2-Step for Office 365 (Heelmail)

We have received several questions about using hardware tokens (YubiKeys, etc.) with 2-Step Verification. Office 365 does not currently support hardware tokens for its 2-Step solution. Microsoft is working with other large vendors on a standardized solution for providing the second factor that might include hardware tokens sometime in the future, but it has not published a timetable for that. Currently, the only solutions for verifying your account with 2-Step in Office 365 require the use of a telephone or mobile device. Additionally, in order to maintain consistency and standardization across our 2-Step Verification applications, we do not support YubiKeys for Duo. However, we do provide support for Duo Tokens, which work well with Duo and are half the cost of YubiKeys.

To keep your email account safe, the University uses a security method called “2-Step Verification.” With this method, you verify that “you’re you” before you see certain sensitive information or access your Office 365 applications. You may verify by using the Microsoft Authenticator app, a phone call, or a texted passcode.

What is Microsoft Azure Multi-Factor Authentication (MFA)?

This is a secondary authentication method that will verify you are you by using a secondary device.  Please read What is Azure Multi-Factor Authentication? for more detailed information.

The recommended method for 2-Step Verification is to use your smartphone or tablet with the Microsoft Authenticator app installed. The first step is to download and install the free Microsoft Authenticator app. Search for Microsoft Authenticator in your app store and follow the directions on your smartphone or tablet for installing the app.

Follow these steps to enroll for 2-Step for Office 365 (Heelmail). You only need to do this once.

  1. Go to onyen.unc.edu and click on 2-Step Verification for Office 365 (Heelmail).

  2. Sign in with your Onyen or guest ID and password.
  3. Choose the option to enroll then click on Enroll.
  4. Once you have enrolled, please follow the instructions under Register Your Device.

When you first sign into an application (i.e. Office 365) that has 2-Step for Office 365 turned on, you will be prompted to set this up. Please follow the prompts carefully.

You can choose a phone call, a text message with a code, or the Microsoft Authenticator app (either code entry from the app or push notifications). Whatever you choose, Microsoft will set it as your default choice. This can be changed at any time by accessing your Security Settings.

Setting up 2-Step for Office 365 for the first time:

  1. Go to office.unc.edu. At the UNC Login screen, you will see a Set it up Now button.
  2. On the next screen, you will be given a drop down to choose your default choice on how 2-Step for Office 365 will contact you.
    1. Mobile App (recommended) – Here you can configure your mobile device. Please note only one mobile device may be configured at any given time.
      Decide how you want to verify your sign-in by choosing Receive notifications for verification or Use verification code (these options require you to have the Microsoft Authenticator installed, please see Install Microsoft Authenticator App toggle above).

      1. Receive notifications for verification. This option pushes a notification to the Microsoft Authenticator app on your smartphone or tablet. View the notification and, if it is legitimate, select Authenticate in the app.
      2. Use verification code. In this mode, the authenticator app generates a verification code that updates every 30 seconds. Enter the most current verification code in the sign-in interface.
    2. Office Phone – This option will be pulled from the Business Phone number listed in ConnectCarolina/UNC Directory. If your number is not listed correctly then please visit dir.unc.edu and update the business phone number.
    3. Phone – You may enter your mobile device number or landline that can be called.
      1. Send me a code by text message sends a text message containing a verification code. Following the prompt in the text, either reply to the text message or enter the verification code provided into the sign-in interface.
      2. Call me places an automated voice call to the phone number you provide. Answer the call and press # on the phone keypad to authenticate.
    4. Click Next, after choosing one of the above options.
    5. Follow the on-screen steps.
    6. Please read the Note below for optional steps.

Note:

  • The University recommends setting up an additional authentication method other than the default.  For example, if you set up the Microsoft Authenticator App as the default, setting up a landline (if one is available) would be great.  That way if you lose or forget your mobile device you will be able to authenticate. Please follow the instructions on Accessing or Changing 2-Step for Office 365 security settings to set up the additional method.
  • If you use Outlook 2013 or a Non-Microsoft email client, whether it is on a Mobile Device (iPhone/iPad or Android) or Computer (Mac or Win), you will need to set up an App Password for that client. Please follow the instructions on Create an App Password to use with Outlook 2013, Mobile Device Email apps (iPhone/iPad (iOS v10 or below) and Android), and Non-Microsoft Email Clients (Mac Mail and Thunderbird) below.
  1. Login to office.unc.edu.
  2. Click on your user profile icon in the upper right corner.
  3. Click on “My account”.
  4. Click on “Security & privacy”.
  5. Click on “Update your phone numbers used for account security.”

