
Azure Mfa Enrollment Process

Uploaded by

saitawade

AZURE MFA CONFIGURATION AND OPERATION GUIDE
This guide serves as your source for all information regarding Azure MFA. In this guide, you
will find information on enrolling in Azure MFA, adding, removing, or modifying
authentication methods, frequently asked questions, and a troubleshooting guide to assist
with issues you may have in using Azure MFA.

Before beginning these steps, please take a moment to do the following:

1. Look at the Azure MFA Frequently Asked Questions (FAQ) guide in Section 6 of this guide.
2. Look at the Azure MFA Troubleshooting Guide in Section 7 of this guide.
3. Read the sections of this guide that are applicable to your situation before continuing.

The screenshots in this guide are provided for guidance purposes and are subject to
change at any time, as the system is developed and owned by Microsoft. Use your best
judgment, as your screen(s) and experience may vary from the screenshots
provided in this guide. For any questions, comments or concerns regarding, but not limited
to, the content of this guide, how to improve it, and/or Azure MFA in general, please open a
ticket using Service Now.

Welcome to Azure MFA!


Table of Contents
1. Enroll in Microsoft Authenticator using Your Computer
   1.1 Start the Enrollment Process
   1.2 Log in
   1.3 Download the Microsoft Authenticator App (iPhone)
   1.4 Download the Microsoft Authenticator App (Android)
   1.5 Scan QR Code
   1.6 Approve Notification Prompt
2. Enroll in Microsoft Authenticator using only a Mobile Device
   2.1 Start the Enrollment Process / Prerequisites
   2.2 Log in
   2.3 Enrollment/Activation
3. Enroll in Azure MFA for Text or Phone-Based Passcodes Only
4. Authenticating through Azure MFA using Alternative Methods
5. Add, Remove, Modify and Change Default Authentication Methods
   5.1 Adding an Authentication Method
   5.2 Removing an Authentication Method
   5.3 Modifying an Authentication Method – Phone Number
   5.4 Changing the Default Authentication Method
6. Azure MFA Frequently Asked Questions
7. Azure MFA Troubleshooting Guide

1. Enroll in Microsoft Authenticator using Your Computer
1.1 Start the Enrollment Process
To begin the enrollment process to set up your mobile device to use Microsoft
Authenticator, please click here (https://aka.ms/mfasetup).

This will be done on your computer. Please note the screens in the following sections
may vary depending on your experience and if you already have a registered
authentication method.

1.2 Log in
Once you have clicked the link in Section 1.1, you may or may not be prompted to
log in. If you are prompted to log in, you should see a screen like the one below.
Enter your Rich’s email address or the email address associated with your Rich’s
EID account and click Next.

Now enter your password associated with that account.


Once you have entered your password, you should see the below screen. Simply click Next.

On your computer, if you are not registered, you will see the below screen. If you
don’t see the below screen, please click here for alternate steps. Depending on the
type of phone you have, please follow section 1.3 (Microsoft Authenticator app for
iPhone) or section 1.4 (Microsoft Authenticator app for Android) to enroll.
1.3 Download the Microsoft Authenticator App (iPhone)
To install Microsoft Authenticator on your iPhone, go to the App Store.

Once in the App Store, search for Microsoft Authenticator.


Tap the cloud icon (or GET button, whichever one is available) to download Microsoft
Authenticator.
Once Microsoft Authenticator has been downloaded, tap the Open button.

1.4 Download the Microsoft Authenticator App (Android)


To install Microsoft Authenticator on your Android device, go to the Google Play Store.

Once in the Play Store, search for Microsoft Authenticator. You will see it show in the
search results. Tap Install when you see the screen below.
Once installed, tap Open to open the Microsoft Authenticator app.
1.5 Scan QR Code
Once the app is open, you should be greeted with the ‘Add Account’ button. Tap the
‘Add Account’ button.
Tap ‘Work or School Account.’

Tap ‘Scan QR Code’ as shown below. If you are prompted to authorize access to the
camera, allow access.
Once you have authorized access to the camera, you will see this screen below.
Keep this screen on your phone as you will need your phone later to scan the QR
code.
1.6 Approve Notification Prompt
On your computer, click Next from the last screen in Section 1.2. You will see the
below screen. Since this step has already been done, click Next.

