How to enable strong authentication (MFA)

In Jamk we require strong authentication in several services. Strong authentication (MFA) allows safer login to services, as it makes it possible to prevent access to O365 account even if the ID/password is compromised. In addition to regular username and password, a separate confirmation is required using mobile app. Alternative ways are a one-time code, or third-party applications.

Things to notice

After enabling MFA, some old, incompatible applications may not work. Such can be for example some phone manufacturers own customized email applications.

Jamk’s ICT services recommends following supported and tested applications:

  • Windows: Office 2016 or newer, Microsoft 365 Apps for enterprise (formerly known as Office 365 proplus)
  • Android: Microsoft Outlook
  • MacOS: Apple Mail 12 or newer, Office 2016 or newer, Microsoft 365 for Mac
  • iOS: Microsoft Outlook

General introduction to enabling MFA

  • Enabling MFA only takes few minutes.
  • You will need a mobile device to which you want to send MFA confirmation messages.
  • After starting the process, you will have few minutes to complete it. If this is not done quickly enough, the deployment may fail and the process will need to start over.

Instructions for implementing MFA:

You can enable MFA for your account by logging in to Microsoft 365 and then following instructions given there. You might also want to check frequently asked questions at the end of this page.


Microsoft Authenticator application must be installed on your mobile device and you add Jamk's account on it with QR-code or URL -link. DO NOT sign in directly on Authenticator app !!

This page explains process with more details. You can configure MFA either by using only mobile phone or by using a combination of mobile phone and computer. The Authenticator application is always installed on mobile device but deployment process varies depending which device you’re using on logon.

  1. Download the Microsoft Authenticator application to your phone.
  2. Launch the Microsoft Authenticator application you installed
    • If you are launching the program for the first time, select “skip” for any questions you may have
    • In the application list the name is “Authenticator”
  3. Select “Add an account”
    • If the program has been used before, select “Add account” from the menu in the upper right corner
  4. Select “Work or school account”
    • To read the QR code, the phone may ask permission to process the images, select “Allow”
  5. Set the phone aside for a moment and use your computer’s browser to go to
    • If you are presented with a login screen, enter your email address and click “Next”
    • If necessary, log in with your password
  6. You will find below notice that additional information is required
    • Make sure your Jamk email address is displayed under the logo (picture 1) and click “Next”

      More information required
      Picture 1
  7. In the “Keep your account secure” box (picture 2), click Next
  8. If you do not want to use Authenticator (recommended), you can select “I want to set up a different method” at the bottom. Though this guide does not cover other MFA options.

    Keep your account secure
    Picture 2
  9. Under “Microsoft Authenticator – Set up your account” (picture 3), click Next

    Set up your account
    Picture 3
  10. Use your phone to scan the QR code that appears on your computer screen to associate your ID with the application.
    • Note, if the image cannot be scanned, press “can’t scan image” to manually enter the code displayed in the browser into your phone’s application.
  11. When the code has been successfully read or entered into the application, click “Next” in your computer’s browser
  12. The service confirms the application and you will receive a request for approval on your phone, select “Approve”
    • If the application asks for the phone lock code, enter it. You can remove this additional requirement from your Authenticator settings later.
    • If you get an error message at this point, delete the added account from your phone and start the process from the beginning (probably the service found that you weren’t quick enough). If needed, you can reset all MFA setting of your account by logging to
    • After 12.12.2022 you may also have to type in the code that is displayed on login page.
  13. If the connection is successful, you will be notified “Notification approved”. Click Next to proceed

    Picture 4
  14. You will still receive a notification to connect. Fortunately, the deployment is now complete. See the FAQ for more help and other tips.

  1. Download the Microsoft Authenticator application to your phone.
  2. Use your phone’s browser to go to
    • Log in with your Jamk email address and password
  3. Click Next on “More information required” box
  4. Select the link “Pair your account to the app by clicking this link” (picture 1)

    Pair your account to the app by clicking this link
    Picture 1
  5. The Authenticator application opens and information page appears after a while. Close the Authenticator application and return to the browser (picture 2).

    Authenticator -sovellus
    Picture 2
  6. In the browser, select Next to request confirmation from your phone. By approving the request, you ensure that the connection is working (picture 3). Notice! After 12.12.2022 you may also have to type in the code that is displayed on login page.

    Approve message to phone
    Picture 3
  7. You will receive the “Notification approved” message, click Next
  8. You will receive a “Success” message. Configuration is now complete
  9. You may close the browser at this point. If you press “Done”, the browser will go to the setup/details page


New phone or problems with Authenticator app?

You can add new authentication method for your Office365 account at It is recommended to remove any unnecessary/unused authentication methods to keep your account secure (E.q your old mobile devices that you no longer have access to).

If you no longer have access to your Authenticator app or it’s not working, you will need to reset your account MFA settings using these instructions.

Here are few common questions/answers (FAQ).

You log in to the service with your email address and password like you are used to and then you also accept a notification on your phone. If for some reason the notification does not appear automatically, open Microsoft Authenticator application. The request should show in the application. After entering the ID, you have about one minute to accept it on your phone.

Deny unknown login requests! However, confirm that none of your devices is not trying to log in to the service, such as your phone’s email application. Suspicious logins should be reported to Jamk ICT services, so that they can check where the login attempt came from.

Set up your new phone and follow these same instructions. Once Microsoft Authenticator is set up on your new phone and your account is linked to it, you can wipe and discard your old phone.

  • No problem, you can install and link Authenticator App also to your personal phone. Go to and click “Add sign-in method” -button and select “Authenticator app” from the drop-down list.
  • The process is the same as when you did this for the first time with your corporate phone. After this is done successfully, confirmation messages will appear on all linked devices (it doesn’t matter which one you use to accept the sign in message).

You can check, add and delete your mobile devices on

  • There is no simple answer to this, but there is a multi-level risk assessment in the background that may require additional verification occasionally.
  • Local network on Jamk campus area is configured as trusted network, where we allow login just by using regular username and password without MFA.

Some third-party services are connected Jamk’s O365 sign-in and these are subject to same MFA requirements. These are some some personnel/financial management services and also electronic signature service. Also systems that use HAKA login, like Peppi and Moodle require strong authentication.

  • Some email apps require user to first remove and then add the synchronization account again from phone settings. Only after this it knows that it has to use strong authentication.
  • After enabling MFA, some old, incompatible applications will not work. Such can be for example some phone manufacturers ’own email applications. In this case, install Outlook from app store.

Location information displayed in Authenticator is only informational. It is based on network address and it is not very accurate. If you are logging at Jyväskylä and map shows that you are in Tampere, its is not alarming, but if you are in Finland and map shows login from some other continent, then you know something is probably wrong.