    1. On “what’s your preferred option?” Choose an option in the drop-down.
    2. On “how would you like to respond?”:
      1. Authentication Phone: This can be a mobile device number or any landline phone. Whatever number is entered is the number that will be the primary number used when calling.
      2. Office Phone (optional, Employees Only): If this is checked you can use the option to verify with a secondary device. It will use the number listed. This number is what is set as your Business number in dir.unc.edu.
      3. Alternate authentication phone (optional): This can be a mobile device (that can accept calls or text) or landline phone.
      4. Authenticator App (optional, unless you choose to use the app): This is where you can configure the Microsoft Authenticator app. Note: This applies in case you chose not to set it up the first time.
  6. Click on Save when you are ready to save your changes.
Microsoft’s recommendation is to create an App Password for each Non-Microsoft client used. You will need to use the password you create below instead of your onyen password to authenticate to the Non-Microsoft Client.
  • If you are running iOS version 11+ or macOS version 12 the mail app is designed to work with 2-Step for Office 365. However, you will need to remove and re-add your account to be able to authenticate Office 365 servers. You do not need an app password.
  • Please follow the instructions from Microsoft Set up email using the iOS Mail App.
  • In order to find your iOS version please visit Find the software version on iPhone, iPad, or iPod or Find out which macOS your Mac is using.
  •  If you are running iOS version 10, macOS version 11, or older then please follow the “How to Create an App Password…” instructions below.

How to Create an App Password:

Click this button Create App Password then skip to Step 7 below.

  1. If the above button does not work then please login to office.unc.edu.
  2. Click on your user profile icon in the upper right corner.
  3. Click on “My account”.
  4. Click “Security & privacy”.
  5. Click on “Update your phone numbers used for account security.”
  6. Click on Create and manage app passwords.
  7. Click on Create.
  8. Enter a name for the password. Click Next.
  9. The password will show on the pop-up screen.  Click on Close when finished.
    You will need to copy this password and keep it in a safe place in case you need to reuse it for your Non-Microsoft Clients. Otherwise, you can always go back in and create a new password. Please visit the Password Manager document for more information on recommended applications.

If you receive a push notification not in conjunction with a login you initiated, you can report it directly from your mobile phone app by selecting ‘Deny’. If you accidentally approved a push notification or if you received an unexpected voice call from Microsoft, you should report these to the service desk immediately. In rare cases, this could be attempted abuse by someone with knowledge of your password.


In order to set up your non-Microsoft email clients, you will need the 2-Step for Office 365 App Password you created on the How to Get Started tab under Create an App Password for your Non-Microsoft Email Clients. The 2-Step for Office 365 App Password will be used instead of the Onyen password in the email client password field.
  • If you are running macOS version 12 the Apple Mail app is designed to work with 2-Step for Office 365. However, you will need to remove and re-add your account to be able to authenticate Office 365 servers. You do not need an app password.
  • In order to find your macOS version please visit Find out which macOS your Mac is using.
  • If you are running macOS version 11 or below then please follow the instructions below.
  1. Launch Apple Mail. If you are starting Mail for the first time, the setup wizard will guide you through setting up your account. If you have used Mail previously to access a mail account, select Mail > Preferences from the menu bar.
  2. Within Mail Preferences, select Accounts.
  3. Near the bottom of the Accounts pane, select the (+) sign to add an account.
  4. Choose the account type radio button by Exchange. Click Continue.
  5. Enter the information as you are prompted into the appropriate fields, including your name, email address (as onyen@ad.unc.edu), and your App Password.
    Click Sign In.
  6. You will receive the authentication error “Unable to verify account name or password.” Enter your username (as onyen@ad.unc.edu), then click Sign In.
  7. Authentication will fail again; click on Next.
  8. You will need to manually enter the server names:
    Internal URL:  outlook.office365.com
    External URL: smtp.office365.com
  9. After your Exchange account is verified, you can select which apps to sync: Mail, Contacts, Calendar, Notes, and Reminders. By default, none are selected to sync. You will need to choose, we recommend choosing Mail, Contacts, and Calendar. You can turn any of these options off at any time. Click Done.
    Note:  Since Mail, Contacts, and Calendar were chosen, the apps will be configured and will begin synchronizing with Exchange.

macOS

  1. When setting up a new account, you may be prompted by Thunderbird to create a new email account.  Click on Skip this and use my existing email button.
  2. On the Mail Account Setup window, Enter the information as you are prompted into the appropriate fields, including your name, email address (as onyen@ad.unc.edu) and password (App Password).
  3. It will try to automatically set up the account, please click Continue and Manual Config. Enter the Connection Settings below:
    Connection Settings
    • Incoming: IMAP
    • Server Hostname: outlook.office365.com
    • Port: 993
    • SSL: SSL/TLS
    • Authentication: Normal Password
    • Username: onyen@ad.unc.edu

     

    • Outgoing: SMTP
    • Server Hostname: smtp.office365.com
    • Port: 587
    • SSL: STARTTLS
    • Authentication: Normal Password
    • Username: onyen@ad.unc.edu
     