At the screen below, take your phone and scan the QR code. You should still have
the scanner up on your phone from Section 1.5. DO NOT SCAN THE QR CODE
IN THIS DOCUMENT AS THIS CODE IS NOT FOR YOUR ACCOUNT. Once you
have scanned the QR code, click Next.
Once you have scanned the QR code and see that your phone has updated and shows “Rich” on
your device (you may see a six-digit code on the mobile device), click Next on the
computer.

You will now get a notification prompt on your mobile device. When you see the
mobile device prompt, tap Approve. You will then see the screen below.
You will see a confirmation of your registration like the screen below. You can now
close the window.
2. Enroll in Microsoft Authenticator using only a Mobile Device
2.1 Start the Enrollment Process / Prerequisites

Since the enrollment process is being done exclusively on the mobile device, follow the
steps to download Microsoft Authenticator for your iPhone (Section 1.3) or for your
Android device (1.4) before continuing to the next section. If you are not going to use
Microsoft Authenticator for the purposes of MFA and prefer to only use SMS or phone
based authentication, please proceed to Section 3.

2.2 Log in
Once the app has been installed, open your web browser on your device
and click here (https://aka.ms/mfasetup).

Once the website is loaded, type in your Rich’s email address or the email address that
is associated with your EID.

Once you have entered your email, enter your password as shown below.
You should see the following screen below. Simply tap Next to continue.
2.3 Enrollment/Activation
Since Microsoft Authenticator is already installed (Refer to 2.1 for mention of the
prerequisites), tap Next to continue.

On the next screen, tap the link that says “Pair your account to the app by
clicking this link.” Microsoft Authenticator will be activated. Please wait patiently
for the activation process to complete. Once it is completed, tap Next.
You will now get a notification on your mobile device. When you receive the notification,
tap Approve. When you see the Notification Approved with a green check mark, tap
Next.
You may see the next few steps. However, if you don’t see the next three screenshots, you
can skip to the end of this section.

If you see the below screen, you have an option of registering a phone number. Select
your country and enter your phone number. Then select the option of how you want to
receive the code (text or call) and then tap Next.
If you selected a text message, look for the text with the code on your device. Otherwise,
answer the phone when it is called and make a note of the code to enter on the phone.
Once you have entered the code on the phone, tap Next.
Tap Next to confirm the registration of your phone number.
You will get a confirmation that your device is now registered like the one below. Tap
Done to complete the process.
3. Enroll in Azure MFA for Text or Phone-Based Passcodes Only
If you are not able to use the Microsoft Authenticator app on a mobile device, you can just
register a phone number to receive a call or a text message.

To begin, follow the steps in Section 1.1 and 1.2 up until the below screen.

Now at the bottom of the screen, you will see “I want to set up a different method” as
shown below. Select “Phone” and then click Confirm.
On the screen below, select your country and enter your phone number. Then select the
option of how you want to receive the code (text or call) and then tap Next.
Once you have received the passcode either by text or by phone, enter it into the
screen similar to the one below. Then click Next.
When you see the below screen, you have confirmed your phone number registration.
At this point, there’s no need to continue. By clicking Next, you’ll start the app
registration process. Just simply close the browser window to end the process.
4. Authenticating through Azure MFA using Alternative Methods
If at any point you are unable to use the Microsoft Authenticator app on your mobile device,
you can use an alternative method to complete the MFA process. To do this, you must
already have another authentication method registered with Azure MFA. Section 5
of this guide will walk you through the steps to enroll in additional authentication methods.

IMPORTANT NOTE: It is strongly recommended to take this step while your primary
authentication method is functional, to ensure continuous access to systems and the ability to
use MFA when required. Failure to register another authentication method as a backup will
require you to open a ticket with Ask Red if your primary authentication method is not
functional for any reason. As noted above, Section 5 of this guide will outline the steps to
register a backup authentication method.

To use an alternative method, follow the below steps.

1. Log on to the resource that is protected by Azure MFA (such as portal.office.com)

2. Type in your email address (if prompted) and click Next. If not prompted, skip to Step 3.

3. If not prompted, you will see the screen below. Type in your LDAP password and click Sign In.

4. When you see the following screen, click on “I can’t use my Microsoft Authenticator app right now.”
5. If you registered another authentication method, it will show as it does in the below
screenshot. In the case below, a phone number was registered along with the Microsoft
Authenticator app. Select an alternative option to continue.

