Org Account MFA – Frequently Asked Questions
 

1. Q: How can I get started setting up an org account with MFA?
   • A: You can follow the steps listed in this IT Help guide (https://ithelp.uoguelph.ca/orgaccountmauthenticator)
      
2. Q: How many users can be added to the MFA on a shared org account?
   • A: While there is a limit of 5 MFA methods that can be configured on the account, and security best-practice encourages the fewest number of users possible to be given access to an org account, if you follow the setup steps listed in the IT Help guide (https://ithelp.uoguelph.ca/orgaccountmauthenticator), you should be able to add a theoretically unlimited number of users to the MFA on a shared org account using the Time-based One Time Password method (outlined in the above IT Help Guide).
      
3. Q: If many users have login access to an org account with MFA, how can we avoid getting push-notifications when another user logs in?
   • A: Following the setup steps listed in the IT Help guide (https://ithelp.uoguelph.ca/orgaccountmauthenticator), the default method of MFA on the org account will be a Time-based One Time Password (a six-digit code that is reset every thirty seconds). Every user that has access to the org account, and has been correctly added to MFA according to the guide, will use this code when prompted for MFA verification while logging in.
      
4. Q: Will setting up MFA methods on the account mean that all users with access to the account will be prompted for MFA on their next login?
   • A: No, setting up MFA will not automatically remove the MFA exemption on the account and cause all users with access to the account to be prompted for MFA on their next login. If you want to request the MFA exemption on the account to be removed, then the users will be prompted to enter MFA verification on their next logins. The removal of MFA exemptions on org accounts are currently scheduled to start on the 23^rd of Oct, at which point you can expect MFA prompts to eventually show on org account logins.
      
5. Q: How will I know if the MFA is working after I complete the setup without removing the MFA exemption from the account?
   • A: You can test to verify if your MFA setup is working by going to the following link after completing the MFA setup: https://mysignins.microsoft.com/security-infople
     If you are prompted for a six digit verification code after entering the org account email and password, and are able to login after entering the six digit code from Microsoft Authenticator, then you know the MFA method is working.
      
6. Q: We faced issues scanning the QR code while in the MFA setup steps for our org account, and only one person was allowed to scan it. What should we do?
   • A: It’s possible that you misread step #3, and step #5 in the IT Help guide (https://ithelp.uoguelph.ca/orgaccountmauthenticator). For step #3, on your computer, be sure to select "I want to use a different authenticator app" instead of “Next” on the “Start by getting the app” page. For step #5, on your mobile phone, be sure to select the  “Other” account option instead of the “Work or School” account option when adding a new account in Microsoft Authenticator. If you follow the remaining steps in the guide, multiple people should be able to scan the QR code that is provided.
      
7. Q: I’m stuck on step #1 of the IT Help guide and cannot access the Security Info page for the org account. I can only access the Security Info page for my UofG work account. What should I do?
   • A: Try either opening an incognito window in your current browser or use another browser (Edge for instance, if you’re using Chrome) to access the Security Info page (https://aka.ms/mysecurityinfo). This issue is probably occurring if you are currently signed into your work account in your main browser, but by accessing the link using the above methods should prompt you for a new login, at which point you can provide the org account’s email address and password.
      
8. Q: What’s the difference between an org account and a service account, and is changing to a service account a better option than MFA for my org account?
   • A: Service accounts are only to be used for a specific program, service, or application. Service accounts cannot be used for interactive logins to services such as M365, Qualtrics, or GryphLife. Service accounts are different from org accounts in the following ways:
     • They do not have an email account,
     • do not have an M365 license,
     • are not synced to Azure automatically,
     • cannot have VPN access,
     • can only be logged into from on-campus or from the VPN range,
     • and do not require MFA.
   • IF your org account matches ALL the criteria above, you can request for the org account to be changed into a service account, instead of setting up MFA on the account.

9. Q: What’s the difference between an org account and a shared mailbox, and is changing to a shared mailbox a better option than MFA for my org account?
   • A: Shared mailboxes are Microsoft's recommended way to create an email account that can be easily shared with multiple people at the same time. This method is secure, simple and convenient as there is no password to share, and users do not need to sign into multiple accounts. Shared mailboxes are different from an org account in the following ways:
     • They only provide a mailbox and calendar in Outlook,
     • do not have licensing for other M365 services, such as OneDrive or Teams,
     • cannot be used to sign into LDAP, AD or SSO-protected services, such as Qualtrics and GryphLife,
     • and only have a max storage size of 50GB for their mailbox
   • IF your org account matches ALL the criteria above, you can request for the org account to be changed into shared mailbox, instead of setting up MFA on the account.