Management Information Sheet
Office 365 - Introduction of Multi-Factor Authentication & other important information
Many of you will be familiar with Multi-Factor Authentication (MFA), also referred to as two-factor Authentication, from logging in to Internet Banking or similar services. It is the process of using more than just a password to log into a service.
Recommendations under GDPR are for this service to be enabled and with more and more people accessing their email accounts on other devices, other than those based solely in a school environment, it provides a further layer of security. This means if your password is compromised the person will not be able to log in to your account, therefore keeping sensitive data secure.
We are going to roll out MFA to all the Generic Accounts (@norfolk.sch.uk) but are aware that the process requires some familiarisation. We propose to turn this on for all Head@ accounts first to ensure these important accounts are further secured, and also to allow you to consider the MFA process.
We will enable MFA for Head@ accounts on Monday, 19th November. After this time, you will not be able to login to the online version of Outlook (www.office.com) until you have set MFA up.
Those that use the Outlook client to access their Head@ account will find it will still work until we fully 'enforce' MFA. This we will do on Monday, 26th November. After that date you will need to set MFA up by logging into www.office.com and creating an app password to continue to use the Outlook client.
Once implemented for head teachers, we will be phasing the rollout to other users over the forthcoming weeks. The planned rollout is as follows:
| Date | O365 Accounts | Action |
|---|---|---|
| w/c 19/11/2018 | Head@schoolname.norfolk.sch.uk | Enable MFA on the online version |
| w/c 26/11/2018 | Head@schoolname.norfolk.sch.uk | Enable MFA on Outlook clients |
| w/c 03/12/2018 | Office@schoolname.norfolk.sch.uk | Enable MFA on the online version |
| w/c 10/12/2018 | Office@schoolname.norfolk.sch.uk | Enable MFA on Outlook clients |
| 13/12/2018 onwards | All other email accounts ending @schoolname.norfolk.sch.uk | Enable MFA on both online and Outlook clients |
* An Outlook client would be installed on your device and would be found in the programs/applications area
Here is a link to our documentation to support this rollout:
We will update the guides, as well as add additional information on the website (www.ict.norfolk.gov.uk) throughout the implementation.
We are inviting schools/academies who would like to be an early adopter to register their interest by contacting the Service Desk (ict@norfolk.gov.uk) in advance of the dates shown above.
POP3 / IMAP connections
POP3 and IMAP are old ways to connect to mailboxes and, having carried out some analysis, make up a very small part of the way schools connect, so to increase security we will turn this connection method off on Friday, 9th November. Again, during analysis, many of the malicious attempts to connect to our mailboxes are via this method.
O365 Account deletions
Another security issue is that many accounts we have been asked to setup have never been logged into. The Office 365 platform highlights these as a security risk because if they are compromised there is less chance of someone noticing and they could have access to the platform for longer. As these accounts are redundant we will be deleting them from the platform in the New Year. They can be recreated if they are required in future.