
PennO365 with Two-Step Verification

PennO365 has been configured to work with the University’s multi-factor authentication service, Two-Step Verification.  As of January 28, 2019, Two-Step Verification can be used to provide an additional level of security to both PennKey and PennO365 credentials.  For more information about the Two-Step Verification service, see www.upenn.edu/two-step.

Users interested in enrolling in PennO365 with Two-Step Verification should contact their local IT support providers for information about enrolling.

Please note that to use PennO365 with Two-Step Verification, users must first be enrolled in Penn Two-Step Verification.


Supported Mail Clients

ISC supports Microsoft Office 365 products (previously known as Office "click to run") and Outlook Web Access for PennO365 with Two-Step verification. Volume licensed versions of Office and third-party mail clients are not supported.

Using O365 Two-Step

Logging into PennO365 using Two-Step Verification

Logging into PennO365 using Two-Step Verification is very similar to using Two-Step with Weblogin-protected web sites.  The first thing a user will need to do is log into their PennO365 account on the website or client software.

Important note: When logging into a PennO365 account on a Windows system, be sure that the domain selected is “upenn.edu”.  Windows systems connected to a domain may substitute that domain’s name when logging into a PennO365 account. Should this happen, you will need to change the domain to “upenn.edu” to successfully log in.

Upon logging in with a PennO365 login and password, Two-Step-supported clients or web browsers will display a window similar to the following image:

[Image: O365 Two-Step Prompt]

Options on this page will differ based on the selection from the “Device:” drop-down menu.

  1. “Send me a Push” to send a Push notification to a smartphone with the Duo app installed and configured for use with Two-Step Verification.
  2. “Enter a Passcode” from a text message, one-time-use code, authenticator app, or a SafeID fob.
  3. “Call me” to send an automated phone call to the selected phone number.

When checked, the “Remember me for 30 days” check box will remember the browser or client for 30 days before requiring use of Two-Step again.

Important note: Clicking the “remember me” checkbox works per client, not per device. A user with both Microsoft Office and Skype for Business on their device will need to use Two-Step verification to log into each program separately.

Only perform the steps below if you are sure that the user is already enrolled in Penn Two-Step Verification! Any user added to one of the groups indicated below but not enrolled in Penn Two-Step Verification will be unable to log into their PennO365 account!

Please note: Enabling or disabling users for Two-Step Verification requires either Penn Two-Step administration privileges or access privileges to the O365 Tools application.

To enable a user for Two-Step Verification with PennO365:

  1. Log the user out of all O365 clients (Outlook, Teams, Skype for Business, etc.) on all devices.
  2. Log into grouper.apps.upenn.edu.
  3. Navigate to Root > penn > isc > ait > apps > O365 > twostepProd > o365schoolsCenters
  4. Select your school or center’s group (e.g. o365twoStepIsc for ISC) and add the user(s) you wish to enable for PennO365 with two-step verification to that group.


Important note: After a user is added to or removed from a PennO365 Two-Step group, it can take up to an hour before the change will take effect.

During or immediately after this transition time, existing O365 clients (Outlook, Skype for Business, Teams, etc.) may exhibit unpredictable behavior if the user has already logged in. While this behavior tends to resolve itself within an hour or two, the best practice for enabling new users is to completely log out of O365 apps before the cutover and log back in after the transition is complete.  If unusual client behavior persists, rebooting the affected device entirely may also help.

 

To disable a user for Two-Step Verification with PennO365:

  1. Log into grouper.apps.upenn.edu
  2. Navigate to Root > penn > isc > ait > apps > O365 > twostepProd > o365schoolsCenters
  3. Select your school or center’s group
  4. Use the “Remove selected members” or “Revoke Membership” option to remove the user.

How does PennO365 with Two-Step Verification differ from Two-Step Verification for websites?

PennO365 uses the same system for multi-factor login that PennWeblogin uses. The interface is slightly different, and users will log in using their PennO365 credentials and not their PennKey, but otherwise the process is the same. Any changes that users make to their Two-Step Verification profile will be reflected in both PennO365 with Two-Step and PennWeblogin with Two-Step.
 

Who can enable or disable users for PennO365 with Two-Step Verification?

Local IT support providers with access to the PennO365 tools or Two-Step administrators can enable or disable users for PennO365 Two-Step. Schools and Centers can decide who should be responsible for enabling or disabling their users for Two-Step Verification with PennO365. Two-Step administrators or other support providers already familiar with the PennGroups interface are recommended.

 

What users should be enabled for PennO365 with Two-Step Verification?

Each School and Center is best positioned to determine which of their users should be enabled for PennO365 with Two-Step Verification. Please note that enrollment in Penn Two-Step Verification is a prerequisite for using PennO365 with Two-Step Verification. As this is a soft rollout of a new feature, users that are uncomfortable with change to their workflow or who are easily frustrated are not recommended candidates. In particular, users that are unwilling or unable to move away from unsupported clients such as volume-licensed Office or Apple Mail should not be enabled for Two-Step Verification for PennO365.

 

Will Two-Step Verification be required for all PennO365 users at the University?

As of January 2019, there are no plans to require Two-Step Verification for PennO365 users. Should this change in the future, ISC will work with the schools and centers to create a rollout plan that works best for everyone.

 

How should users who lose their second factor log into PennO365?

Recovery options for Two-Step Verification when using PennO365 are the same as those for PennWeblogin-protected websites. Should none of a user’s Two-Step Verification lifelines be available, users can call the Two-Step emergency hotline to receive a one-time code. Please see the Penn Two-Step FAQ at https://www.isc.upenn.edu/how-to/two-step-faq for further information.

 

What clients and operating systems has ISC tested with PennO365 using Two-Step Verification?

ISC has tested all four major operating systems (Windows, MacOS, iOS, and Android) with recommended O365 clients (Microsoft Office 365 Click-to-Run, Skype for Business, Teams) and supported browsers (Chrome, Firefox, IE, Edge, and Safari) using all currently supported methods of two-factor authentication (push notifications, text messages, codes, and phone calls). The experience was found to be largely consistent across platforms, applications and browsers. Several unsupported configurations and clients were tested as well; performance and behavior were much less consistent in those instances, and those configurations are strongly discouraged for general use.


What should I do if I run into an issue with Two-Step Verification using PennO365?

If you experience an issue using Two-Step Verification with PennO365, please report it to ISC Client Care.