View All Resources

PennO365 with Two-Step Verification

PennO365 works with the University’s multi-factor authentication service, Two-Step Verification. Two-Step Verification provides an additional level of security to both PennKey and PennO365 credentials. For more information about the Two-Step Verification service, see www.upenn.edu/twostep.

Users interested in enrolling in PennO365 with Two-Step Verification should contact their local IT support providers for information about enrolling.

Please note that users must first be enrolled in Penn Two-Step Verification to use PennO365 with Two-Step Verification. 

PennO365 works with the University’s multi-factor authentication service, Two-Step Verification. Two-Step Verification provides an additional level of security to both PennKey and PennO365 credentials. For more information about the Two-Step Verification service, see www.upenn.edu/twostep.

Users interested in enrolling in PennO365 with Two-Step Verification should contact their local IT support providers for information about enrolling.

Please note that users must first be enrolled in Penn Two-Step Verification to use PennO365 with Two-Step Verification. 

 

Recommended email and calendaring clients

For the best experience, ISC strongly recommends using Outlook for Office 365 (also known as ProPlus and click-to-run), Outlook on the Web, and Outlook apps for both Android and iOS when using PennO365 with Penn’s Two-Step Verification system. Outlook users can more easily complete initial configuration with no or minimal IT support. In addition, Outlook email and calendaring clients provide the smoothest ongoing user experience, reducing the overall support workload, and encouraging adoption.

Microsoft O365 relies on its own proprietary framework called “Modern Authentication” to enable integration with third-party strong-authentication services, like DUO, which provides Penn’s Two-Step Verification system. Microsoft explicitly supports its own email and calendaring clients (Outlook, Outlook on the Web, Outlook apps, etc.) for “Modern Authentication”-based integration with PennO365 but does not guarantee support for other vendors’ email or calendaring applications.

While “Modern Authentication” using Two-Step for PennO365 may work with the latest versions of Apple Mail, the native iOS mail app, and some Android clients, users of non-Microsoft email and calendaring clients are more likely to experience configuration and support issues. More information about configuring non-Microsoft clients can be found at PennO365 Outlook Configuration Instructions.

If you experience issues with your PennO365 account using the Mail app for iOS or macOS, some users have reported that removing and re-adding their PennO365 account has helped.

ISC will provide organizations with a weekly report of PennO365 email accounts that are using non-Microsoft clients as part of the deployment process.

Using O365 Two-Step

Logging into PennO365 using Two-Step Verification

Logging into PennO365 using Two-Step Verification is very similar to using Two-Step with Weblogin-protected web sites.  The first thing a user will need to do is log into their PennO365 account on the website or client software.

Important note: When logging into a PennO365 account on a Windows system, be sure that the domain selected is “upenn.edu”.  Windows systems connected to a domain may substitute that domain’s name when logging into a PennO365 account. Should this happen, you will need to change the domain to “upenn.edu” to log in successfully.

Upon logging in with a PennO365 login and password, Two-Step-supported clients or web browsers will display a window similar to the following image:

O365 Two-Step Prompt

Options on this page will differ based on the selection from the “Device:” drop-down menu.

  1. Send me a Push to send a Push notification to a smartphone with the Duo app installed and configured for use with Two-Step Verification.
  2. Enter a Passcode from a text message, one-time-use code, authenticator app, or a SafeID fob.
  3. Call me to send an automated phone call to the selected phone number.

When checked, the Remember me for 30 days checkbox will remember the browser or client for 30 days before requiring the use of Two-Step again.

Important note: Clicking the “remember me” checkbox works per client, not per device. A user with both Microsoft Office and Skype for Business on their device will need to use Two-Step verification to log into each program separately.

ISC has created an application that allows you to enroll your PennO365 account in Two-Step Verification. Enrolling your PennO365 account in Two-Step Verification provides additional security for your PennO365 account by adding a verification step in addition to your PennO365 username and password.

In order to use Two-Step Verification for PennO365, you must first have a PennO365 account and already be enrolled in Two-Step Verification. The Duo Mobile app is strongly recommended for the best user experience. You should also be using the most up-to-date version of the Outlook application for Office365 (formerly Click-to-Run) or Outlook mobile app for your Android or Apple smartphone. 

This self-enrollment tool should only be used with the support of your local computing support organization or support person.

Before you enroll in Two-Step Verification for PennO365 please log out of your Microsoft account on all of your devices.

Authenticate with your PennKey and PennKey password.

https://grouper.apps.upenn.edu/grouper/grouperUi/app/UiV2Main.indexCustomUi?operation=UiV2CustomUi.customUiGroup&groupId=61bcaad67d57438ab1fea11c426c2f64

Click the Enroll button to begin.

After you have enrolled your status will indicate enrollment.

After you have completed enrollment wait 15 minutes and then open Microsoft Outlook using the desktop application, the app on your smartphone, or the Outlook web client. Sign into your account using your Microsoft account and password. After you have successfully signed in you will be prompted to initiate, or generate, a Two-Step Verification code. With Two-Step for PennO365 you must initiate the verification by clicking “Send Me a Push” or “Enter a Passcode.”

Two-Step Verification for PennO365

If this is a computer or device that you solely control you can click “Remember me for 30 days” and will not be prompted for verification again unless the application or browser is updated or it has not been used for 30 days.

You can change the device used to initiate or generate the code by using the Device pull down menu.

You can then access your email.

Troubleshooting

If you do not have a PennO365 account you will see an error when you attempt to enroll.

