To increase the security of your M365 applications, such as Outlook, Teams and OneDrive, Multi-Factor Authentication (MFA) combined with conditional access will be activated on your University Microsoft 365 account on Monday 20 December 2021.

MFA is a two-step verification method for your online credentials that gives you an additional layer of security, over and above your username and password when working online.

However, by applying MFA with conditional access, you should not need to use your second verification method very often, as the additional security protection is only triggered by new risky logins.

For example, if you are accessing your University Microsoft 365 account from a trusted location such as the University campus or device you normally use), you will not need to re-authenticate to access your account. However new sign-ins considered to be at risk would require verification using multi-factor authentication, for example, a sign-in from a different country.

Most people will not notice much difference in their daily experience of using their account and Microsoft 365 applications, but you’ll need to ensure your account security is correctly set up so you can re-authenticate using your chosen MFA method when needed in the future.

Travelling abroad

If you plan to access your University account overseas, mobile-related verification methods such as a text message may incur roaming charges. Therefore, we recommend you use the Microsoft Authenticator App, using code verification or push notifications when connected to a Wi-Fi hot spot.

You will need to have the appropriate MFA methods set up on your account before Monday 20 December 2021.

If you aren’t set up, you will be unable to access your Microsoft 365 applications such as Teams and email if you use a new device or are in a different location.

To set up MFA or add additional sign-in methods:

1. Log in to My Account 
2. Select UPDATE INFO within the Security Info section  
3. Select Add Method  
4. Choose your preferred verification methods from the drop-down list  

You can add as many sign-in methods as you like. The table below summarises which methods are suitable for which activities.

We recommend you use the Microsoft Authenticator App as it is suitable for all scenarios, and that you have at least two methods set up. For example, adding both the phone and Authenticator App methods will mean you can still verify your identify and access your account if you later change your phone but retain your number.

Following an identified security threat last summer, we had to quickly ask all staff and students to change your passwords, layer up your account security with Multi-Factor Authentication (MFA), and authenticate your identity to access the Virtual Private Network (VPN).

Since then we have been working to identify and test further security enhancements to protect your data and increase productivity, whilst implementing improvements based on your feedback and experiences. This has included changing access to the VPN so that you only need to use MFA at setup, rather than every time you connect.

To ensure your data is protected we need to consider the security of all our systems, and how you authenticate your identity is a key way to add protection. Your University Microsoft 365 account is a gateway to a significant amount of data, and as the winter break is a recognised period of risk, this additional security needs to be activated in advance.

Conditional access means that once you have authenticated your identity, you will only need to re-authenticate if the log-in behaviours are deemed as having increased risk.

Risky scenarios include when:

• You're accessing M365 on a new or different device
  
• Your device is in a different (and abnormal) international location
• Your credentials have been reported/identified as being previously leaked following a security breach

Conditional access therefore reduces the frequency you need to re-authenticate your identity using your chosen MFA method. We have already implemented Conditional Access on the University’s Virtual Private Network (VPN), so the experience will be similar.

By applying conditional access to your University Microsoft 365 account, you will therefore benefit from:

• Increased productivity: you will only be interrupted to authenticate via MFA when one or more signals warrants it
• Managed risk: risky sign-ins identified by anomalies and suspicious events are addressed through re-authentication or are blocked
  

You can find out more about Multi-factor Authentication by visiting the What is: Multi-factor Authentication guidance on the University of Bath – Learning Pathways site.

You may also find our Layer up your account security with Multi-Factor Authentication (MFA) webpage helpful.

Further information about the risks assessed by conditional access are detailed on Microsoft’s What is risk? security webpage.

IT help and support

If you experience difficulties setting up MFA, you should contact the IT Service Desk.

If you are having trouble approving your sign in requests after setting up MFA, you can find solutions to common problems on the Troubleshooting common problems with Multi-Factor Authentication (MFA) webpage.