mode to complete MFA.

Q: How is Azure MFA different from using MobilePass?

MobilePass and Azure MFA are both MFA solutions. However, when used with the Microsoft
Authenticator app, Azure MFA does not require the need to enter in token codes. In addition, you
can enroll your mobile device without being on the corporate network to request a token or an MFA
administrator to provision the token for you, as is the current situation with MobilePass.

Q: Is MobilePass being replaced by Azure MFA?

Yes. Over time, MobilePass is being phased out and Azure MFA will be used to serve Honeywell’s
MFA needs.

Q: Why are we replacing MobilePass with Azure MFA?

We are replacing MobilePass with Azure MFA to provide an easier, simpler user experience,
empowering the user to control their MFA without much administrative assistance, streamlining
various processes such as onboarding new employees and contractors, increasing account, system,
and resource security, and strengthening synergies with other Microsoft products Honeywell
currently uses just to name a few benefits. We believe these benefits that Azure MFA provides will
prove to be superior to the benefits that have been observed with MobilePass.

Q: What is the timeline to replace MobilePass with Azure MFA?

We are currently engaged in a pilot of the Azure MFA solution. At this time, Azure MFA is being
used for Azure-related apps but this will expand as the footprint of the solution expands. We expect
to begin mass enrollment of Azure MFA during the second half of 2021.

Q: I currently have a MobilePass token on my computer. Does Azure MFA have a similar
arrangement?

No. Azure MFA does not support tokens on a computer.

Q: Can I use MobilePass and Azure MFA at the same time?

Yes. During this transition period, some resources that are protected by MFA will still be protected
by MobilePass. Microsoft-related products and solutions, such as Office 365, will be protected by
Azure MFA. However, going forward, Azure MFA will be the primary MFA solution for Honeywell.

Q: I want to enroll in Azure MFA. How do I enroll?

You can obtain the instructions on how to enroll in Azure MFA by clicking here. If you do not have
access to a computer to enroll, please use Section 2 to enroll.

Q: The screens provided in the instructions do not match what I see on my screen. What
should I do?

If the enrollment instructions do not align with what you see on your screen, you may already be
enrolled. Please see Section 5 to make other changes to your enrolled authentication methods.

Q: I do not have a Honeywell-issued mobile device. Can I use Azure MFA on my personal
device?

Absolutely! You can use your personal mobile device by downloading Microsoft Authenticator and
completing the enrollment instructions here.

Q: Is it mandatory to use my personal phone to install Microsoft Authenticator?

No, you are NOT required to use your personal device. You are free to use any supported device. If
you choose to not install the app on your personal device and you do not have a Honeywell device,
an alternative method will be available to use to perform MFA.

Q: If I use my personal device for Azure MFA by installing Microsoft Authenticator, will any of
my personal information be collected?

According to Microsoft, the Microsoft Authenticator app collects three types of data – account
information you provide, diagnostic data, and non-personally identifiable data. None of this data is
sent to Microsoft until you specifically choose to “Send Feedback” in the app. For more details from
Microsoft, click here and scroll to the section named “Delete Stored Data.”

Q: I see an option to “Enable Phone sign-in.” Should I enable this?

This is a passwordless feature that Microsoft has implemented to replace passwords. However, this is
not enabled or in use at Honeywell. You cannot activate or use this feature.

Q: Who can I contact if I have further questions on Azure MFA?

Please open a ticket with the Ask Red with any questions.
7. Azure MFA Troubleshooting Guide
This section provides guidance for you to diagnose an issue you may be having with Azure MFA.
Please review the various issues in this guide and see if it is applicable to your situation. Attempt the
steps noted in the “What to Do” column. If you are still having issues, use Ask Red to open a ticket
so your issue can be addressed.
Issue
I am new to Honeywell and I have been issued a
mobile device and a laptop.
I am new to Honeywell and I have not been issued
a mobile device. I may or may not have a laptop.
I am new to Honeywell and was issued a mobile
device and/or laptop. However, I am having issues
logging into the system and/or to the Microsoft
portal to start the enrollment process.
I have a new phone with the same number and I
only had Microsoft Authenticator previously
registered. I can no longer use Microsoft
Authenticator.
I have a new phone with the same number. I
previously registered my device for Microsoft
Authenticator as well as my phone number. I can
no longer use Microsoft Authenticator.
I have a new phone and a different number. I have
previously enrolled in Microsoft Authenticator and
cannot log into Teams, Outlook, etc.
I have a new phone and a different number. I
previously used MobilePass and do not have my
MobilePass token on my mobile device.
My phone was reset or wiped. I am now unable to
use Microsoft Authenticator to log in. I did not
register my phone number as a backup
authentication method.
What to Do
Please complete the enrollment process by
following the steps in Section 1 or 2 of this guide.
Please complete the enrollment process by
following the steps in Section 1 or 2 of this guide.
If you have a personal computer you’d like to
complete the enrollment on, then follow the steps
in Section 1.
Please open a ticket through Ask Red to get your
issue resolved.
Please open a ticket through Ask Red to get your
issue resolved.
Please follow the steps in Section 4 to
authenticate using a text message. Once
completed, then use Section 5 to remove your old
device and register your new device.
Please open a ticket through Ask Red to get your
issue resolved.
Please open a ticket through Ask Red to get your
issue resolved.
Please open a ticket through Ask Red to get your
issue resolved.
My phone was reset or wiped. I am unable to use
Microsoft Authenticator to log in. I have a phone
number registered before my phone was reset or
wiped.
I am trying to register my device for Microsoft
Authenticator but I am getting a MobilePass
prompt and do not have a MobilePass token.
I am trying to register my device for Microsoft
Authenticator but I am getting a MobilePass
prompt and I have a functional MobilePass token.
I have registered my device for Microsoft
Authenticator but I am getting a MobilePass
prompt when I am logging in and required to use
MFA.
I have been migrated to InTune from AirWatch on
my company mobile device.
My device has been registered for Microsoft
Authenticator but I have previously rejected a
login attempt at some point. Now I cannot log in
at all.
I am not getting any notification prompts on my
mobile device.
I have registered two devices for Microsoft
Authenticator. Both devices are active and used
but only one is receiving notification prompts.
Please follow the steps to Section 4 to
authenticate using a text message. Once
completed, then use Section 5 to remove
Microsoft Authenticator and re-register your new
device.
Log onto VPN or be at Honeywell facility to
register your device for Microsoft Authenticator.
If you’re not able to get on VPN or be at a
Honeywell facility, please open a ticket through
Ask Red to get your issue resolved.
Since you have a functioning MobilePass token,
please use the MobilePass token to complete the
authentication process and continue the
registration process for Azure MFA.
You did not wait long enough as noted in Section
1. Please wait 15-30 minutes before attempting to
log in.
If you still receive a MobilePass prompt at that
time, please open a ticket through Ask Red to get
your issue resolved.
Please complete the enrollment process by
following the step in Section 1 before accessing
the InTune portal.
Please open a ticket through Ask Red to get your
issue resolved.
Please verify the following:
1. You have a data/network/WI-Fi
connection on your mobile device.
2. Your notifications are enabled on your
mobile device.
3. Your mobile device is not on “Do Not
Disturb” or an equivalent mode.
 4. Your mobile device does not have
applications that suppress notifications.

If all of these have been verified, restart your

mobile device and try again.

If all the above fails, please open a ticket through

Ask Red to get your issue resolved.

I would like to stop using Azure MFA. Since MFA is a security requirement, you cannot
stop using or disable MFA.

I would like to set up Azure MFA on my computer This situation is addressed in Section 6 of this
like having a MobilePass token on my computer. guide.