Multi-factor authentication for role accounts
Concordia is currently onboarding all role accounts to multi-factor authentication to ensure that digital assets, information, and user identities remain safe. Instructional and Information technology Services (IITS) is actively contacting role account owners via role-accounts-owners@concordia.ca and device-management@concordia.ca with detailed instructions on the next step required to maintain access to your account to ensure a smooth transition.
Setting up MFA on your role account
Step 1
Properly configure MFA to your role account(s) using one of the following options as a way of generating your second-factor authentication:
Step 2
Make sure you are using a modern email client that supports MFA to maintain access. To upgrade or configure your account to a modern email client please select the step-by-step guide for your preferred computer and/or mobile email client.
What is Modern email client? Modern email clients use modern authentication practices at sign-in, such as MFA, rather than only requiring a single username and password when accessing an account. This provides greater security for your accounts and the information within.
Step 3
Contact the IT Service Desk at help@concordia.ca or 848-2424 ext. 7613 if there are any additional users who need access to your role account. A technician will be assigned to your request to assist you with adding additional account users.
Increasing the level of security
Setting up MFA on role accounts
In order to properly activate MFA on a role account, the role account owner and all users must be onboarded at the same time through a one-on-one session with an IITS representative. The entire process takes roughly 45 minutes.
Some mailboxes associated with role accounts may be converted to shared mailboxes (or Secured mailboxes). Roll accounts (associated mailboxes) that maintain the following four criteria will be converted:
- There is a mailbox associated with the role account.
- Users are reading/sending emails using the mailbox associated with the role account.
- Users are viewing contact/calendar information from the mailbox associated with the role account.
- Users are booking rooms using the mailbox associated with the role account.
What is the difference between a shared/secured mailbox and a role account mailbox?
Role accounts mailboxes are accessible to all users by signing into Outlook with the same username and password. When using the role account, you cannot identify who has sent or added content.
Shared/Secured mailboxes are accessible using an individual's personal account and credentials (netname/password/MFA). A shared/secured mailbox will be visible as an additional mailbox in your personal Outlook. Because shared/secured mailbox users sign in through their own personal accounts, the content they send and add can be traced back to their credentials. Additionally, because they are signing into their personal accounts using MFA, it eliminates the need to onboard shared/secured mailboxes to MFA.
Important information about your new shared/secured mailbox:
- You will no longer be able to access MS365 accounts via your shared/secured mailbox, instead you will need to access MS365 through your personal account.
- To access your shared/secured mailbox on your mobile device, you will need to add your shared/secured mailbox into your Outlook mobile app. For assistance, contact the Service Desk
- Currently, the Apple mail app and Thunderbird mail app are not compatible. For assistance, contact the Service Desk
- When using OWA to access your mail you will no longer be able to access your shared/secured mailbox using your role account credentials.
FAQ
A role account allows a group of users to access email, wireless, campus computers and other major computer systems like the Student Hub using the same netname and password as a role or a position.
For example: UCONPRES is a role account used by a group of employees working in the Office of the President.
There are two types of role accounts — sponsored and functional-related:
- Sponsored netnames are granted to users who are not paid employees of the University, but who will be on campus for an extended period. These accounts must be requested by an active Concordia faculty or staff member.
- Functional netnames are created for a specific role or position at Concordia. These accounts must be requested and owned by an active Concordia faculty or staff member, but the ownership may be transferable depending on the account's function.
Many mailboxes associated with the role accounts will be converted into shared/secured mailboxes which will allow personal MFA to be applied to account sign-ins for all shared/secured mailbox users. Role accounts (associated mailboxes) that have not been converted to shared/secured mailboxes will be individually onboarded to MFA with the assistance of an IITS representative.
A shared/secured mailbox is the same as a personal mailbox except that many users can access the same mailbox through their mail client and with their personal credentials (netname, password, MFA).
Converting an associated mailbox of a role account to a shared/secured mailbox eliminates the need to activate MFA. Shared/secured mailboxes are accessible via individual personal account credentials which are already protected by MFA.
Once converted, you will be able to access the shared/secured mailbox of the role account through your mail client using your own credentials. IITS will make sure that you have access and the right level of permission (read/send emails, book meetings and view the calendar/contact info of the shared/secured mailbox). However, please note that a shared/secured mailbox cannot be seen/accessible via an Apple mail client or a Thunderbird mail client. The workaround is to access the shared/secured mailbox via Outlook mail client or Outlook on the Web (web version of Outlook).
- Please note that a shared/secured mailbox is only accessible/viewable through a Microsoft Outlook mail client (Windows or MAC OS)
- Once converted, your shared/secured mailbox will be automatically added into your personal mailbox as an additional mailbox (see the red rectangle in the screenshot below)
- For MAC OS computers, please follow these steps:
a) In the Tools menu, choose Accounts, and select the account that has access to the mailbox.
b) Select Delegation and Sharing
c) Choose Shared With Me tab
d) Choose + to add a shared mailbox
1. Make sure to install Outlook apps on your mobile phone (Android or iPhone)
2. Add your personal account into Outlook apps (follow the procedure by clicking here)
3. Open Outlook apps
4. Click on this button (top left of your screen)
5. Click on this button (middle left of your screen)
6. Click on “Add a shared mailbox”
7. Enter the email address of your shared mailbox (role account’s mailbox)
8. Your shared/secured mailbox will be automatically added in Outlook apps
To access/view a shared/secured mailbox on the Web, please follow the procedure below:
1. Go to https://outlook.office.com/
2. Enter your Concordia email address.
3. Authenticate yourself another time by adding your Concordia email address and password.
4. Using your Microsoft Authenticator apps, your SMS code or your hardware token key, approve the sign in request.
5. Stay signed in? No or Yes, both options are working.
6. Right click on “Folder”, click on “Add shared folder” and enter the name of your shared mailbox (role account mailbox). See the red rectangle below
You will no longer be able to access MS365 services via your shared/secured mailbox, instead you will need to access MS365 services through your personal account.
If you are using your role account credentials to access MS365 services, please contact help@concordia.ca as your conversion to a shared/secured mailbox will not be undertaken. In this case, MFA will need to be manually activated on your role account.
No, role accounts that do not have a MS365 license are not part of this new MFA phase.
Once we have more information about each role account, role account owners and their associated users will be provided with a date when their mailbox will be converted to a shared/secured mailbox.
The only option is to manually activate MFA on the mailbox associated with the role account. This will be done through a one-on-one onboarding session with an IITS representative. The role account owner and all users will need to be onboarded at the same time.
No, you will access your shared/secured mailbox using your own personal credentials which are already protected by MFA.
You can contact the Service Desk for assistance