Note: The article only includes selected verification methods and certain situations. Microsoft frequently changes things, so it is valid as of the publication date of the article.
Registration of Verification Methods
Registration of verification methods can be triggered in two ways:
- during login - if for some reason it is required to register or update user methods, the login process is interrupted, and a security information setup wizard is displayed
- in account settings - part of the user profile is the management of verification methods (security information), where we can manually register new methods
Setting Verification Methods During Login
Managing Verification Methods Within the Account
In the My Account portal there is a Security Info page. Here we see all the verification methods we have set up for account sign-in or password reset. We can edit or (in most cases) delete existing methods.
Note: The settings can also be reached via the MFA Setup link, which forces a fresh sign-in.
By clicking on + Add sign-in method we start the wizard for adding a new method.
In the first step, we choose the method we want to register.
Microsoft Authenticator
To register the Microsoft Authenticator app, choose Authenticator app and follow the wizard (in the first step, you can choose to install a non-Microsoft app).
On the phone, we need the app installed. In the top bar, click on + Add account. Choose Work or school account and Scan a QR code. Scan the code from the computer screen. The account will be added to the app.
Then it is necessary to approve the notification in the app by entering the number displayed on the computer.
This completes the registration of the verification method. For Microsoft Authenticator, a Push Notification is registered, which requires an internet connection. At the same time, the app is set up as a software token for generating an OATH verification code (which works offline).
Microsoft Authenticator (Phone Sign-in)
When we have the Microsoft Authenticator app registered to our account, we can set up a more secure and convenient option for passwordless sign-in. This method is referred to as Phone Sign-in.
Note: Microsoft Authenticator running on Android currently supports registration of only one account for Phone sign-in. On iOS devices, it is supported to register multiple accounts.
The prerequisites are that the mobile device is registered to our account and a screen lock is set (typically a PIN or fingerprint).
Phone sign-in is enabled in the Microsoft Authenticator app. Open the account and click on Set up phone sign-in (visible in the image above this chapter). Then we must sign in using MFA. If a prerequisite is not met, for example device registration, the app offers to complete it. Finally, the Phone sign-in setup is completed.
Whether we have the Phone sign-in method registered can be seen directly in the Microsoft Authenticator app, and also in the account settings under Security Info, where it appears as one of the two options.
FIDO2 Security Key
Registration of the FIDO2 security key is described in the article Sign-in with FIDO2 security key.
Windows Hello for Business
Windows Hello for Business is a special method and does not appear among the methods on the Security Info page (the administrator sees this method for the user in Entra ID). Registration is done in the operating system and is described in the article Windows Hello for Business - user settings and usage.
MFA Login Process
Account Identification (Email Entry)
When we sign in for the first time, we must enter our email address. Only for signing in with a FIDO2 security key is account identification not needed; we just click on Sign-in options and then Sign in with a security key.
If we have both a work and a personal account on the same email address, a prompt asks which of the two accounts to use.
During repeated sign-ins, the previously used account is usually offered, and we just need to select it.
User Authentication
If we have set up a passwordless sign-in method, it will be used in the next step. You may see an approval for sign-in using Microsoft Authenticator Phone Sign-in (entering two digits) or a Windows security dialog for signing in with a FIDO2 key.
In other cases, a dialog for entering a password as the first sign-in factor will appear. This is followed by a dialog for the configured second factor, such as approving the sign-in using Microsoft Authenticator Push Notification (entering two digits) or entering a verification code.
Changing the Verification Method
If we have multiple methods registered, we can always interrupt the currently used method and choose another one. In many dialog variants, there is an option Other ways to sign in or I can't use my Microsoft Authenticator app right now. In the Windows dialog for signing in with a FIDO2 key, we must first select Cancel.
Depending on whether we are in the passwordless sign-in step or have already entered the password, and of course, which methods we have registered, a different selection of available methods is offered.
Microsoft Authenticator (Phone Sign-in)
If we have set up passwordless sign-in using the Microsoft Authenticator app, a dialog for approving the sign-in in the app by entering the displayed digits should appear immediately after account identification.
If a password entry dialog appears, there should be a link Other ways to sign in, where we select Approve a request on my Microsoft Authenticator app.
Microsoft Authenticator (Push Notification)
The Microsoft Authenticator app can be used for classic MFA sign-in. This means that we identify the account and in the first step enter the password. Then we can use Push Notification, where a notification is sent to the app that we must approve. The process is exactly the same as with Phone Sign-in: a dialog Approve sign in with a number will appear, and we must enter the displayed number in the mobile app.
The difference is that with Push Notification we must first enter the password, which is sent over the internet. Phone Sign-in is more secure and convenient: we do not enter any password and sign in using an asymmetric key pair that is tied to the app and the mobile device.
Reporting Suspicious Activity - Blocking MFA Sign-in
In the notification in the Microsoft Authenticator app, there is also an option No, it's not me. If we use it, a dialog Report suspicious activity will appear. By selecting Report, MFA sign-in may be blocked, and it must then be unblocked by the organization administrator.
Verification Code - OATH One Time Password (OTP)
The second option for classic MFA sign-in is to enter a verification code (the Verification Code method). We can use the registered Microsoft Authenticator or a third-party app that supports OATH TOTP. A dialog for entering the code will appear.
Open the Microsoft Authenticator app on the mobile device and select our account. The current OTP code is displayed there, together with how many of its 30 seconds of validity remain. Enter the code into the sign-in dialog.
;-) Thank you for the nice description
:-) great ;-)