6. In this case, the text option was selected. You will see the below screen to enter the
code that was texted to your phone. Please enter the code provided and click Verify.
If it was properly typed in within 30 seconds, you will be successfully authenticated.
IMPORTANT NOTE – If you did not enroll in a backup authentication method or if the
number you see on the screen does not match a number that is in your possession, you
must open a ticket with Ask Red for assistance.
5. Add, Remove, Modify and Change Default Authentication Methods
In this section, you can modify your authentication methods. To do this, you should have at
least one working authentication method available in case you are prompted for MFA. You
are more likely to be prompted for MFA if you are not on VPN.

1. Open your web browser and type in https://myaccount.microsoft.com


2. If you are not currently logged in, you should see the below screen to enter in
your password. Otherwise, you can skip to Step 5.

3. If you are prompted for MFA, you should see a screen like the one below. The
screen below assumes you are using Microsoft Authenticator. If you are using
Microsoft Authenticator tap Approve on your phone to continue. If you are using
SMS or another authentication method where you must type in a code, you
would type it in at this step.

4. Click on “Update Info” in the Security Info section.


You will now see the below screen. You can now add, modify, or remove an authentication method.

5.1 Adding an Authentication Method


To add an authentication method, follow the below steps:

1. In the Security Info section, click “Add Method.”


2. You will see the screen depicted below. Select the method you would like to add. For the
purposes of this guide, click “Authenticator app”.
3. Click Next. Make sure you have the Microsoft Authenticator app installed on your
mobile device before continuing. You can obtain the app from the App Store
(iPhone) or the Google Play Store (Android.)

4. Follow the instructions on the screen below on your Microsoft Authenticator app and then click Next.
5. Use your mobile device and scan the QR code on your screen. DO NOT SCAN THE
QR CODE IN THIS GUIDE AS THIS QR CODE IS NOT FOR YOUR ACCOUNT.
Then click Next to continue.

6. You will see the below screen and will be prompted on your mobile device to accept the
notification. Tap “Accept” on your mobile device.
7. When you have approved the notification on your mobile device, you will see the
below screen and click Next.

8. You will be returned to the Security Info screen showing your new authentication method listed.

5.2 Removing an Authentication Method


If you are changing devices soon or just have an authentication method that is no
longer valid, you can remove its registration. To remove an authentication method
currently registered on your account, follow the below steps:

1. On the screen below, locate the method you wish to delete and click “Delete.”
2. Click “Ok” to confirm the deletion.

5.3 Modifying an Authentication Method – Phone Number


If you have a phone number registered as an authentication method and you wish to
change it to another number (rather than adding a separate number), you can follow the
below steps:

1. From the Security Info screen, find the entry for the phone number you want to modify.
2. Click the “Change” link.
3. You can modify the phone number on the following screen. Once you have modified the
phone number, you can have the system either call or send a text message to verify the
number. Choose the option and click Next.
4. You are prompted to provide the one-time passcode either by voice or by SMS. When
you receive the code, type it in the box and click Next.

5. Once the code has been verified, you will get a confirmation on the screen. Click Done
to complete the process.

5.4 Changing the Default Authentication Method


If you want to change the default way you want to authenticate (for instance, if you
are currently using a phone number for a text message or a phone call but you want to
use Microsoft Authenticator notifications as the default), follow the below steps:

1. At the main Security info screen shown below, on the line that says “Default sign-in
method”, click “Change.”
2. From the dropdown, select the authentication method you want to make the default.
Once you have selected the default method of your choice, click “Confirm.”

3. You will see a confirmation on your screen that the default method has been changed.
6. Azure MFA Frequently Asked Questions
This section addresses commonly asked questions regarding Azure MFA, Microsoft
Authenticator, and other topics. It is important to review this section, along with the
Troubleshooting section, to answer questions or address issues you may have before
opening a ticket with Ask Red.

Q: What is Azure MFA?

Azure MFA is a multi-factor authentication solution from Microsoft that provides an
additional layer of security during the authentication process when accessing resources
such as Office 365.

Q: How does Azure MFA provide additional security during a login process?

Azure MFA provides additional security through requiring the user to complete an
additional step in the authentication process to reduce the likelihood of your account
being compromised.

Q: What is the Microsoft Authenticator app?

Microsoft Authenticator is an application for iPhone and Android devices that allows Azure
MFA to push a “One Time Password” notification to your device, providing the second
factor in the authentication process. When the notification arrives on your phone, you
can approve or reject the login attempt.

Q: Is Microsoft Authenticator necessary to use Azure MFA?

Yes, Microsoft Authenticator is required on your mobile device for the highest level of
security while providing the easiest user experience when using Azure MFA.

