Using the automated phone call to verify your login

When trying to use Microsoft Office 365, either through a web browser, mobile app, or desktop application, you might be prompted to complete MFA before being allowed to access your account.

Before the MFA prompt, you might be prompted to log in to Office365. If you are, do so as normal using your Cardiff University email address and password. Those without a Cardiff University email address (and only a username) will need to enter the username followed by ‘@cardiff.ac.uk’.

You will be notified that this sign-in attempt needs further approval through MFA, and that Microsoft are calling the telephone number that you previously set up.

1. Answer the call from Microsoft. A pre-recorded message will explain the nature of the call, and the actions available to you. If for some reason you are not able to answer the call or respond, you will be offered another chance by clicking Sign in another way or clicking on the left-pointing arrow found to the left of your email address.
2. You will then be presented with a set of options on how to complete MFA to select between. The exact options will depend upon which MFA methods you have previously configured. Click Call +XX XXXXX XXXXXX to attempt the phone call again.

Approving

1. Approving the sign-in attempt is a simple as answering the automated call, listening to the recorded message, and pressing the # key (referred to as the “hash” key in British English or “pound” key in American English) on the telephone keypad when prompted.
2. Once you have pressed the # key you can end the phone call and the Approve sign-in request message should disappear from the web browser, mobile app, or desktop application, you were using – giving you access to your Office 365 account as intended.
   
   If you receive an MFA alert to confirm sign-in, but it is not you signing-in, it is possible someone is trying to illegally access your account. Do not approve the login, this ensures your account remains secure.
   
   If you receive multiple MFA alerts that are not you, it might be an indication that someone is trying to hack into your account. In this situation, please report this to IT Support who will investigate.

Denying

If it is not you attempting to sign-in, deny the sign-in attempt to keep your account safe.

1. Denying the sign-in attempt is a simple not answering the automated call or answering and terminating the call without pressing any keys.

If you receive multiple MFA alerts that are not you, it might be an indication that someone is trying to hack into your account. In this situation, we advise that you contact the IT Support who will investigate.

The Approve sign-in request message on the web browser, mobile app, or desktop application, you were using will update to reflect that MFA was not successfully completed.

If you are prompted to complete MFA verification using your default method, and instead you want to use the automated phone call to a telephone number that you have previously set up, you can click on I can’t use my Microsoft Authenticator app right now.

Alternatively click on Sign in another way, or click on the left-pointing arrow found to the left of your email address

Important: we highly recommend that you set up several methods of completing MFA to ensure you can still access your account should you encounter difficulties with one of the methods.

Click Call +XX XXXXX XXXXXX to trigger an automated phone call from Microsoft to the telephone number you set up previously.

The last two digits of each telephone number set up are shown on the entries in the list to help you identify which number you wish to pick for Microsoft to call you on if you have set up more than one.

If you have configured another MFA method (such as the Microsoft Authenticator app or a different authenticator application) as your default method, you can alter this to make the phone call the default. Similarly, if you have set up more than one telephone number you can pick which one you want to use as the default.

1. To start the process, use a web browser to navigate to https://aka.ms/mfasetup. You will be prompted to log in to Office365 using your Cardiff University email address and password. You might be challenged to complete MFA using one of the methods you have already set up.
   • Those without a Cardiff University email address (and only a username) will need to enter the username followed by ‘@cardiff.ac.uk’.
2. After successfully logging in, you will be taken to the My Sign-ins page where you can review the MFA methods you have already set up so far. Next to Default sign-in method: click Change.
3. From the list of options presented, pick the Phone - call +XX XXXXX XXXXXX entry that corresponds to the telephone number previously set up that you now wish to use as the default.
4. The default sign-in method will now show Phone - call +XX XXXXX XXXXXX