End-user

Specops Authentication for O365 allows you to log in to your O365 account using dynamic multi-factor authentication. You can continue using organizational credentials (Windows Identity) as an authentication factor, and layer, or even substitute the password with other identity services.

In O365, the username corresponds with your email, e.g. jane.doe@contoso.com. This username is used in all username requests, and should be used to logon to your corporate computer.

Certain applications, like the native email clients found on iOS/Android devices, and also Skype for Business/Lync clients, that need to connect to Exchange/Exchange Online for calendar and contact information, cannot use anything but the username and password during authentication. When an organization introduces multi-factor authentication, for example with Specops Authentication, and still wants to use these types of clients/software, Application (App) Passwords must be used.

Supported Office Clients

Specops Authentication supports the below clients for accessing O365. You will be prompted for credentials in periodic intervals, i.e., you will not need to authenticate every time.

  • Web based versions of O365 on all modern browsers e.g. https://portal.office.com
  • Office 365 for Windows
  • Office 2016 for Windows
    NOTE
    On desktop applications (i.e. Office 2016) the username/password dialog is replaced by a new dynamic interface (a web browser in a frame) that will use Specops Authentication. This interface is often contained in a non-resizable window, and will look a bit different from the real web browser experience.
  • Office 2013 for Windows
    NOTE
    Requires additional settings rolled out in the organization.
  • Outlook for iPhone
  • Outlook for Android
  • OneDrive for Business
  • Skype for Business
    NOTE
    If expanding the Advanced Options on Skype for Business, continue using your email as the username. Do not use domain\username, despite what the user interface suggests.

Enroll with Specops Authentication

First-time O365 access with Specops Authentication will redirect you to the Enrollment page, where you can enroll with the identity services you want to use to for authentication.

Once you have completed your enrollment, you will be logged in for the first time.

  1. Enter your Username on https://portal.office.com.
    NOTE
    You may be asked to specify whether the account is a work or school account.
  2. You will be redirected to the Specops Authentication Enrollment page. Authenticate using the available identity services. You will need to enroll with enough identity services to fill the star bar.
    For example, if using Specops Authenticator:
    1. Select the Specops Authenticator identity service.
    2. Download and install the Specops Authenticator app on your mobile device. The app can be found on iTunes, Google Play and the Microsoft Store.
    3. Click Continue on the enrollment page.
    4. Open the Specops Authenticator app on your mobile device. Tap the Scan QR code button on your mobile device and then scan the QR code from your computer screen. The app will automatically access the camera function on your device. Hold your device up to the QR code displayed on your PC screen.
      NOTE
      If you are unable to scan the code, you may enter the Secret Key instead.
    5. The Specops Authenticator app will display a temporary passcode on your mobile device
      • The temporary passcode will change every 20 seconds
      • You must enter a passcode before it changes on your mobile device screen
      • A blue line under the passcode will indicate the relative amount of time remaining
    6. Enter the temporary passcode from the Specops Authenticator and then select Verify.
      • The temporary passcode will appear as two sets of 3 digits separated by a space in the Specops Authenticator app
      • You must enter them as a single set of 6 digits with no space between
  3. You will be notified if you have collected the required number of stars; however, you can collect additional stars by adding more identity services.
  4. You can modify your enrollment at a later time from https://login.specopssoft.com. Note that in order to re-enroll with uReset, you will have to authenticate with your Windows identity, and at least one of identity services you have enrolled with previously.

Enrolling with Passkeys

The Passkeys identity service allows users to authenticate with Specops Authentication using the passkeys they have already set up on their device. Some examples of passkeys are Windows Hello, Yubikey, Bitwarden and any authentication app such as Google Authenticator.

Users have to enroll with each passkey separately.

  1. Go to the the login page and click Enroll
  2. Authenticate to enter the enrollment page.
  3. Select Passkeys.
  4. Give the passkey you want to enroll a friendly name so that you can easily recognize it.
  5. Click Add.
  6. A list with all available passkeys will be shown in a pop-up. Click on the passkey you want to add.
    NOTE
    Which passkeys will be shown depends partly on the platform you are currently on. Platform-specific passkeys (such as Windows Hello on your computer) will only be shown if you log in from that platform. Cross-platform passkeys will always be shown.
  7. Authenticate with the passkey.
NOTE
You can enroll a maximum of five passkeys.
NOTE
When authenticating with Passkeys, the list of passkeys will show all available passkeys for the platform you are on (both enrolled and not enrolled). Note that you can only use enrolled passkeys to authenticate with Specops Authentication.
NOTE
When authenticating with Passkeys, the authentication session will time out after 60 seconds.

Register with App Passwords

Certain applications (i.e., iPhone, Android built-in email clients, and Skype for Business Exchange connections) can only use username and password authentication. When an organization introduces multi-factor Authentication, they must use App Passwords to continue using the above-mentioned clients.