Q: Can Microsoft Authenticator be installed on a computer?

No, it cannot be installed on a computer. The app must be installed on an iPhone or an
Android device.

Q: Do I need to have a mobile device to install the Microsoft Authenticator app?

Yes, you will need a mobile device (i.e., iPhone or Android) to install Microsoft Authenticator.

Q: Can I have multiple devices with Microsoft Authenticator installed?

Yes, you can install Microsoft Authenticator on multiple devices (e.g., a company and a
personal mobile device). You will need to complete the enrollment instructions by
clicking here and/or here, depending on your user experience.

Q: If I have two devices with Microsoft Authenticator installed, will
notifications come to both devices?

Yes, when you have multiple devices with Microsoft Authenticator installed, each of
those devices will receive a notification prompt when you need to complete an
authentication process. You will only need to use one of the devices to approve the
notification and complete the authentication process.

Q: Can I use a phone number instead of using the Microsoft Authenticator app
on the mobile device?

You can use a phone number instead of the Microsoft Authenticator app. However,
using the Microsoft Authenticator app is the easiest mode to complete MFA.

Q: How is Azure MFA different from using MobilePass?

MobilePass and Azure MFA are both MFA solutions. However, when used with the
Microsoft Authenticator app, Azure MFA does not require the need to enter in token
codes. In addition, you can enroll your mobile device without being on the corporate
network to request a token or an MFA administrator to provision the token for you, as is
the current situation with MobilePass.

Q: Is MobilePass being replaced by Azure MFA?

Yes. Over time, MobilePass is being phased out and Azure MFA will be used to serve Rich’s
MFA needs.

Q: Why are we replacing MobilePass with Azure MFA?

We are replacing MobilePass with Azure MFA to provide an easier, simpler user
experience, empowering the user to control their MFA without much administrative
assistance, streamlining various processes such as onboarding new employees and
contractors, increasing account, system, and resource security, and strengthening
synergies with other Microsoft products Rich currently uses, just to name a few
benefits. We believe the benefits that Azure MFA provides will prove to be superior
to the benefits that have been observed with MobilePass.

Q: What is the timeline to replace MobilePass with Azure MFA?


We are currently engaged in a pilot of the Azure MFA solution. At this time, Azure
MFA is being used for Azure-related apps but this will expand as the footprint of the
solution expands. We expect to begin mass enrollment of Azure MFA during the second
half of 2021.

Q: I currently have a MobilePass token on my computer. Does Azure MFA have
a similar arrangement?

No. Azure MFA does not support tokens on a computer.

Q: Can I use MobilePass and Azure MFA at the same time?

Yes. During this transition period, some resources that are protected by MFA will still
be protected by MobilePass. Microsoft-related products and solutions, such as Office
365, will be protected by Azure MFA. However, going forward, Azure MFA will be the
primary MFA solution for Rich.

Q: I want to enroll in Azure MFA. How do I enroll?


You can obtain the instructions on how to enroll in Azure MFA by clicking here. If you do
not have access to a computer to enroll, please use Section 2 to enroll.

Q: The screens provided in the instructions do not match what I see on my
screen. What should I do?

If the enrollment instructions do not align with what you see on your screen, you may
already be enrolled. Please see Section 5 to make other changes to your enrolled
authentication methods.

Q: I do not have a Rich-issued mobile device. Can I use Azure MFA on my
personal device?

Absolutely! You can use your personal mobile device by downloading Microsoft
Authenticator and completing the enrollment instructions here.

Q: Is it mandatory to use my personal phone to install Microsoft Authenticator?

No, you are NOT required to use your personal device. You are free to use any
supported device. If you choose to not install the app on your personal device and you
do not have a Rich device, an alternative method will be available to use to perform
MFA.

Q: If I use my personal device for Azure MFA by installing Microsoft
Authenticator, will any of my personal information be collected?

According to Microsoft, the Microsoft Authenticator app collects three types of data –
account information you provide, diagnostic data, and non-personally identifiable data.
None of this data is sent to Microsoft until you specifically choose to “Send Feedback” in
the app. For more details from Microsoft, click here and scroll to the section named
“Delete Stored Data.”

Q: I see an option to “Enable Phone sign-in.” Should I enable this?

This is a passwordless feature that Microsoft has implemented to replace passwords.
However, this is not enabled or in use at Rich. You cannot activate or use this feature.

Q: Who can I contact if I have further questions on Azure MFA?


