Initial MFA Registration for Student Orgs
NOTE: This documentation is intended for signing up a brand new Student Org for MFA, or for use during the initial rollout in Spring 2022. For other situations, please refer to "Registration of new Student Org Officers" below.
NOTE: ITaP can only work with the President/Advisor of Record (displayed on Catbert on the Org's account) for the student org. If the contact in this case is NOT the President/Advisor of Record for the student org, they will need to be directed to the President/Advisor of the student org for assistance.
NOTE: If the information for the President/Advisor of Record for the student org is incorrect, the user will need to contact SAO to get this information updated (SAO sao@purdue.edu 765-494-1231).
NOTE: If this Student Org account is currently in 50096173-MFA-Student_Org_Accounts-Exempt, it will need to be removed during this call.
Use this documentation when you are contacted by a member of a student org who has either:
- Received an email informing them that they will need to register their student org for MFA
- Or, upon logging into the O365 account for their Student Org, been prompted for 'More Information'
- Assuming the user already has the username & password for the account, skip to the next step.
- If they do not have the username for the account:
  - Have them try searching for the name of the org on purdue.edu/directory; otherwise, they'll need to contact SAO for that information (SAO sao@purdue.edu 765-494-1231).
- If they do not have the password for the account, the password will need to be reset.
- Direct the user to visit portal.office.com in a web browser and log in with ________@purdue.edu and the password for the account.
  - See above if they don't know the alias/username or password for the account.
- Assuming the user is prompted for "More Information", have them click the blue "Next" button to proceed to MFA registration.
- If they're NOT prompted for "More Information" after login, direct them to mysignins.microsoft.com/security-info, where they'll need to manually register their authenticator.
- Notify a Specialist of the student org's alias so they can get it added to the 50096173-MFA-Require_After_Grace_Period group in Azure AD.
- If they're prompted to authenticate via MFA, please contact a Specialist; they may need to:
  - Review the currently registered MFA authenticator devices & numbers, so this user can register from scratch
  - Or place the account into the 50096173-MFA-Delegated-ITEUE_CSC_MFA_Exempt group in Azure AD for the duration of your call so this user can register THEIR device without removing the others. Notify the Specialist to remove the account from the group at the conclusion of your call.
- Student Org accounts are VERY STRONGLY ENCOURAGED to register via the Microsoft Authenticator App rather than via other means.
  - Only one phone number per method can be registered.
  - These users should mostly be students, who seem to already be adopting the Microsoft Authenticator App without much issue.
- MFA Authenticator Device Registration Step 1:
  - For "How should we contact you?", select "Mobile App" from the drop-down.
  - For "How do you want to use the mobile app?", my recommendation for student orgs is to select the radio button for "Use verification code".
  - Have them click the blue "Set up" button to get the QR code to scan into the Microsoft Authenticator App.
- MFA Authenticator Device Registration Step 2:
  - They'll be prompted to register a phone number; just skip this step.
- Make sure that the user understands how to use MFA, specifically via the passcode method for authentication.
- VERY VERY IMPORTANT MFA Authentication for multi-user non-person accounts
NOTE: Student organization accounts are unique amongst ALL Purdue O365 accounts in that each is a single account, with the possibility of multiple users authenticating into it.
Please inform your user of the following while they are still on the phone:
- ITaP is only allowed to work with the President or Advisor of Record. If any changes to the account or MFA registration are needed, they will either need to do it on their own, or call into the CSC.
- It is the student org's responsibility to add/remove additional users to their account's MFA in a timely manner. Communication is paramount since there may be multiple users registered to the account.
- The President & Advisor of the org are able to add/remove additional users on their own, or with the assistance of the CSC by phone. All liability & responsibility for these additional users' access is taken on by the student org and its officers.
- Despite the recommendation to use passcode authentication rather than the push notification method, users may opt to use the push notification instead. If they do this, though, ALL DEVICES for ALL USERS registered to this account will receive the typical "Approve sign-in?" notification on their device.
  - They should NOT approve any sign-ins that they did not initiate; they might inadvertently allow an unauthorized person into the account.
  - But they should also NOT deny any sign-ins that they did not initiate either, as they may block an authorized user from accessing the account.
- You'll probably want to develop the above information into a Customer note that can be attached to tickets for this issue.
(Working on it)