  4. Click on Done.

Win

  1. Launch Thunderbird. If you are starting Thunderbird for the first time, the setup wizard will guide you through setting up your account. If you have used Thunderbird previously to access a mail account, or if the Account Wizard does not launch automatically, select the Thunderbird menu > Options > Account Settings from the menu bar.
  2. Within the Account Settings pane, select Add Mail Account… from the Account Actions drop-down.
  3. Enter the information as you are prompted into the appropriate fields, including your name, email address (as onyen@ad.unc.edu) and password (App Password).
  4. Click Continue and Manual Config
    Connection Settings
    • Incoming: IMAP
    • Server Hostname: outlook.office365.com
    • Port: 993
    • SSL: SSL/TLS
    • Authentication: Normal Password
    • Username: onyen@ad.unc.edu

     

    • Outgoing: SMTP
    • Server Hostname: smtp.office365.com
    • Port: 587
    • SSL: STARTTLS
    • Authentication: Normal Password
    • Username: onyen@ad.unc.edu
  5. Click Done.
  • If you are running iOS version 11 the mail app is designed to work with 2-Step for Office 365. However, you will need to remove and re-add your account to be able to authenticate Office 365 servers. You do not need an app password.
  • Please follow the instructions from Microsoft Set up email using the iOS Mail App.
  • In order to find your iOS version please visit Find the software version on iPhone, iPad, or iPod.
  • If you are running iOS version 10 or below then please follow the instructions below.

To configure your iPhone for your Office 365 account, go to the Settings app and choose Mail, Contacts, and Calendars.


Tap Add Account… . When you are presented with a list of account choices, choose Exchange.


In the Office 365 screen, use the following credentials:

Configuration Settings
Email Address: onyen@ad.unc.edu

Domain: leave blank

Username: onyen@ad.unc.edu

Password: App Password

Server: outlook.office365.com

Tap Next.


If you get an Unable to Verify Certificate pop-up, tap Accept. The iPhone simply wasn’t able to reach the Exchange ActiveSync server automatically based on your e-mail address.

After it verifies your Exchange account information, a new field called Server will appear. Enter outlook.office365.com as the server, then tap Done.


After it verifies your Exchange information once more, tap Save to save your changes.


This document is written based on the Standard Email App available for Android.  The screenshots below are based on Samsung Galaxy S8 device and Android 7.x; each Android device may be a little different.

  1. Open your Email App.
  2. Tap on Add New Account.
  3. Enter the information as you are prompted into the appropriate fields, including your email address (as onyen@ad.unc.edu) and password (App Password). Tap on Sign In.
  4. Choose Microsoft Exchange ActiveSync.
  5. You may receive a prompt that asks you to Require a Password before phone startup.  You will need to choose that option due to our security settings. Click Next.
  6. Choose how often and how many emails you want to sync, along with what you want to sync (Contacts, Calendar, and Tasks). Please leave Sync Messages turned off; turning it on will synchronize your personal text messages from your mobile device.
  7. Enter a description or leave default for Account Name.
  8. At the Device Administrator screen, you will need to click on Activate to set up the account.
  9. If prompted tap update on the Device Security screen.
  10. Click Done. Your account is set up and will synchronize your email depending on what you chose to sync.
If you plan to travel then please do the following before you go:

  1. Download and install the Microsoft Authenticator App on the registered mobile devices. Test the Microsoft Authenticator App before travel by trying to access UNC-Chapel Hill Office 365 account.
  2. Make sure you configure your device and Microsoft Authenticator App (see STEPS 1 – 3 below).
  3. You can also include a landline or international number as an option if it is available where you are going.
  4. SMS messaging will also work and will provide a passcode that can be used for the day. Try it out before you leave if possible.
  5. Please click on the respective toggle below to walk through the steps.

Note:

  • The Microsoft Authenticator app will work without a network connection – you will need to use the passcode as your secondary verification.
  • Push notifications will not work without wifi or a data plan.
  • Please contact the ITS Service Desk at 919-962-HELP(4357) if you are traveling and need further assistance with the registration or configuration process.

The recommended method for 2-Step Verification is to use your smartphone or tablet with the Microsoft Authenticator app installed. The first step is to download and install the free Microsoft Authenticator app. Search for Microsoft Authenticator in your app store and follow the directions on your smartphone or tablet for installing the app.

  1. Login to office.unc.edu.
  2. Click on your user profile icon in the upper right corner.
  3. Click on “My account”.
  4. Click on “Security & privacy”.
  5. Click on “Update your phone numbers used for account security.”

