What can I expect when MFA is deployed on my Oxford SSO account?
MFA will be deployed on your SSO account by 6am on your go-live day.
Once MFA has been applied to your SSO account, any applications that you are currently logged into, including Azure-based services such as Outlook, OWA, Teams, OneDrive, Office, SharePoint Online and Dynamics365, will begin to prompt for multi-factor authentication. Therefore we recommend you close these applications prior to your MFA being enabled to ensure a smooth experience.
There is NO requirement to shut down your machine prior to MFA being deployed (especially if you are using a remote desktop).
We strongly advise that you set up authentication methods before MFA is deployed on your account and, if possible, select two methods that don’t rely on the same device, for example a mobile app and a landline.
When do I get prompted for MFA?
MFA prompts should be expected at the start of each session. Over time, with repeated use of the same devices from the same locations, these prompts may decrease in frequency. Some systems may prompt for MFA more often than others, and unusual account activity may also increase the frequency of MFA prompts. Simply changing or staying on the same IP address is not enough on its own to either trigger or suppress MFA prompts.
Browser-based sessions will time out after several days. This timeout applies to browser-based access to Azure login based services (e.g. Outlook, OWA, Teams, OneDrive, Office, SharePoint Online, Dynamics365, Teams Web Client) and to Shibboleth-protected resources. The sessions are not persistent: once the browser has been completely closed, a new login will have to be performed.
If a valid login is performed in a browser for one service, no further login should be required until the session expires, sessions are revoked, or the browser is closed (sessions are shared across tabs).
If you use several different browser sessions (Chrome, Firefox, Edge etc.), you will be prompted to authenticate after the timeout for each browser session.
Note: In addition to the above, some services may require you to refresh your login. These rules are imposed by the individual services, for example Outlook Web Access after 8 hours of inactivity.
Applications, unlike browser-based applications, have a 90-day rolling token. Examples of applications are:
- Outlook (Windows, Android, Mac/iOS)
- Mac Mail
- Office applications
- Teams on Windows (NB: not web version)
- OneDrive client for Windows
- Flow app for Mobile Devices
Note: Teams on Linux behaves like a browser application – as such, session times act in line with the browser session of several days.