You can create App Passwords from: https://account.activedirectory.windowsazure.com/AppPasswords.aspx

  1. Click Create.
  2. Enter a name for the App password, and click Next.
  3. A new App Password will be generated for the user. The App Password can, for example, be used in the iPhone email app together with the username. The App Passwords are shown once during initial creation and the idea is to enter them into the App and then forget all about them.
  4. Copy the App Password to the clipboard, and paste it into your app (i.e. iPhone email clients, Skype for Business, etc.)

Alt text for this image

Authenticate with Specops Authentication

  1. Enter your Username on https://portal.office.com.
    NOTE
    You may be asked to specify whether the account is a work or school account.
  2. You will be redirected to the Specops Authentication page. Authenticate using the available identity services. You will have to authenticate with enough identity services to collect the required number of stars. Any combination of identity services will work.
    For example, to authenticate with the Specops Authenticator:
    1. Select Specops Authenticator.
    2. Open the Specops Authenticator app on your mobile device. The Specops Authenticator app will display a temporary passcode on your mobile device.
      • The temporary passcode will change every 20 seconds
      • You must enter a passcode before it changes on your mobile device screen
      • A blue line under the passcode will indicate the relative amount of time remaining
    3. Enter the temporary passcode from the Specops Authenticator, and select Verify.
      • The temporary passcode will appear as two sets of 3 digits separated by a space in the Specops Authenticator app
      • You must enter them as a single set of 6 digits with no space between
  3. Once you have successfully authenticated, you will be taken to the O365 portal.

Mobile applications and Mobile Code (SMS)

Specops / Google / Microsoft Authenticator

To enroll with any of the authenticator apps (Specops, Google, and Microsoft), you will need to first download these applications on your mobile device. These are free from the Apple, Google, and Windows app stores.

Once downloaded, select the identity service(s) from the Enrollment page. Click Continue.

From the authenticator application, scan the QR code that appears on the Enrollment page. Once the QR code has been scanned, the authenticator app will generate a temporary passcode. Enter the passcode on the Enrollment page, and click Verify.

Specops Fingerprint

To enroll with Specops Fingerprint, you will need to first download the application on your mobile device.

Once downloaded, select the identity service from the Enrollment page, and select Specops Fingerprint. Click Continue.

Register your account from the Specops Enrollment page, by scanning the QR code on the Authentication Enrollment page, with the Fingerprint Authenticator app. You will be prompted to provide your fingerprint. Depending on the device being used, you will be asked to either place or swipe your finger on the sensor.

The Specops Fingerprint application is supported on iOS devices with Touch ID fingerprint recognition, and Android 6.0 or newer operating systems.

NOTE

The full requirements of the Fingerprint Authentication app on an Android device are:

  • Android 6.0, API level 23: Older devices will not see the Fingerprint app from Google Play.
  • Android API compatible Fingerprint: Most devices with Fingerprint hardware and Android 6 are compatible. Some exceptions are the Samsung Note 4 and the Samsung Galaxy S5. The aforementioned have a Samsung specific API that the Specops Fingerprint app does not support. Non-compatible devices can still install the Specops Fingerprint app, but a runtime error message will be displayed indicating the lack of hardware support.

Mobile Verification Code

To enroll with Mobile Code (SMS), select Mobile Code (SMS) from the Specops Authentication Enrollment page.

Enter your mobile number making sure to add the + sign before area code. Click Send Code. Enter the verification code that you received on your mobile device in the designated field, and click Verify Code.

Frequently Asked Questions

Why do I need to enroll?

A complete enrollment is required before O365 resources can be used.

What if I need to update identity service information, or remove an identity service that I no longer use?

You should update your enrollment information. Log in to the Enrollment page (https://login.specopssoft.com/Authentication/Customer/Enroll), and click “Make Changes” to update your information such as mobile number for Mobile Code (SMS). From here, you can also enroll with another identity service and remove the identity service(s) that you no longer want to use. Since the service supports multiple authentications options, you can enroll with more identity services than is required for authentication. This ensures that you can verify your identity if an enrolled identity service is unavailable or inaccessible.

Will the credentials for my social accounts / email be shared with anyone?

Your information is not collected, or stored, and your activity on the services is never monitored. This information is solely used to verify your identity before allowing you to authenticate to O365.

How long should I wait to receive an SMS from the service?

SMS messages should arrive in less than a minute, with the average being 5-25 seconds. If you have not received an SMS message, check to see that the number is correctly formatted [+][country code][number including area code].

How long is the SMS one-time passcode valid?

The one-time code is valid for 5 minutes, after which you will need to request another code to complete the authentication, if you have not already done so.