Office 365 - two factor authentication

reck
Community Member

I'm turning on 2FA for my O365 account and I'd like to store this in 1Password as I do with all my other accounts that use 2FA. However, I'm having a problem that I've not come across before.

When it asks me to scan the QR code during setup I tried to use my iPhone, and when I pointed the camera at the monitor I just got an 'unsupported QR code' message. I then tried using the Windows application, clicking the QR code icon and then selecting 'from my screen'. This time I didn't get an error and it copied the address to the one-time password field, but it doesn't work; I get no countdown timer.

The URL starts like this - phonefactor://activate_account?code= which doesn't look correct.

I've set up seven or eight different apps and websites with 2FA and never had any problems. Has Microsoft made some kind of bespoke QR code that will only work with their own authenticator app (which works fine)?

Has anyone else had any luck using 2FA with Office 365 in 1Password? I should add this is my work O365 account on a work tenant, not a personal account, if that makes any difference.

Thanks


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • plttn
    Community Member

    For what it's worth, I just tested and if I clicked the link that said "I can't scan the bar code", the text seed pasted into the OTP box worked fine for me. The QR code didn't work for me either.

  • reck
    Community Member

    Is that a 'work' O365 account? I don't see a 'I can't scan the bar code' option.

    This is what I get. It says I can enter the code and URL into the app, but in 1P I only see a single field, so I believe my only option is to enter a URL. I tried the URL and forgot the code, but it didn't work.

  • plttn
    Community Member

    In that case, yeah: because of the way O365 works for the push authentication, there's no way to use it with a third-party OTP provider.

  • reck
    Community Member

    Well that's annoying if that's the case.

  • ag_ana
    1Password Alumni

    @reck:

    I also have an Office account and I was able to configure 2FA with 1Password, so unless they changed something since I first configured it back then, you should be able to do that too.

    Just out of curiosity, what do you see if you click on the Configure app without notifications link in your screenshot?

  • reck
    Community Member

    This is what shows up if I click that option Ana.

    The Account Name is in the format org name:email address
    Then the secret key has the format of **** **** **** **** with the * being letters and numbers.

    The nice thing about the Microsoft Authenticator is that when I log in I get a notification popup on my phone and I can just click accept and I'm in, no need to type anything. It's just a bit annoying having to have a separate authenticator app just for one website when all the rest are in 1Password.

  • You mentioned this is a work O365 account, @reck; any chance your organization has restricted the OTP apps you're able to use? I don't believe O365 inherently requires any particular app, but I'd not be surprised if they have options for the organization to limit how you sign in. We actually have that option for our business customers. They can dictate what forms of MFA are allowed, including limiting folks to using Duo for MFA with their 1Password Business account. I don't personally have an O365 account so I can't say whether this is actually meaningful or not, but I noticed the instructions you're being given seem rather specific to MS Authenticator, so that might indicate your organization requires you to use Microsoft's app.

    On the off-chance that's just encouragement rather than requirement, though, here's the typical format of what's entered in the TOTP field:

    otpauth://totp/ORG-NAME%3AEMAIL-BEFORE-THE-AT-SYMBOL%40EMAIL-DOMAIN.COM?secret=SECRET-KEY

    Note that the @ symbol isn't actually included there, nor are any other symbols, but this is the format I see for most of my TOTP secrets so combining the info O365 gives you in this fashion might work. I would caution, however, that when sites try to discourage use of third-party apps, I generally decide to follow their recommendations. It's not that it won't work necessarily and this is only my personal opinion, but when I see such things I wonder whether the site will be assuming I'm using the suggested app and make changes based on that assumption later down the line that break things should I decide not to follow the rules. Paranoia? Quite possibly, but I figure it's better safe than sorry when it comes to things like account access. Feel free to give the above a try if you're comfortable and let me know what you find. :chuffed:
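
As an added example (not code from this thread, from 1Password or from Microsoft), the script below does the assembly the reply above describes: it percent-encodes the `org:email` account name, strips the spaces from the displayed secret key, and emits an `otpauth://totp/...` URI. It also classifies a scanned QR payload so you can see why the `phonefactor://activate_account?code=` URI from the opening post yields no countdown timer (it is treated here, as the thread describes, as a Microsoft Authenticator push-activation handle with no TOTP seed), and it computes RFC 6238 codes so the copied secret can be checked against the site before saving it. The names `Contoso`, `alice@example.com`, the secret `abcd efgh ijkl mnop` and the `code=EXAMPLE` value are constructed sample data, and the `digits`/`period` defaults follow the otpauth convention rather than anything Microsoft states. Standard library only.

```python
"""Added example (not from the thread): build an otpauth:// URI from the pieces
Microsoft shows on the "Configure app without notifications" page, tell that
apart from the phonefactor:// activation QR, and compute RFC 6238 TOTP codes.
All account names and secrets below are constructed sample data."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional
from urllib.parse import parse_qs, quote, unquote, urlparse


def normalize_secret(secret: str) -> str:
    """Microsoft displays the key as 'abcd efgh ijkl mnop'. Remove the spaces,
    upper-case it, and pad to a multiple of 8 so base64.b32decode accepts it."""
    s = secret.replace(" ", "").upper()
    return s + "=" * (-len(s) % 8)


def build_otpauth_uri(org: str, email: str, secret: str,
                      issuer: Optional[str] = None) -> str:
    """Assemble otpauth://totp/<label>?secret=<base32>[&issuer=<org>].
    The label is percent-encoded, which is why ':' and '@' never appear
    literally in the URI (they show up as %3A and %40)."""
    label = quote(f"{org}:{email}", safe="")
    params = [f"secret={normalize_secret(secret).rstrip('=')}"]
    if issuer:
        params.append(f"issuer={quote(issuer, safe='')}")
    return f"otpauth://totp/{label}?" + "&".join(params)


def classify_qr_payload(payload: str) -> Dict[str, object]:
    """Work out what a scanned QR code contains. An otpauth:// URI carries a
    TOTP seed any authenticator can use. A phonefactor:// URI is treated, as
    the thread describes, as an activation handle for Microsoft Authenticator's
    push flow with no seed, so pasting it into an OTP field yields no timer."""
    u = urlparse(payload)
    if u.scheme == "otpauth" and u.netloc == "totp":
        q = parse_qs(u.query)
        if "secret" not in q:
            raise ValueError("otpauth URI has no secret parameter")
        return {
            "usable": True,
            "scheme": "otpauth",
            "label": unquote(u.path.lstrip("/")),
            "secret": q["secret"][0],
            "digits": int(q.get("digits", ["6"])[0]),
            "period": int(q.get("period", ["30"])[0]),
        }
    if u.scheme == "phonefactor":
        return {"usable": False, "scheme": "phonefactor",
                "reason": "Microsoft Authenticator push activation; no TOTP seed"}
    return {"usable": False, "scheme": u.scheme,
            "reason": "not an otpauth:// URI"}


def totp(secret_b32: str, at: Optional[int] = None,
         digits: int = 6, period: int = 30) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, the defaults otpauth://totp assumes."""
    key = base64.b32decode(normalize_secret(secret_b32), casefold=True)
    now = int(time.time()) if at is None else at
    counter = struct.pack(">Q", now // period)   # 8-byte big-endian step
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                   # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    uri = build_otpauth_uri("Contoso", "alice@example.com",
                            "abcd efgh ijkl mnop", issuer="Contoso")
    print(uri)
    print(classify_qr_payload(uri))
    print(classify_qr_payload("phonefactor://activate_account?code=EXAMPLE"))
    print("current code:", totp("abcd efgh ijkl mnop"))
```

Run it, compare the printed code with what the Microsoft page accepts, and only then store the URI in 1Password; if the verification code is rejected, the secret was mis-copied rather than the format being wrong.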

  • reck
    Community Member

    I don't believe it's an admin setting that controls this; I think it's just the way it's been designed to work with the Microsoft Authenticator app, unfortunately. It looks like I'm going to have to keep that app on my phone then and not use 1Password for this site.

    Thanks anyway.

  • ag_ana
    1Password Alumni

    @reck:

    That's a pity. I would still suggest confirming whether this is indeed controlled by a setting, as bundtkate mentioned. As I wrote above in my previous post, I was able to configure 2FA with 1Password on that website, so if you cannot do the same thing, it might indeed be an admin setting.

  • nickwaters
    Community Member

    @reck it is in the admin controls.

    Microsoft allow administrators to force the use of their authenticator app.

    "Requires all of your users to use MFA with the Microsoft Authenticator app"

    My organisation uses OneLogin, so I'm forced to use that to log in to our systems. It stops you registering multiple devices for additional security (because it doesn't give you a traditional 2FA secret). It's very much down to the company you work for.

    I use 1Password's TOTP function for everything else.

  • Thanks for the insight, @nickwaters. :chuffed: Obviously, we rather encourage folks to use 1Password around here, so we don't get a lot of exposure to mechanisms that disallow such things. It's unfortunate y'all are having your choices limited here, but at least your companies are encouraging 2FA (even if not in 1Password), so you're still able to keep those accounts safe.

  • reck
    Community Member

    Thanks for posting that link @nickwaters. It's likely I'll have no way round this, unfortunately, but at least it's only one site.

  • Greg
    1Password Alumni

    @reck: You can try reaching out to your IT department and discuss this issue. Who knows, maybe they will allow using other authenticator apps.

    If there is anything else we can help you with, we are always here for you. Thanks!

    ++
    Greg

  • Thanks for sharing @Naxterra. :)

    Ben

  • TJLuoma
    Community Member

    Darran West on the Mac Power Users forum posted a screencast of how he did this.

    I don’t know why, but I had tried this several times before and what I was doing looked different from this, so I was clearly on another URL / site / configuration area (I’m also the admin for our Office/Microsoft 365 account, so that may have had something to do with it).

    Anyway, with his instructions and screencast, I was able to get it to work for the first time.

    I’m sharing this here in case it’s somehow lost from the MPU forums:

    I’ve removed the 2FA code from 1Password and my Office 365 account to work out how I did this the first time. Before anyone goes any further I should note that this account is an education/business account and my phone number has already been added as a 2FA source. I have never tried this with a personal Office 365 account so I am not sure if this is something which only works in the business version.

    After visiting login.microsoft.com and signing in, these are the menu steps I followed:

    • My Account
    • Additional Security Verification
    • Set Authenticator
    • Configure Without Notification (next to the initial QR code)

    At this point I could capture the QR code in 1Password and then verify the code.

    Below is the screencast of the steps outlined above.

    https://www.youtube.com/watch?v=3_xjqdRor-c

  • Hey there @TJLuoma 👋

    Thanks a ton for sharing this! It's certainly something I'm going to bookmark for myself for future use, and I know this will definitely help others in the future too. You're rad!

This discussion has been closed.