    1. On “what’s your preferred option?” Choose the option “Use verification code from app” in the drop-down.
    2. On “how would you like to respond?”:
      1. Make sure the box by Authenticator App is checked. This is where you can configure the Microsoft Authenticator app.
      2. Click on the Configure button.
      3. A QR Code will appear on the screen.
      4. On your device open the Microsoft Authenticator App and click on the 3 dots then add account.
      5. Scan the QR code on your screen with the device.
      6. Click on Next and Finish. Your Microsoft Authenticator App is now configured for your account on this device.
  6. Click on Save on the Additional Security Verification screen when you are ready to save your changes.
  7. Follow the instructions “Accessing the verification code on the Microsoft Authenticator App” to be able to access the verification code to verify.
  1. On your device open the Microsoft Authenticator App.
  2. View the verification code on your mobile app.
  3. You have two options: you can either have the default option set to use the verification code from the app (please see Configure the Microsoft Authenticator App instructions above) or you can use the Sign in a different way? option.
  4. If you have the default set to other than “Use verification code from the app.” then please do the following:
    1. Click on Sign in a different way?

    2. Choose the option Use a verification code from my mobile app.
  5. Enter the code on the screen and click verify.
  6. You will be prompted to stay signed in. If you trust the computer or device you are accessing this account from, then we recommend using this option, as it will keep you signed in and you only have to verify once (as long as that session is active). If this is a public computer or device (example: at an Internet café or library) then please click on No.
  1. Login to office.unc.edu.
  2. Click on your user profile icon in the upper right corner.
  3. Click on “My account”.
  4. Click on “Security & privacy”.
  5. Click on “Update your phone numbers used for account security.”

    1. On “what’s your preferred option?” Choose an option (Call my authentication phone or Text code to my authentication phone) in the drop-down.
    2. On “how would you like to respond?”:
      1. Authentication Phone: This can be a mobile device number (that can accept calls or text SMS code), landline phone, or international number. Whatever number is entered is the number that will be the primary number used when calling or texting.
      2. Alternate authentication phone: This can be a mobile device (that can accept calls or text SMS code), landline phone, or international number.
  6. Choose one of the options or both that will work for your travel plans.  If you choose an international number please make sure to choose the appropriate country code in the drop-down by the Authentication Phone or Alternate authentication phone field(s).
  7. Click on Save when you are ready to save your changes.
  8. Once this is set up, it will either call you or text you a code that you can use to verify.


Yes, you can create one App Password for all Non-Microsoft email clients being used.  However, for security purposes, it is recommended by Microsoft that you create an App Password for each application used.
Yes, in order to use a Non-Microsoft email client with your Office 365 email account, you will need to create an App Password for each email client. Please see the How to Get Started tab and click on Create App Password for your Non-Microsoft email clients.
No, you can only register one mobile device at a time by Microsoft design.  If you need the device to be your primary then you will need to go to the Register Your Device on How to Get Started Tab.
No, the user is not required to use the University’s 2-Step Verification. However, that person is required to have a Microsoft account to view the file. If the person has activated 2-Step Verification on their personal account then they will need to verify.

Verification is the act of proving you are who you say you are. You can think of it as “proving your identity.” A traditional form of verification is having a username and password. But if someone guesses or steals your password, unauthorized individuals could access your account.

2-Step Verification adds an additional “step” to the verification process. Typically, this is either “something you have” (such as an ATM card or a telephone) or “something you are” (such as a fingerprint). Combined with the factor of “something you know” (username and password), the second step adds another layer of security to your account.

No, you can use any cell phone, a tablet, or even a landline phone.

Microsoft provides the user with the option called Keep Me Signed In in order to reduce the number of times the user has to authenticate or verify with MFA.  It is recommended only to do this on computers that you trust. 

Note:

  • If you check the box by Don’t show this again, it will keep you signed in until you actually sign out of that session.
  • If your onyen password expires then you will be prompted to verify with MFA.
  • This feature uses cookies to save the session data.
    • If the cookies are cleared then you will be prompted to sign in again.
    • If you have your browser set to remove cookies on exit you will be prompted every time to log in. Each browser has the option to clear cookies on exit, please view the document for your browser on how to remove this setting.


If you plan to travel then please do the following before you go:

      • Make sure you register all your devices and include a landline as an option if it is available where you are going.
      • Download and install the Microsoft Authenticator App on the registered mobile devices.
      • Test the Microsoft Authenticator App before travel by trying to access UNC-Chapel Hill campus VPN.
      • SMS messaging will also work and will provide a passcode that can be used for the day. Try it out before you leave if possible.
      • Please contact the ITS Service Desk at 919-962-HELP(4357) if you are traveling and need assistance with the registration process.

Note: The Microsoft Authenticator app will work without a network connection – you will need to use the passcode as your secondary verification. Push notifications will not work without wifi or a data plan.

Sometimes this occurs because an existing Office 365 account is set up on the iPhone/iPad and the modern two-factor protocol is not enabled on the iOS Mail App.  If you remove your Office 365 account and re-add it, this will enable the protocol.