Please open a ticket with Ask Red with any questions.
7. Azure MFA Troubleshooting Guide

This section provides guidance for you to diagnose an issue you may be having with
Azure MFA. Please review the various issues in this guide and see if it is applicable to
your situation. Attempt the steps noted in the “What to Do” column. If you are still
having issues, use Ask Red to open a ticket so your issue can be addressed.

Issue: I am new to Rich and I have been issued a mobile device and a laptop.
What to Do: Please complete the enrollment process by following the steps in Section 1 or 2 of this guide.

Issue: I am new to Rich and I have not been issued a mobile device. I may or may not have a laptop.
What to Do: Please complete the enrollment process by following the steps in Section 1 or 2 of this guide. If you have a personal computer you’d like to complete the enrollment on, then follow the steps in Section 1.

Issue: I am new to Rich and was issued a mobile device and/or laptop. However, I am having issues logging into the system and/or to the Microsoft portal to start the enrollment process.
What to Do: Please open a ticket through Ask Red to get your issue resolved.

Issue: I have a new phone with the same number and I only had Microsoft Authenticator previously registered. I can no longer use Microsoft Authenticator.
What to Do: Please open a ticket through Ask Red to get your issue resolved.

Issue: I have a new phone with the same number. I previously registered my device for Microsoft Authenticator as well as my phone number. I can no longer use Microsoft Authenticator.
What to Do: Please follow the steps in Section 4 to authenticate using a text message. Once completed, then use Section 5 to remove your old device and register your new device.

Issue: I have a new phone and a different number. I have previously enrolled in Microsoft Authenticator and cannot log into Teams, Outlook, etc.
What to Do: Please open a ticket through Ask Red to get your issue resolved.

Issue: I have a new phone and a different number. I previously used MobilePass and do not have my MobilePass token on my mobile device.
What to Do: Please open a ticket through Ask Red to get your issue resolved.

Issue: My phone was reset or wiped. I am now unable to use Microsoft Authenticator to log in. I did not register my phone number as a backup authentication method.
What to Do: Please open a ticket through Ask Red to get your issue resolved.

Issue: My phone was reset or wiped. I am unable to use Microsoft Authenticator to log in. I have a phone number registered before my phone was reset or wiped.
What to Do: Please follow the steps in Section 4 to authenticate using a text message. Once completed, then use Section 5 to remove Microsoft Authenticator and re-register your new device.

Issue: I am trying to register my device for Microsoft Authenticator but I am getting a MobilePass prompt and do not have a MobilePass token.
What to Do: Log onto VPN or be at a Rich facility to register your device for Microsoft Authenticator. If you’re not able to get on VPN or be at a Rich facility, please open a ticket through Ask Red to get your issue resolved.

Issue: I am trying to register my device for Microsoft Authenticator but I am getting a MobilePass prompt and I have a functional MobilePass token.
What to Do: Since you have a functioning MobilePass token, please use the MobilePass token to complete the authentication process and continue the registration process for Azure MFA.

Issue: I have registered my device for Microsoft Authenticator but I am getting a MobilePass prompt when I am logging in and required to use MFA.
What to Do: You did not wait long enough as noted in Section 1. Please wait 15-30 minutes before attempting to log in. If you still receive a MobilePass prompt at that time, please open a ticket through Ask Red to get your issue resolved.

Issue: I have been migrated to InTune from AirWatch on my company mobile device.
What to Do: Please complete the enrollment process by following the step in Section 1 before accessing the InTune portal.

Issue: My device has been registered for Microsoft Authenticator but I have previously rejected a login attempt at some point. Now I cannot log in at all.
What to Do: Please open a ticket through Ask Red to get your issue resolved.

Issue: I am not getting any notification prompts on my mobile device.
Issue: I have registered two devices for Microsoft Authenticator. Both devices are active and used but only one is receiving notification prompts.
What to Do: Please verify the following:
1. You have a data/network/Wi-Fi connection on your mobile device.
2. Your notifications are enabled on your mobile device.
3. Your mobile device is not on “Do Not Disturb” or an equivalent mode.
4. Your mobile device does not have applications that suppress notifications.
If all of these have been verified, restart your mobile device and try again. If all the above fails, please open a ticket through Ask Red to get your issue resolved.

Issue: I would like to stop using Azure MFA.
What to Do: Since MFA is a security requirement, you cannot stop using or disable MFA.

Issue: I would like to set up Azure MFA on my computer like having a MobilePass token on my computer.
What to Do: This situation is addressed in Section 6 of this guide.
