How to enable strong authentication (MFA)

In Jamk we require strong authentication in several services. Strong authentication (MFA) allows safer login to services, as it makes it possible to prevent access to O365 account even if the ID/password is compromised. In addition to regular username and password, a separate confirmation is required using mobile app. Alternative ways are a one-time code, or third-party applications.

Things to notice

After enabling MFA, some old, incompatible applications may not work. Such can be for example some phone manufacturers own customized email applications.

Jamk’s ICT services recommends following supported and tested applications:

Windows: Office 2016 or newer, Microsoft 365 Apps for enterprise (formerly known as Office 365 proplus)
Android: Microsoft Outlook
MacOS: Apple Mail 12 or newer, Office 2016 or newer, Microsoft 365 for Mac
iOS: Microsoft Outlook

General introduction to enabling MFA

Enabling MFA only takes few minutes.
You will need a mobile device to which you want to send MFA confirmation messages.
After starting the process, you will have few minutes to complete it. If this is not done quickly enough, the deployment may fail and the process will need to start over.

Instructions for implementing MFA:

You can enable MFA for your account by logging in to Microsoft 365 and then following instructions given there. You might also want to check frequently asked questions at the end of this page.

Microsoft Authenticator application must be installed on your mobile device and you add Jamk's account on it with QR-code or URL -link. DO NOT sign in directly on Authenticator app !!

This page explains process with more details. You can configure MFA either by using only mobile phone or by using a combination of mobile phone and computer. The Authenticator application is always installed on mobile device but deployment process varies depending which device you’re using on logon.

Download the Microsoft Authenticator application to your phone.
- The app can be found from Android Play Store and Apple App Store
Launch the Microsoft Authenticator application you installed
- If you are launching the program for the first time, select “skip” for any questions you may have
- In the application list the name is “Authenticator”
Select “Add an account”
- If the program has been used before, select “Add account” from the menu in the upper right corner
Select “Work or school account”
- To read the QR code, the phone may ask permission to process the images, select “Allow”
Set the phone aside for a moment and use your computer’s browser to go to https://m365.jamk.fi
- If you are presented with a login screen, enter your email address and click “Next”
- If necessary, log in with your password
You will find below notice that additional information is required
- Make sure your Jamk email address is displayed under the jamk.fi logo (picture 1) and click “Next”
  Picture 1
In the “Keep your account secure” box (picture 2), click Next
If you do not want to use Authenticator (recommended), you can select “I want to set up a different method” at the bottom. Though this guide does not cover other MFA options.
Picture 2
Under “Microsoft Authenticator – Set up your account” (picture 3), click Next
Picture 3
Use your phone to scan the QR code that appears on your computer screen to associate your ID with the application.
- Note, if the image cannot be scanned, press “can’t scan image” to manually enter the code displayed in the browser into your phone’s application.
When the code has been successfully read or entered into the application, click “Next” in your computer’s browser
The service confirms the application and you will receive a request for approval on your phone, select “Approve”
- If the application asks for the phone lock code, enter it. You can remove this additional requirement from your Authenticator settings later.
- If you get an error message at this point, delete the added account from your phone and start the process from the beginning (probably the service found that you weren’t quick enough). If needed, you can reset all MFA setting of your account by logging to https://tunnistus.jamk.fi
- After 12.12.2022 you may also have to type in the code that is displayed on login page.
If the connection is successful, you will be notified “Notification approved”. Click Next to proceed
Picture 4
You will still receive a notification to connect. Fortunately, the deployment is now complete. See the FAQ for more help and other tips.

Download the Microsoft Authenticator application to your phone.
- The app can be found from Android Play Store and Apple App Store
Use your phone’s browser to go to https://m365.jamk.fi
- Log in with your Jamk email address and password
Click Next on “More information required” box
Select the link “Pair your account to the app by clicking this link” (picture 1)
Picture 1
The Authenticator application opens and information page appears after a while. Close the Authenticator application and return to the browser (picture 2).
Picture 2
In the browser, select Next to request confirmation from your phone. By approving the request, you ensure that the connection is working (picture 3). Notice! After 12.12.2022 you may also have to type in the code that is displayed on login page.
Picture 3
You will receive the “Notification approved” message, click Next
You will receive a “Success” message. Configuration is now complete
You may close the browser at this point. If you press “Done”, the browser will go to the setup/details page

New phone or problems with Authenticator app?

You can add new authentication method for your Office365 account at aka.ms/mfasetup. It is recommended to remove any unnecessary/unused authentication methods to keep your account secure (E.q your old mobile devices that you no longer have access to).

If you no longer have access to your Authenticator app or it’s not working, you will need to reset your account MFA settings using these instructions.

Here are few common questions/answers (FAQ).

You log in to the service with your email address and password like you are used to and then you also accept a notification on your phone. If for some reason the notification does not appear automatically, open Microsoft Authenticator application. The request should show in the application. After entering the ID, you have about one minute to accept it on your phone.

Deny unknown login requests! However, confirm that none of your devices is not trying to log in to the service, such as your phone’s email application. Suspicious logins should be reported to Jamk ICT services, so that they can check where the login attempt came from.

Set up your new phone and follow these same instructions. Once Microsoft Authenticator is set up on your new phone and your account is linked to it, you can wipe and discard your old phone.

Follow these instructions to reset MFA settings

No problem, you can install and link Authenticator App also to your personal phone. Go to https://aka.ms/MFASetup and click “Add sign-in method” -button and select “Authenticator app” from the drop-down list.
The process is the same as when you did this for the first time with your corporate phone. After this is done successfully, confirmation messages will appear on all linked devices (it doesn’t matter which one you use to accept the sign in message).

You can check, add and delete your mobile devices on https://aka.ms/MFASetup

There is no simple answer to this, but there is a multi-level risk assessment in the background that may require additional verification occasionally.
Local network on Jamk campus area is configured as trusted network, where we allow login just by using regular username and password without MFA.

Some third-party services are connected Jamk’s O365 sign-in and these are subject to same MFA requirements. These are some some personnel/financial management services and also electronic signature service. Also systems that use HAKA login, like Peppi and Moodle require strong authentication.

Some email apps require user to first remove and then add the synchronization account again from phone settings. Only after this it knows that it has to use strong authentication.
After enabling MFA, some old, incompatible applications will not work. Such can be for example some phone manufacturers ’own email applications. In this case, install Outlook from app store.

Location information displayed in Authenticator is only informational. It is based on network address and it is not very accurate. If you are logging at Jyväskylä and map shows that you are in Tampere, its is not alarming, but if you are in Finland and map shows login from some other continent, then you know something is probably wrong.

Things to notice

General introduction to enabling MFA

Instructions for implementing MFA:

Phone and computer setup instructions

Phone setup instructions

New phone or problems with Authenticator app?

Here are few common questions/answers (FAQ).

How do I log in, when MFA is enabled?

I received authentication request on my phone even though I wasn’t actually logging in to any service, what do I do?

I’m about to change my phone, what should I do?

My phone was stolen/lost/broken, how can I reset my MFA settings?

I want to use my personal / secondary phone to accept logins, how do I do that?

Where can I check what devices I have linked to my account to use for MFA logins?

Why is MFA approval not required every time, and why on the other hand, does it sometimes happen more often than I would like?

Why do I get a verification message on my phone even when I sign in to service “X” that is not on O365? ?

Why did my phone stop synchronizing emails/calendar after enabling MFA? Why did I receive a message saying that IT-department has blocked access to my email?

Why is location information displayed in Authenticator not accurate?