If you are not enrolled in Two-Step Verification you will see an error when you attempt to enroll.

If you encounter these errors please contact your local computing support organization or support person.

You may also get a message about your session expiring if you delay verification. If that happens you must start again and log into your PennO365 account again.

Only perform the steps below if you are sure that the user is already enrolled in Penn Two-Step Verification! Any user added to a group indicated above but not enrolled in Penn Two-Step Verification will be unable to log into their PennO365 account!

Please note: Enabling or disabling users for Two-Step Verification requires either Penn Two-Step administration privileges or access privileges to the O365 Tools application.

To enable a user for Two-Step Verification with PennO365:

  1. Log the user out of all O365 clients (Outlook, Teams, Skype for Business, etc) on all devices
  2. Log in to grouper.apps.upenn.edu.
  3. Navigate to Root > penn > isc > ait > apps > O365 > twostepProd > o365schoolsCenters
  4. Select your school or center’s group (e.g. o365twoStepIsc for ISC) and add the user(s) you wish to enable for PennO365 with two-step verification to that group.


Important Note: After a user is added or removed from a PennO365 Two-Step group, it can take up to an hour before the change will take effect.

During or immediately after this transition time, existing O365 clients (Outlook, Skype for Business, Teams, etc) may exhibit unpredictable behavior if the user has already logged in. While this behavior tends to resolve itself within an hour or two, the best practice for enabling new users is to completely log out of O365 apps before the cutover and log back in after the transition is complete.  If unusual client behavior persists, rebooting the affected device entirely may also help.

 

To disable a user for Two-Step Verification with PennO365:

  1. Log into grouper.apps.upenn.edu
  2. Navigate to Root > penn > isc > ait > apps > O365 > twostepProd > o365schoolsCenters
  3. Select your school or center’s group
  4. Use the “Remove selected members” or “Revoke Membership” option to remove the user.

Why should I sign up for Two-Step Verification for PennO365?

The University is working towards having all PennO365 users enrolled in Two-Step Verification for PennO365. By setting up Two-Step Verification, you add an extra layer of security to your PennO365 account. 

 

How do I sign up for Two-Step Verification for PennO365?

You can enroll in Two-Step Verification for PennO65 by going to the link sent to you from your computing support organization. To use Two-Step Verification for PennO365, you must already be enrolled in Two-Step Verification and have a PennO365 mailbox. You should only enroll to use Two-Step Verification for PennO365 after checking with your local computing support staff to make sure you are using the recommended and supported software.

 

What Office 365 clients can I use with Two-Step Verification for PennO365?

  • Two-Step Verification for PennO365 is only recommended with the latest version of Outlook for Office365 (formerly Click-to-Run), Outlook on the Web, and the current version of the Outlook app for both Android and iOS.
  • The use of other email clients is not recommended. In testing, native email clients such as Windows Mail, Apple Mail, the Android Mail app, and others operated inconsistently. 

 

What Two-Step Verification methods can I use?

  • ISC recommends using the Duo Mobile app on your iOS or Android smartphone to receive push notifications or generate single-use verification codes.
  • SMS messages, automated phone calls, and codes generated by a SafeID keychain are also supported.
  • See the Penn Two-Step Verification FAQ for more on supported second factors. https://www.isc.upenn.edu/how-to/two-step-faq

 

When will I have to use Two-Step Verification for PennO365? How often will I be prompted for the second factor?

  • When you log into Outlook for the first time after enrolling, you will be prompted for a Two-Step Verification code. You will only be prompted again if there is a significant change (e.g., upgrade to Outlook), if you have signed out on that device, or haven't used the device for a longer period of time.  
  • Once you've registered an Outlook client on a device and selected the "Remember me for 30 days", you don't need to register for the life of the device as long as that client and device are regularly used. The 30-day clock restarts each time you use the Outlook client on that device.
  • A new login from a different device, or client (e.g., a different web browser), however, will result in a Two-Step Verification prompt.

 

Do I use Two-Step Verification for PennO365? Can I turn it off?

  • Once you have set up Two-Step Verification for PennO365, you will leave it on so that it can protect your account, whether you are home, on campus, or traveling.
  • Two-Step Verification protection will remain on while you are traveling.
  • You should not use the "Remember me for 30 days" checkbox with any device that is shared with anyone else, and you should sign out of the application or browser when finished.

 

Can I enable Two-Step Verification for PennO365 on some of my devices but not others?

Two-Step Verification for PennO365 is applied to your account and will be turned on for all the devices you have and will prompt for Two-Step Verification on the first use on each device using Outlook. To fully protect your email using Two-Step Verification, it is recommended only to use the Outlook client on each device.

 

If I use the web portal when traveling, will the next person who uses the machine have access to my account?

  • To make sure no one has access to your account, please use the following steps:
    • When using a shared device, do not check "Remember me for 30 days" and be sure to sign out of your Outlook when finished.
    • Be sure to never save passwords on shared devices.

 

Quick tips for Two-Step Verification for PennO365 

  • Use the most up to date versions of Microsoft Outlook on any device you use.
  • Use Duo Mobile for the best Two-Step Verification experience.
  • When you use a new device or browser for the first time, expect a verification prompt.
  • If you are using a device or computer that is used only by yourself, check "Remember me for 30 days" to decrease the number of Two-Step Verification prompts you may receive. 
  • After Two-Step Verification is initially turned on for your account, you may receive multiple verification prompts, this is normal and will resolve as you access devices and browsers.