How to enable strong authentication (MFA)

At Jamk, strong authentication is required in several services. Strong authentication (MFA) makes logging in to services safer, because it can prevent access to your O365 account even if the ID/password is compromised. In addition to the regular username and password, a separate confirmation is required using a mobile app. Alternative methods are a one-time code, a text message, or a phone call. More details about why MFA is necessary can be found here.

Things to notice

After enabling MFA, some old, incompatible applications may not work. Examples include some phone manufacturers' own customized email applications.

Jamk’s ICT services recommend the following supported and tested applications:

  • Windows: Office 2016 or newer, Microsoft 365 Apps for enterprise (formerly known as Office 365 ProPlus)
  • Android: Microsoft Outlook
  • macOS: Apple Mail 12 or newer, Office 2016 or newer, Microsoft 365 for Mac
  • iOS: Microsoft Outlook

General introduction to enabling MFA

  • Enabling MFA only takes a few minutes.
  • You will need the mobile device to which you want MFA confirmation messages to be sent.
  • After starting the process, you will have a few minutes to complete it. If it is not completed quickly enough, the deployment may fail and the process will need to be started over.

Instructions for implementing MFA:

You can enable MFA for your account by logging in to Microsoft 365 and then following the instructions given there. You might also want to check the frequently asked questions at the end of this page.

This page explains the process in more detail. You can configure MFA either by using only a mobile phone or by using a combination of a mobile phone and a computer. Instructions for both methods are below; select the one you want.

Phone setup instructions

  1. Download the Microsoft Authenticator application to your phone.
  2. Use your phone’s browser to go to
    • Log in with your Jamk email address and password
  3. Click Next in the “More information required” box
  4. Select the link “Pair your account to the app by clicking this link” (picture 1)
     Picture 1: “Pair your account to the app by clicking this link”
  5. The Authenticator application opens and an information page appears after a while. Close the Authenticator application and return to the browser (picture 2).
     Picture 2: Authenticator application
  6. In the browser, select Next to request confirmation from your phone. By approving the request, you ensure that the connection is working (picture 3). Note: after 12.12.2022 you may also have to type in the code that is displayed on the login page.
     Picture 3: approval request on the phone
  7. You will receive the “Notification approved” message; click Next
  8. You will receive a “Success” message. Configuration is now complete
  9. You may close the browser at this point. If you press “Done”, the browser will go to the setup/details page
Phone and computer setup instructions

  1. Download the Microsoft Authenticator application to your phone.
    • The app can be found in the Android Play Store and the Apple App Store.
  2. Launch the Microsoft Authenticator application you installed
    • If you are launching the program for the first time, select “skip” for any questions it presents
    • In the application list the name is “Authenticator”
  3. Select “Add an account”
    • If the program has been used before, select “Add account” from the menu in the upper right corner
  4. Select “Work or school account”
    • To read the QR code, the phone may ask for permission to process images; select “Allow”
  5. Set the phone aside for a moment and use your computer’s browser to go to
    • If you are presented with a login screen, enter your email address and click “Next”
    • If necessary, log in with your password
  6. You will see the notice below stating that additional information is required
    • Make sure your Jamk email address is displayed under the logo (picture 1) and click “Next”
     Picture 1: “More information required”
  7. In the “Keep your account secure” box (picture 2), click Next
    • If you do not want to use Authenticator (the recommended method), you can select “I want to set up a different method” at the bottom, though this guide does not cover other MFA options.
     Picture 2: “Keep your account secure”
  8. Under “Microsoft Authenticator – Set up your account” (picture 3), click Next
     Picture 3: “Set up your account”
  9. Use your phone to scan the QR code that appears on your computer screen to associate your ID with the application.
    • Note: if the image cannot be scanned, press “can’t scan image” to manually enter the code displayed in the browser into your phone’s application.
  10. When the code has been successfully read or entered into the application, click “Next” in your computer’s browser
  11. The service confirms the application and you will receive a request for approval on your phone; select “Approve”
    • If the application asks for the phone lock code, enter it. You can remove this additional requirement from your Authenticator settings later.
    • If you get an error message at this point, delete the added account from your phone and start the process from the beginning (probably the service found that you weren’t quick enough). If needed, you can reset all MFA settings of your account by logging to
    • After 12.12.2022 you may also have to type in the code that is displayed on the login page.
  12. If the connection is successful, you will be notified “Notification approved”. Click Next.
  13. You will still receive a notification to connect. Fortunately, the deployment is now complete.

See the FAQ for more help and other tips.
New phone or problems with the Authenticator app?

You can add a new authentication method for your Office365 account at It is recommended to remove any unnecessary/unused authentication methods to keep your account secure (e.g. your old mobile devices that you no longer have access to).

If you no longer have access to your Authenticator app or it’s not working, you will need to reset your account MFA settings using these instructions.

Here are a few common questions and answers (FAQ).

    • How do I log in, when MFA is enabled?
      • You log in to the service with your username and password as usual, and then you also accept a notification on your phone. If for some reason the notification does not appear automatically, open the Microsoft Authenticator application. The request should show in the application. After entering the ID, you have about one minute to accept it on your phone.
    • I received an authentication request on my phone even though I wasn’t actually logging in to any service, what do I do?
      • Deny unknown login requests! However, first confirm that none of your devices is trying to log in to the service, such as your phone’s email application. Suspicious logins should be reported to Jamk ICT services, so that they can check where the login attempt came from.
    • I’m about to change my phone, what should I do?
      • Set up your new phone and follow these same instructions. Once Microsoft Authenticator is set up on your new phone and your account is linked to it, you can wipe and discard your old phone.
    • My phone was stolen/lost/broken, how can I reset my MFA settings?
    • I want to use my personal phone to accept logins, how do I do that?
      • No problem, you can also install and link the Authenticator app to your personal phone. Go to and click the “Set up Authenticator app” button. The process is the same as when you did this for the first time with your corporate phone. After this is done successfully, confirmation messages will appear on all linked devices (it doesn’t matter which one you use to accept the sign-in message).
    • Where can I check what devices I have linked to my account to use for MFA logins?
    • Why is MFA approval not required every time, and why on the other hand, does it sometimes happen more often than I would like?
      • There is no simple answer to this, but there is a multi-level risk assessment in the background that may require additional verification occasionally.
      • The local network on the Jamk campus area is configured as a trusted network, where we allow login using just the regular username and password without MFA.
    • Why do I get a verification message on my phone even when I sign in to service “X” that is not on O365?
      • Some third-party services are connected to Jamk’s O365 sign-in and these are subject to the same MFA requirements. These are some personnel/financial management services and also the electronic signature service. Systems that use HAKA login, like Peppi and Moodle, also require strong authentication.
    • Why did my phone stop synchronizing emails/calendar after enabling MFA? Why did I receive a message saying that the IT department has blocked access to my email?
      • Some email apps require the user to first remove the synchronization account from the phone settings and then add it again. Only after this does the app know that it has to use strong authentication.
      • After enabling MFA, some old, incompatible applications will not work. Examples include some phone manufacturers’ own email applications. In this case, install Outlook from the app store.
    • Why is the location information displayed in Authenticator not accurate?
      • The location information displayed in Authenticator is only informational. It is based on the network address and is not very accurate. If you are logging in at Jyväskylä and the map shows that you are in Tampere, it is not alarming, but if you are in Finland and the map shows a login from some other continent, then you know something is probably wrong.