Frequently Asked Questions

What is multi-factor authentication (MFA)?

Multi-factor authentication (MFA) is a method of authentication that requires more than one verification to access your email account and adds a critical second layer of security to user sign-ins. It works by requiring any two or more of the following verification methods:

Your IT password
A secondary authentication method (such as a trusted device like a mobile phone or desk phone.)

When using multi-factor authentication, you will periodically have to accept your sign-in attempt from a trusted source. You can set-up MFA using:

A mobile app, either using push notification or generating a token code.
Accept a call on your mobile phone.
Receive a text to your mobile phone, with a token code.
Accept a call to a desk phone (you also can set up a home phone.)

Be careful to only accept authentication requests when you are actively signing into your account (entering your password).

What email and calendar applications support MFA?

Multi-factor authentication is supported with the following email and calendar apps:

Outlook 2016, 2019, and 365 for Windows and Mac
Outlook for iPhone and iPad
Outlook for Android phones and tablets
Outlook Web Access
Apple Mail and Calendar for iPhone (iOS 11 or later), iPad (iOS 11 or later, or iPadOS), and Mac (High Sierra or later) *
Android Mail and GMail (Android 10 or later) *
Mail for Windows 10

Other e-mail and calendar applications have not been tested to work once MFA is enabled. If your device does not support one of the above applications, consider using Outlook Web Access.

* Using non-outlook apps may require you to remove and re-add your account to enable MFA, depending on how you set your device up.

How do I activate MFA?

You are able to self-register for MFA. Please follow the activation instructions below:

MFA - Self-Service Enrolment

How do I use MFA?

You will periodically have to accept your sign-in attempt from a trusted source:

A mobile app, either using push notification or generating a token code for offline use.
Accept a call on your mobile phone.
Receive a text to your mobile phone, with a token code.
Accept a call to a desk phone (you also can set up a home phone.)

Instructions on how to use these methods of verification are available here:

How to Use Multi-Factor Authentication

What are App Passwords?

An App Password is a substitute password for MFA-enabled accounts on unsupported mail and calendar applications. This means that you will replace your usual standard password with a specially created one when signing into one of the applications listed below and it will not prompt you to approve or deny each time you use them.

App passwords are being discontinued as of November 2020. Please consider using a supported mail client.

You will need to set up app passwords for the following applications:

Apple Mail and Calendar for iOS on iPhone/iPad (iOS 10 and older)
Android Gmail and other Android mail clients (Android 9 and older)
MacOS mail and calendar (MacOS Sierra and older)
Mozilla Thunderbird
Outlook 2013 before November 2014 update
Outlook for Mac 2011
Outlook 2010 or older
Any mail client that uses IMAP or POP3

Note: Microsoft also provides mobile versions of Outlook called Outlook for Android and Outlook for iOS. An alternative to using App Passwords would be to download and use one of these MFA-enabled apps instead. These apps are available from the Google Play and Apple App Store respectively.

How do I use App Passwords?

These one-time app passwords are generated by Office 365 account security, and can be used in-place of your standard password within a mail application.

The app password is how your account identifies the app is a safe source.
Use one app password per app per device. You can create multiple app passwords for different apps.
App passwords are meant to last, but may expire without notice. If necessary you can generate a new app password at any time.
App passwords cannot be reused or retrieved.
App passwords are meant to be difficult to remember and replicate.

Instructions on how to setup app passwords are available here:

Setting up App Passwords

Important: Support for older mail clients that use IMAP or POP3 is ending November 2020. This means all Office 365 users, including the University of Calgary must switch to supported mail clients before that date.

Can I change my verification methods?

Yes! At any time you can change or add more verification methods. (e.g. Mobile app, mobile phone, text message, etc.)

Instructions on how to add or update MFA settings are available here:

How to update multi-factor authentication settings in Office 365

Should I set up more than one verification method?

We encourage you to enable more than one method of verification, in the event that your default method fails for whatever the reason.

For example:

You forget your phone at home
You set up an Office phone, but you need to access your mail while travelling
You are in an area of poor phone reception

If your default method fails for any reason, you will be able to click the Sign in another way link on the Approve sign in request window.

What is the preferred method of verification to use?

We recommend installing and using the Microsoft Authenticator mobile app, as it provides both online push notifications and offline token code options for sign-in, which is useful if you are travelling abroad without data. If you do not have a smartphone, then a call or text message to your mobile phone is the next best option.

The Microsoft Authenticator takes up very little space on your phone, cannot control your device, and you can choose to use the app without using your data plan.

How often should I have to authenticate?

The answer depends on how many apps and devices you use to access your Office 365 email and calendar. Generally, from your primary device (Outlook on work desktop or laptop) you can approve sign in for up to 30 days. If you sign in on another computer, or on the web, then you will be prompted for authorization again.

Apps that have been setup with an app password will not prompt for approval, but the app password may expire without notice. (See the How do I use App Passwords? FAQ above.)

What should I do when I get a verification request I don't recognize?

If you receive approval requests for access to your Office 365 and you are not actively signing in (entering your password) then deny the access! If this occurs frequently, your account password may be compromised. In this case, reset your IT Account password online at password.ucalgary.ca or by calling the IT Support Centre at 220-5555.

I'm using an unsupported mail client, what should I do after enabling MFA?

Email software clients such as Mozilla Thunderbird, Apple Mail (iOS 10 and older, and MacOS Sierra and older), Outlook 2010 or older, Outlook 2011 for Mac, and Android Mail (Android 9 and older) do not support Office 365/Exchange and require IMAP connection to the O365 server in order to retrieve email. The IMAP configuration will require the App password. See FAQ questions above for information about App Passwords.

Can MFA control my phone and monitor me?

Simply put, the answer is "No". The Microsoft Authenticator app is not owned by the University, we are not granted any information from it, and the app is not able to collect information about the phone to send to Microsoft. It also does not have an MDM component, so it will not attempt to manage the phone.

How do I recover MFA if I change or lose my phone?

Recovering MFA on a new phone depends on what options you set up:

Microsoft Authenticator app

The Microsoft Authenticator app has a backup and restore option. If you enabled backup on your previous phone, download the Authenticator again on your new phone and restore it. For instructions, see this Microsoft article.

You can enable the backup option on an old phone if you have not set this up yet and restore the Authenticator app on your new phone.

If you did not back up your previous phone's Authenticator app and no longer have access to it, then visit https://aka.ms/mfasetup. You may be prompted for the Authenticator app, select "I can't use my Microsoft Authenticator app right now" from the sign in request screen. Select one of your backup phone numbers and complete authentication. Follow the the Getting Started instructions to add a new Authenticator. Remove your old one from the list of options.

Without any backup phone numbers contact UService - IT by phone for assistance.

Phone number (voice call or text message)

If you no longer have access to the phone number you used for MFA authentication, you may update your phone number at https://aka.ms/mfasetup. You may be prompted for authentication, select "Having trouble? Sign in another way" from the sign in request screen. Select one of your backup options (such as another phone number or the Authenticator app) and complete authentication. Follow the the Getting Started instructions to add a differnet phone number or Authenticator app. Remove your old phone number from the list of options.

Without any backup phone numbers or a backup Authenticator app contact UService - IT by phone for assistance.

Important: We recommend backing up your Authenticator app (see here) and adding additional phone numbers to make recovery easier when changing phones.